To start off with, I had 8.6. I have a multi-server setup with 2x LDAP, 2x mailstore, and 2x MTA\Proxy. When I noticed high CPU usage, I looked around and found some forum threads and blogs. This was a couple of weeks ago.
I installed the 8.6 patch and thought I had cleaned it, but apparently not. A couple of days ago, I moved to 8.8.12 because I was seeing other weird issues.
Apparently, the servers weren't clean. Well, I only saw symptoms on one mailstore. The other has seemed clean the whole time. I've run `dpkg -l zimbra* | grep ^ii | awk '{print $2}' | xargs debsums -c` to see what files may be different. Several files show as changed on both servers (one known infected at one point, the other assumed never infected). Given the second mailstore hasn't shown above a 1.0 load on a 4 CPU system during any of this, I'm assuming it's clean. The infected server often showed a load well into the 30s and 40s. Anyway, I only saw one file different between them, "/opt/zimbra/jetty_base/webapps/zimbra/public/login.jsp". Is that likely infected?
Known infected server
root@Zimbra8-Mailstore1:/home/mhammett# dpkg -l zimbra* | grep ^ii | awk '{print $2}' | xargs debsums -c
/opt/zimbra/conf/localconfig.xml
/opt/zimbra/libexec/zmdiaglog
/opt/zimbra/libexec/zmmailboxdmgr
/opt/zimbra/libexec/zmmailboxdmgr.unrestricted
/opt/zimbra/bin/zmthrdump
/opt/zimbra/bin/zmplayredo
/opt/zimbra/jetty_base/webapps/zimbraAdmin/WEB-INF/classes/messages/ZaMsg.properties
/opt/zimbra/jetty_base/webapps/zimbraAdmin/WEB-INF/jetty-env.xml
/opt/zimbra/jetty_base/webapps/zimbraAdmin/WEB-INF/web.xml
/opt/zimbra/jetty_base/webapps/service/WEB-INF/web.xml
/opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/jetty-env.xml
/opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/web.xml
/opt/zimbra/jetty_base/webapps/zimbra/public/login.jsp
/opt/zimbra/jetty_base/work/zimbra/jsp/org/apache/jsp/public_/Boot_jsp.class
/opt/zimbra/jetty_base/work/zimbra/jsp/org/apache/jsp/public_/Boot_jsp.java
/opt/zimbra/jetty_base/work/zimbra/jsp/org/apache/jsp/public_/Resources_jsp.class
/opt/zimbra/jetty_base/work/zimbra/jsp/org/apache/jsp/public_/Resources_jsp.java
/opt/zimbra/jetty_base/work/zimbra/jsp/org/apache/jsp/public_/error_jsp.class
/opt/zimbra/jetty_base/work/zimbra/jsp/org/apache/jsp/public_/error_jsp.java
/opt/zimbra/jetty_base/work/zimbra/jsp/org/apache/jsp/public_/launchZCS_jsp.class
/opt/zimbra/jetty_base/work/zimbra/jsp/org/apache/jsp/public_/launchZCS_jsp.java
/opt/zimbra/jetty_base/work/zimbra/jsp/org/apache/jsp/public_/login_jsp.class
/opt/zimbra/jetty_base/work/zimbra/jsp/org/apache/jsp/public_/login_jsp.java
/opt/zimbra/common/etc/java/cacerts
debsums: missing file /opt/zimbra/lib/patches/nginx-lookup.jar (from zimbra-patch package)
/opt/zimbra/common/lib/perl5/XML/SAX/ParserDetails.ini
/opt/zimbra/lib/ext/nginx-lookup/nginx-lookup.jar
root@Zimbra8-Mailstore1:/home/mhammett# ls -hal /opt/zimbra/jetty_base/webapps/zimbra/public/login.jsp
-rwxrwxrwx 1 zimbra zimbra 41K Jun 14 02:37 /opt/zimbra/jetty_base/webapps/zimbra/public/login.jsp
root@Zimbra8-Mailstore1:/home/mhammett# md5sum /opt/zimbra/jetty_base/webapps/zimbra/public/login.jsp
3c497b19d993c008f4211514a6bf21c0 /opt/zimbra/jetty_base/webapps/zimbra/public/login.jsp
Assumed clean server
root@Zimbra8-Mailstore2:/home/mhammett# dpkg -l zimbra* | grep ^ii | awk '{print $2}' | xargs debsums -c
/opt/zimbra/conf/localconfig.xml
/opt/zimbra/libexec/zmdiaglog
/opt/zimbra/libexec/zmmailboxdmgr
/opt/zimbra/libexec/zmmailboxdmgr.unrestricted
/opt/zimbra/bin/zmthrdump
/opt/zimbra/bin/zmplayredo
/opt/zimbra/jetty_base/webapps/zimbraAdmin/WEB-INF/classes/messages/ZaMsg.properties
/opt/zimbra/jetty_base/webapps/zimbraAdmin/WEB-INF/jetty-env.xml
/opt/zimbra/jetty_base/webapps/zimbraAdmin/WEB-INF/web.xml
/opt/zimbra/jetty_base/webapps/service/WEB-INF/web.xml
/opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/jetty-env.xml
/opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/web.xml
/opt/zimbra/jetty_base/work/zimbra/jsp/org/apache/jsp/public_/Boot_jsp.class
/opt/zimbra/jetty_base/work/zimbra/jsp/org/apache/jsp/public_/Boot_jsp.java
/opt/zimbra/jetty_base/work/zimbra/jsp/org/apache/jsp/public_/Resources_jsp.class
/opt/zimbra/jetty_base/work/zimbra/jsp/org/apache/jsp/public_/Resources_jsp.java
/opt/zimbra/jetty_base/work/zimbra/jsp/org/apache/jsp/public_/error_jsp.class
/opt/zimbra/jetty_base/work/zimbra/jsp/org/apache/jsp/public_/error_jsp.java
/opt/zimbra/jetty_base/work/zimbra/jsp/org/apache/jsp/public_/launchZCS_jsp.class
/opt/zimbra/jetty_base/work/zimbra/jsp/org/apache/jsp/public_/launchZCS_jsp.java
/opt/zimbra/jetty_base/work/zimbra/jsp/org/apache/jsp/public_/login_jsp.class
/opt/zimbra/jetty_base/work/zimbra/jsp/org/apache/jsp/public_/login_jsp.java
/opt/zimbra/common/etc/java/cacerts
debsums: missing file /opt/zimbra/lib/patches/nginx-lookup.jar (from zimbra-patch package)
/opt/zimbra/common/lib/perl5/XML/SAX/ParserDetails.ini
/opt/zimbra/lib/ext/nginx-lookup/nginx-lookup.jar
root@Zimbra8-Mailstore2:/home/mhammett# ls -hal /opt/zimbra/jetty_base/webapps/zimbra/public/login.jsp
-rw-r--r-- 1 zimbra zimbra 40K Jun 14 02:37 /opt/zimbra/jetty_base/webapps/zimbra/public/login.jsp
root@Zimbra8-Mailstore2:/home/mhammett# md5sum /opt/zimbra/jetty_base/webapps/zimbra/public/login.jsp
e82ea1127ac694dc63d937a72a042977 /opt/zimbra/jetty_base/webapps/zimbra/public/login.jsp
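The comparison the poster does by eye above (run `debsums -c` on both mailstores, then look for the one path that differs) is worth making repeatable, because the shared entries are the uninteresting ones and the per-host difference is the lead. The script below is an added example, not code from the original post or from Zimbra: it assumes each host's `debsums -c` output has been saved to a text file, and the two reports it builds are constructed samples that mirror the shape of the posted output rather than real captures. It also checks the other difference visible in the posted `ls -l` lines, the file mode, since a served JSP that is world-writable on one host and `-rw-r--r--` on the other is a signal in its own right.

```shell
#!/bin/sh
# Added example (not from the original post or from Zimbra): make the
# two-host debsums comparison repeatable and check the mode difference.
# Assumes one saved `debsums -c` report per host; the reports created
# below are constructed samples, not real captures.
set -e
export LC_ALL=C   # identical sort order on both lists, required by comm(1)

# Keep only changed-file paths from a debsums report. The
# "debsums: missing file ..." diagnostics are a packaging gap, not a
# modified file, so they are dropped; sort -u prepares the list for comm.
changed_paths() {
    grep -v '^debsums:' "$1" | sort -u
}

# Paths flagged as changed in report $1 but NOT in report $2.
# A file debsums flags on every host is usually a post-install edit
# (localconfig.xml, web.xml, recompiled JSP work files); a file flagged
# on one host only has no such innocent explanation and needs a look.
only_in_first() {
    a=$(mktemp); b=$(mktemp)
    changed_paths "$1" > "$a"
    changed_paths "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Paths flagged on both hosts: the shared, probably-benign set.
in_both() {
    a=$(mktemp); b=$(mktemp)
    changed_paths "$1" > "$a"
    changed_paths "$2" > "$b"
    comm -12 "$a" "$b"
    rm -f "$a" "$b"
}

# Succeed if an `ls -l` mode string such as -rwxrwxrwx has the
# others-write bit set (character 9 of the string is 'w').
world_writable() {
    case "$1" in
        ????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample reports (shape taken from the post; not real data).
INFECTED=$(mktemp); CLEAN=$(mktemp)
trap 'rm -f "$INFECTED" "$CLEAN"' EXIT
cat > "$INFECTED" <<'EOF'
/opt/zimbra/conf/localconfig.xml
/opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/web.xml
/opt/zimbra/jetty_base/webapps/zimbra/public/login.jsp
debsums: missing file /opt/zimbra/lib/patches/nginx-lookup.jar (from zimbra-patch package)
/opt/zimbra/lib/ext/nginx-lookup/nginx-lookup.jar
EOF
cat > "$CLEAN" <<'EOF'
/opt/zimbra/conf/localconfig.xml
/opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/web.xml
debsums: missing file /opt/zimbra/lib/patches/nginx-lookup.jar (from zimbra-patch package)
/opt/zimbra/lib/ext/nginx-lookup/nginx-lookup.jar
EOF

echo "== changed on mailstore1 only =="
only_in_first "$INFECTED" "$CLEAN"
echo "== changed on mailstore2 only =="
only_in_first "$CLEAN" "$INFECTED"
echo "== changed on both (likely post-install edits) =="
in_both "$INFECTED" "$CLEAN"

# Mode strings as they appear in the posted `ls -hal` output.
for mode in -rwxrwxrwx -rw-r--r--; do
    if world_writable "$mode"; then
        echo "$mode: world-writable, not expected for a served JSP"
    else
        echo "$mode: ok"
    fi
done
```

Two caveats apply when reading the result. debsums only knows about files the packages installed, so a file dropped into `webapps/zimbra/public/` under a new name would not appear on either list; a plain `find /opt/zimbra/jetty_base/webapps -newer` on the last known-good package install, or a comparison of full directory listings between the hosts, covers that gap. And the md5 of the differing file is only useful against a known-good copy (the same path from the assumed-clean host, or from a freshly extracted package), not on its own.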