CVE-2019-9670 being actively exploited (Hacked Server)

Eritea
Posts: 14
Joined: Thu May 02, 2019 7:03 am

Re: CVE-2019-9670 being actively exploited

Post by Eritea »

halfgaar wrote: Eritea, I think you're confusing things. Your contents on /tmp and that process seem normal.

The script that the wget command in cron downloads shows what is done. It's posted a page back, go look at it.

And, clean your crontab.

And what files have a mismatched hash? Can you post it?
Here you are:

Code:

root@mail:/download# dpkg -l zimbra* | grep ^ii | awk '{print $2}' | xargs debsums -c
/opt/zimbra/conf/localconfig.xml
/opt/zimbra/lib/jars/zimbrastore.jar
/opt/zimbra/lib/jars/zimbracommon.jar
/opt/zimbra/lib/jars/zimbrasoap.jar
/opt/zimbra/common/etc/java/cacerts
/opt/zimbra/common/lib/perl5/XML/SAX/ParserDetails.ini
/opt/zimbra/common/conf/main.cf
/opt/zimbra/common/conf/master.cf
/opt/zimbra/conf/templates/templates/calendar/Appointment.template
/opt/zimbra/jetty-distribution-9.3.5.v20151012/common/lib/zimbracommon.jar
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/templates/calendar/Appointment.template.js
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/Startup1_2_all.js
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/CalendarCore_all.js.zgz
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/Startup2_all.js
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/Ajax_all.js.zgz
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/zimbraMail/abook/view/ZmContactSplitView.js
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/zimbraMail/mail/view/ZmMailMsgView.js
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/zimbraMail/mail/controller/ZmMailListController.js
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/zimbraMail/calendar/view/ZmCalDayView.js
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/zimbraMail/calendar/view/ZmCalColView.js
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/zimbraMail/share/view/dialog/ZmFolderDialogTabView.js
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/zimbraMail/share/model/ZmObjectManager.js
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/MailCore_all.js.zgz
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/NewWindow_2_all.js
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/Contacts_all.js.zgz
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/TwoFactor_all.js
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/Calendar_all.js
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/Ajax_all.js
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/NewWindow_2_all.js.zgz
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/Tasks_all.js.zgz
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/Startup2_all.js.zgz
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/Startup1_1_all.js
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/TwoFactor_all.js.zgz
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/NewWindow_1_all.js.zgz
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/Startup1_2_all.js.zgz
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/Calendar_all.js.zgz
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/ajax/util/AjxStringUtil.js
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/ajax/util/AjxTimezoneData.js
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/ajax/dwt/widgets/DwtIframe.js
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/ajax/dwt/widgets/DwtShell.js
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/ajax/dwt/graphics/DwtCssStyle.js
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/DocsPreview_all.js
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/Tasks_all.js
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/DocsPreview_all.js.zgz
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/Startup1_1_all.js.zgz
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/NewWindow_1_all.js
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/Contacts_all.js
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/MailCore_all.js
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/js/CalendarCore_all.js
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/proto/index.jsp (from zimbra-store package)
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/hostedlogin.jsp
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/authorize.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/search.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/ImportExport.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/Alert.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/Leaks.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/NewWindow_1.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/NewWindow_2.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/Zimbra.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/UnitTest.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/Debug.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/XForms.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/Mail.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/Briefcase.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/CalendarCore.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/TasksCore.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/MailCore.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/Tasks.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/TwoFactor.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/Startup2.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/Voicemail.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/Crypt.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/Extras.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/CalendarAppt.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/TinyMCE.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/DocsPreview.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/Startup1_2.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/ZimletApp.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/Preferences.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/ContactsCore.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/PreferencesCore.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/Portal.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/Share.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/Contacts.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/Startup1_1.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/BriefcaseCore.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/Zimlet.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/Docs.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/Boot.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/jsp/Calendar.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/extuserprov.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/launchSidebar.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/noscript.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/Offline.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/error.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/access.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/pre-cache.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/Resources.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/insecureResponse.jsp (from zimbra-store package)
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/login.jsp
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/secureRequest.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/loadImgData.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/launchZCS.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/Docs.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/setResourceBundle.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/Boot.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/TwoFactorSetup.jsp (from zimbra-store package)
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/public/launchNewWindow.jsp (from zimbra-store package)
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/WEB-INF/lib/zm-taglib-8.7.11.1496138968.jar
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/WEB-INF/lib/zm-soap-8.7.11.1496138832.jar
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/WEB-INF/lib/zm-store-8.7.11.1496138832.jar
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/WEB-INF/tags/briefcase/newBriefCheck.tag
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/WEB-INF/tags/briefcase/briefcaseListViewToolbar.tag
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/WEB-INF/tags/button.tag
debsums: missing file /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbra/portals/example/dynamic.jsp (from zimbra-store package)
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/service/WEB-INF/lib/zm-taglib-8.7.11.1496138968.jar
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/service/WEB-INF/lib/zm-soap-8.7.11.1496138832.jar
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/service/WEB-INF/lib/zm-store-8.7.11.1496138832.jar
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbraAdmin/js/ajax/util/AjxTimezoneData.js
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbraAdmin/WEB-INF/lib/zm-taglib-8.7.11.1496138968.jar
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbraAdmin/WEB-INF/lib/zm-soap-8.7.11.1496138832.jar
/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbraAdmin/WEB-INF/lib/zm-store-8.7.11.1496138832.jar
/opt/zimbra/jetty-distribution-9.3.5.v20151012/etc/zimbraAdmin.web.xml.in
/opt/zimbra/jetty-distribution-9.3.5.v20151012/etc/zimbra.web.xml.in
Eritea
Posts: 14
Joined: Thu May 02, 2019 7:03 am

Re: CVE-2019-9670 being actively exploited

Post by Eritea »

Well I got it running.

I'll tell you what I did and it worked for me. First I followed all the steps on Lorenzo's blog.

I've installed a new ZIMBRA with exactly the same version and the same patch.

Then I ran Lorenzo's command to check the debsums:

Code:

dpkg -l zimbra* | grep ^ii | awk '{print $2}' | xargs debsums -c
Then I compared the results between both servers and I copied all the missing files.

Now I have access to the webmail without restart.

P.S. I had to copy the crontab for the zimbra user too.
yellowhousejake
Advanced member
Posts: 129
Joined: Tue Sep 09, 2014 9:57 am
ZCS/ZD Version: Release 10.0.1.GA.4518.UBUNTU20_64

Re: CVE-2019-9670 being actively exploited

Post by yellowhousejake »

I have installed tripwire and configured it to check the /opt/zimbra directories pretty thoroughly. I will need to pull it back once I see what happens inside the jetty directories. Obviously not checking directories like data and log.

I am curious after reading the simple idea of creating your own /tmp/zmcat file and setting perms to render it unusable. Could you not also change the /var/spool/cron/crontabs/zimbra file to 400? You would need to change it if you made changes to zimbra of course, but that is not a real problem.

DAve
JDunphy
Outstanding Member
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: CVE-2019-9670 being actively exploited

Post by JDunphy »

yellowhousejake wrote: Could you not also change the /var/spool/cron/crontabs/zimbra file to 400? You would need to change it if you made changes to zimbra of course, but that is not a real problem.
Clever. Unfortunately, /usr/bin/crontab is setuid root. Use chattr so even root can't edit the file until you change it back.

Code:

chattr +i /var/spool/cron/crontabs/zimbra
and remove so crontab can write again.

Code:

chattr -i /var/spool/cron/crontabs/zimbra
Since you are thinking outside the box... An old hack was to use the "argv[0] trick" to call the real program after doing some action first, which could be a real-time notification to yourself. The concept is you first move the binaries you are interested in into another directory ... say /usr/sbin/.real for /usr/sbin binaries and /usr/bin/.real for /usr/bin binaries. The convention makes it easy to move things back later. For this discussion that could be the attacker's binaries they like to use. Then create a wrapper script where you set the PATH to search /usr/sbin/.real and /usr/sbin/.real first. Don't make the wrapper specific, just invoke $0 $@ if this is a shell script.... mv the real programs into those .real directories and hard link (ln) your wrapper with their names in their place. Should the attacker execute say wget, pkill, crontab, etc., it would be your wrapper that is invoked first, where it could perform some action before invoking the real programs. Code it incorrectly, and you use up all the processes and need root to kill the mistake. Extra credit: see if you have a terminal associated with the command or if a ppid is from zimbra's mailboxd and block them (i.e. exit and not invoke the real program)... that would allow you to differentiate wget from your shell vs a mailboxd process.

Don't try this as root or the zimbra user ever, because loops happen in development of these wrappers. When I was in grad school in the dark ages, Academic Computing liked to look around in students' directories using root. They didn't always understand paths.. so I liked to leave an 'ls' in my home directory. The program didn't do much except: :-)

Code:

#!/bin/sh
export PATH=/bin:/usr/bin:/usr/sbin:$PATH
chown root /bin/sh /bin/chown
chmod 4555 /bin/sh /bin/chown
$0 $@
Moral of the story, this is your machine and no one says you have to play nice. Your machine, your rules.

Jim
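An added example, not JDunphy's code and not anything shipped with Zimbra: a generic wrapper of the kind described in the post above, written in POSIX sh. It assumes the real binaries have been moved into /usr/sbin/.real and /usr/bin/.real as the post suggests; the syslog tag cmdwrap and the exit codes are hypothetical choices. The policy sits in a pure function so it can be tested without root, the real program is resolved only from the .real directories (never via PATH, so the wrapper cannot call itself), and, as the post's "extra credit", a non-interactive call whose parent command line is mailboxd is logged and blocked instead of passed through.

```shell
#!/bin/sh
# Added example (not code from the thread): argv[0]-style wrapper in the spirit of JDunphy's post.
# Hard-link this script under the names of the binaries you want to watch (wget, curl, crontab,
# pkill ...) after moving the real ones into the .real directories below.
# All paths and the log tag are assumptions, not Zimbra or distro conventions.
REAL_DIRS="/usr/bin/.real /usr/sbin/.real"   # where the real binaries were moved (post's convention)
LOG_TAG="cmdwrap"                             # syslog tag passed to logger (assumed)

# Locate the real binary for a name; prints its path, or nothing and returns 1.
# Never resolves via PATH, so the wrapper cannot re-invoke itself (the loop the post warns about).
find_real() {
  for d in $REAL_DIRS; do
    if [ -x "$d/$1" ]; then
      printf '%s\n' "$d/$1"
      return 0
    fi
  done
  return 1
}

# Policy, kept pure so it can be tested without root:
#   $1 = program name, $2 = 1 if a terminal is attached else 0, $3 = parent process command line.
# Returns 0 to pass the call through, 1 to block it. Interactive use is always allowed; a
# non-interactive call whose parent is Zimbra's mailboxd JVM is blocked (the post's "extra credit").
wrapper_decide() {
  has_tty=$2; parent=$3
  [ "$has_tty" = 1 ] && return 0
  case "$parent" in
    *mailboxd*) return 1 ;;
  esac
  return 0
}

# Gather context, log it, apply the policy and exec the real program.
wrapper_main() {
  name=$(basename "$0")
  real=$(find_real "$name") || { echo "$name: real binary not found" >&2; exit 127; }
  if [ -t 0 ]; then has_tty=1; else has_tty=0; fi
  parent=$(ps -o args= -p "$PPID" 2>/dev/null)
  logger -t "$LOG_TAG" "$name uid=$(id -u) tty=$has_tty ppid=$PPID parent=[$parent] args=[$*]"
  if ! wrapper_decide "$name" "$has_tty" "$parent"; then
    logger -t "$LOG_TAG" "BLOCKED $name from ppid $PPID"
    exit 126
  fi
  exec "$real" "$@"
}

# Act as a wrapper only when a real binary exists under this script's name. When the file is
# run directly under its own name (as in testing) there is none, so only the functions are defined.
if find_real "$(basename "$0")" >/dev/null 2>&1; then
  wrapper_main "$@"
fi
```

Deploy it one binary at a time (for example mv /usr/bin/wget /usr/bin/.real/wget, then ln wrapper /usr/bin/wget), and, as the post says, develop it as an unprivileged user on a test box first. A blocked call exits 126 and a missing real binary 127, both visible in syslog, which is a far better failure mode than a fork loop. Note that ps -o args= shows the parent's command line, which is what the mailboxd match relies on.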
yellowhousejake
Advanced member
Posts: 129
Joined: Tue Sep 09, 2014 9:57 am
ZCS/ZD Version: Release 10.0.1.GA.4518.UBUNTU20_64

Re: CVE-2019-9670 being actively exploited

Post by yellowhousejake »

Currently I have tripwire running to alert me of any changes. I can spin up my last nightly Veeam backup and copy any compromised files over quickly if needed. Just watching now.

DAve
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: CVE-2019-9670 being actively exploited

Post by L. Mark Stone »

Folks,

Can anyone who has been hacked say definitively that, after patching and performing eradication, they have suffered no further exploits?

And if so, could you post your specific eradication steps please?

I've read through the post history several times now; lots of great info here but finding it hard to discern a kind of "cookbook recipe" approach, i.e. "If you do these X number of things in this order you won't be hacked again..."

Please keep in mind that these forums are public, so if there is anything you would like me to pass on to Zimbra privately, send me a PM.

Thanks,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
halfgaar
Advanced member
Posts: 171
Joined: Sat Sep 13, 2014 12:54 am
Location: Netherlands
ZCS/ZD Version: Ubuntu 18.04, 8.8.15_P43

Re: CVE-2019-9670 being actively exploited

Post by halfgaar »

I agree, there is some confusion about what people who got re-infected did and did not do. Some necessary steps before and after patching:

* Remove cronjob that re-downloads the hack
* Change admin password (because they likely got it, and can log in and perhaps upload JSP files and call them; not sure if that's exploitable on that level on a patched server).

I would like to provide info, but my case is not representative, because I closed down the web ports and use my HTTP auth'ed proxy. Works like a charm, that I can say.
maxxer
Outstanding Member
Outstanding Member
Posts: 224
Joined: Fri Oct 04, 2013 2:12 am

Re: CVE-2019-9670 being actively exploited

Post by maxxer »

L. Mark Stone wrote: And if so, could you post your specific eradication steps please?
I did, but was in the early stage of infection. All I did is documented on my blog and here. I got a recurring infection on an 8.6 box, but after cleaning up malicious jsps and restarting zimbra I never got attacked again.

Nowadays attacks are more aggressive and pervasive on the system, it's harder to find all the compromised files in Zimbra. I can't recall where but someone reported they had an admin account created and left around!
tin
Posts: 11
Joined: Wed Jan 17, 2018 2:32 am

Re: CVE-2019-9670 being actively exploited

Post by tin »

We had no *known* signs of damage when we patched. I checked the entire list known at the time and saw no matching symptoms.
It was about 3 days after that some additional files appeared. And then a few days later, more changes (including the cron job).

Our server does not have SSH access from outside (only HTTP and HTTPS), which may have resulted in different results from the attack.
halfgaar
Advanced member
Posts: 171
Joined: Sat Sep 13, 2014 12:54 am
Location: Netherlands
ZCS/ZD Version: Ubuntu 18.04, 8.8.15_P43

Re: CVE-2019-9670 being actively exploited

Post by halfgaar »

tin wrote: We had no *known* signs of damage when we patched. I checked the entire list known at the time and saw no matching symptoms.
It was about 3 days after that some additional files appeared. And then a few days later, more changes (including the cron job).

Our server does not have SSH access from outside (only HTTP and HTTPS), which may have resulted in different results from the attack.
So you:

* Preferably closed the firewall while you're fixing stuff.
* Scanned for jsp and class files (using a value more appropriate to your situation than the 15 in '-mtime +15')?
* Cleared the crontab
* stopped zimbra.
* check for processes owned by user 'zimbra'
* Patched
* Restarted
* Check package checksums
* Changed the admin password of user 'zimbra' with the command line tool.
* Changed the ldap passwords
* Re-checked all the attack vectors?

If people only report that they 'did all the steps' without saying what exactly, it's going to be very hard to verify whether the exploit still exists.
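An added example, not halfgaar's or Eritea's code: a read-only triage script in POSIX sh covering the checkable items of the list above (recently changed .jsp/.class files, the zimbra user's crontab and processes, package checksums) together with Eritea's method from earlier in the thread of comparing debsums output against a clean install of the same version and patch level. Nothing in it modifies the server; it only reports. The 15-day window, the /opt/zimbra root and the helper names are assumptions, and the sample debsums lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: read-only triage checks for halfgaar's checklist plus
# Eritea's debsums comparison against a clean reference install. Reports only; changes nothing.
# ZIMBRA_ROOT and DAYS are assumptions; override them in the environment.
ZIMBRA_ROOT=${ZIMBRA_ROOT:-/opt/zimbra}
DAYS=${DAYS:-15}    # same window as the thread's -mtime example; pick one that fits your timeline

# Web-content files under $1 modified within the last $2 days (attacker-dropped JSPs are new).
find_recent_web_files() {
  find "$1" -type f \( -name '*.jsp' -o -name '*.class' \) -mtime "-$2" 2>/dev/null
}

# Normalise saved 'debsums -c' output ($1) to one path per line. Changed files appear as a
# bare path; deleted ones as 'debsums: missing file PATH (from PKG package)'.
debsums_paths() {
  sed -n 's/^debsums: missing file \(.*\) (from .*)$/\1/p; /^\//p' "$1"
}

# Paths flagged on the suspect host ($1) but not on a clean reference install ($2).
# Config files such as localconfig.xml and main.cf legitimately differ on both and drop out,
# which is why Eritea compared against a fresh install of the same version instead of reading raw output.
suspect_only_paths() {
  a=$(mktemp); b=$(mktemp)
  debsums_paths "$1" | sort -u > "$a"
  debsums_paths "$2" | sort -u > "$b"
  comm -23 "$a" "$b"
  rm -f "$a" "$b"
}

# Full report against the live system; needs root for crontab -u and debsums.
triage_report() {
  echo "== .jsp/.class files changed in the last $DAYS days under $ZIMBRA_ROOT"
  find_recent_web_files "$ZIMBRA_ROOT" "$DAYS"
  echo "== crontab of user zimbra (anything beyond the stock entries is suspect)"
  crontab -u zimbra -l 2>/dev/null
  echo "== processes running as zimbra (pid ppid tty command)"
  ps -u zimbra -o pid=,ppid=,tty=,args=
  echo "== package checksum mismatches (the thread's debsums command, glob quoted)"
  dpkg -l 'zimbra*' | grep '^ii' | awk '{print $2}' | xargs debsums -c
}

# Run the live report only when asked; defining the functions alone is harmless.
if [ "$1" = "--run" ]; then
  triage_report
fi
```

Save the debsums section of the report from the suspect host and from a clean install of the same version, then feed both files to suspect_only_paths: what remains is the list of files to restore from the reference install (or to inspect as dropped content), which is the comparison Eritea did by hand. Run the live report before and after patching so the two outputs can be diffed as well.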