CVE-2019-9670 being actively exploited (Hacked Server)

fladnar
Posts: 29
Joined: Tue Jun 04, 2019 10:17 am

Re: CVE-2019-9670 being actively exploited

Post by fladnar »

Media wrote: Hello, I just noticed that there are two zmcheckexpiredcerts files in my system:


I think the binary is a part of the exploit and the script should be a part of Zimbra.
Can someone confirm it?
In my system, it's part of the exploit. If you remove it, it comes back after 5-10 seconds.
You can touch a file with the same name and apply a chmod 000 and chattr +i to keep the file from reappearing.
fladnar
Posts: 29
Joined: Tue Jun 04, 2019 10:17 am

Re: CVE-2019-9670 being actively exploited

Post by fladnar »

I've cleaned the miner, applied patch, rebooted, and don't see any rogue zmcat or zmswatch process...
One problem persists: Can't attach files over 100k in webmail. I've already fixed permissions...any ideas?
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: CVE-2019-9670 being actively exploited

Post by phoenix »

fladnar wrote:I've cleaned the miner, applied patch, rebooted, and don't see any rogue zmcat or zmswatch process...
One problem persists: Can't attach files over 100k in webmail. I've already fixed permissions...any ideas?
You don't say what error you're seeing nor whether your setting for file upload size is correct on your server.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
fladnar
Posts: 29
Joined: Tue Jun 04, 2019 10:17 am

Re: CVE-2019-9670 being actively exploited

Post by fladnar »

phoenix wrote:
fladnar wrote:I've cleaned the miner, applied patch, rebooted, and don't see any rogue zmcat or zmswatch process...
One problem persists: Can't attach files over 100k in webmail. I've already fixed permissions...any ideas?
You don't say what error you're seeing nor whether your setting for file upload size is correct on your server.
The error is a 500 critical error.
The size is correct.
NVM, I've applied the chmod 755 /opt/zimbra/data/tmp/ and chmod 755 /opt/zimbra/data/tmp/upload again and that fixed it.

Thanks!
apiening
Posts: 30
Joined: Tue Aug 30, 2016 9:57 pm

Re: CVE-2019-9670 being actively exploited

Post by apiening »

Since it is very hard if not impossible to really be sure that the system is clean after removing the zmswatch binary and malicious scripts, I wonder how a reinstall could be done without losing any data.

One option I see is to install another instance of Zimbra and transfer all emails with imapsync. This would require re-creating all users and transferring every mailbox. A lot of work, not to mention that this would only transfer mailboxes. All settings, calendar entries etc. would be lost.

Would it be possible to do a clean install, copy the mail storage folder over (for example with rsync) and do a mysqldump of the DB and a slapcat of the LDAP server and restore them on the fresh install?
After changing the LDAP and admin password and removing unknown accounts from Zimbra, it would be a cleaner approach than searching for jsp and java files in several folders where it is easy to overlook changed files.

Any thoughts?
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: CVE-2019-9670 being actively exploited

Post by phoenix »

apiening wrote:Would it be possible to do a clean install, copy the mail storage folder over (for example with rsync) and do a mysqldump of the DB and a slapcat of the LDAP server and restore them on the fresh install?
Use the ZeXtras Migration Tool; it's free to use, quick and easy to do, and it has been mentioned all over these forums for many years.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
apiening
Posts: 30
Joined: Tue Aug 30, 2016 9:57 pm

Re: CVE-2019-9670 being actively exploited

Post by apiening »

phoenix wrote:
apiening wrote:Would it be possible to do a clean install, copy the mail storage folder over (for example with rsync) and do a mysqldump of the DB and a slapcat of the LDAP server and restore them on the fresh install?
Use the ZeXtras Migration Tool; it's free to use, quick and easy to do, and it has been mentioned all over these forums for many years.
Thank you very much! This sounds great!
I just took a look at it and from my understanding I can download the ZeXtras Migration Tool for free, but I need to install the non-free Zextras Suite on the new / target server in order to do the restore. Is this correct?
Can you tell if it is possible to install the 30-day trial, do the restore and then remove/uninstall the Zextras Suite?
zimbraargentina
Posts: 5
Joined: Mon May 27, 2019 1:49 pm

Re: CVE-2019-9670 being actively exploited

Post by zimbraargentina »

I want to know if someone has the jetty for versions 8.6 and 8.7.11 clean, without malicious code and with the patch applied from a clean install... to download and replace in my versions.
The problem with file upload persists....

thanks.
scrubudu
Posts: 4
Joined: Mon Jun 03, 2019 9:12 pm

Re: CVE-2019-9670 being actively exploited

Post by scrubudu »

Hello,

While waiting to restore a new system (data transfer sometimes takes so much time...)

Yesterday I found a new binary file uploaded and running like the others (zmcerts, zmswatch etc...) in:

/opt/zimbra/cbpolicyd/bin/cbstat
(cbpolicyd is an ln -s directory)

I have an old backup (hopefully...) from last March updated to P14, and this file doesn't seem to be from Zimbra... furthermore, it loads the CPU to ~200% like the others.

A good way to check is also the command:
# stat [file]

which shows the real times better than ls -la (or ls -lrt...)

I've had to chattr +i more than one file or directory these last days...
________

I'm searching for an exhaustive URL that lists every file that should be in Zimbra, per version, especially binary files: does it exist? (like zmbackup, which was born with 8.7 --> Disaster recovery Tech Zimbra post)...

It would be ideal to also have a list of the accesses (r, w, or x) made by each binary, in /opt/zimbra and in other filesystems too (/tmp etc...)

I searched, but perhaps not well... or perhaps I'm being too idealistic about exhaustive documentation
--> I didn't find it until today (other than the checksums from dpkg, which don't account for patches from tgz added afterwards...)

Lots of people are asking whether "this or that binary" belongs to a complete, healthy Zimbra Suite... it would be great to have that, at least for the latest version, instead of spending hours reading posts trying to get the system healthy (after taking charge of Zimbra from someone who didn't do any system backups or security patches... so, well: for a Zimbra newbie like me...)

Best regards, and good luck to those who are still dealing with it this week!

PS: sorry for my English, I hope it is understandable...
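The two points raised above, namely telling a dropped binary apart from the same-named Zimbra script, and reading inode change times with stat instead of trusting ls -la, can be put into a small triage script. The following is an added example for this thread, not code from the forum posts, from Zimbra or from any patch; it assumes a POSIX sh with find, stat, od and head (GNU stat -c, falling back to BSD stat -f), and it builds its own constructed sample tree so it runs offline without touching /opt/zimbra.

```shell
#!/bin/sh
# Added triage helper (not from the forum thread or from Zimbra).
# Assumes POSIX sh plus find, stat, od and head.

# Classify a file by its magic bytes rather than its name: the thread's two
# same-named zmcheckexpiredcerts files differ exactly here (ELF vs script).
classify_file() {
    magic=$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        7f454c46) echo elf ;;      # 0x7f 'E' 'L' 'F'
        2321*)    echo script ;;   # "#!" shebang
        *)        echo other ;;
    esac
}

# Inode change time (ctime). ls -l shows mtime, which touch -t can set to
# any value; ctime is updated by the kernel and is the better timestamp
# for "when did this file really change on disk".
ctime_of() {
    stat -c %Z "$1" 2>/dev/null || stat -f %c "$1"
}

# Files under a directory whose inode changed in the last N minutes.
recently_changed() {
    find "$1" -type f -cmin "-$2" 2>/dev/null | sort
}

# Number of ELF files under a directory, for comparing a suspect install
# against a known-good one of the same version (as asked for in the thread).
count_elf() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        classify_file "$f"
    done | grep -c '^elf$' || true
}

# One line per file: class, ctime (epoch seconds), path.
triage_report() {
    find "$1" -type f 2>/dev/null | sort | while IFS= read -r f; do
        printf '%-6s %s %s\n' "$(classify_file "$f")" "$(ctime_of "$f")" "$f"
    done
}

# Constructed sample tree (not real Zimbra files): a fake ELF header and a
# shell script sharing the name from the thread, plus a plain text file.
make_sample_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/bin"
    printf '\177ELF\002\001\001' > "$d/bin/zmcheckexpiredcerts"
    printf '#!/bin/sh\necho check\n' > "$d/zmcheckexpiredcerts"
    printf 'plain text\n' > "$d/README"
    echo "$d"
}

SAMPLE=$(make_sample_dir)
triage_report "$SAMPLE"
echo "elf files: $(count_elf "$SAMPLE")"
rm -rf "$SAMPLE"
```

On a real server you would run `triage_report /opt/zimbra` (or `recently_changed /opt/zimbra 1440` for the last day) and compare the ELF count and the list of ELF paths against a clean install of the same version and patch level; a line reading `elf` at a path where the clean install has `script` is the case the thread describes. The ctime column is what `stat` gives you and `ls -la` does not.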
scrubudu
Posts: 4
Joined: Mon Jun 03, 2019 9:12 pm

Re: CVE-2019-9670 being actively exploited

Post by scrubudu »

@zimbraargentina

I'm currently restoring an 8.6 P4 upgraded to 8.6 P14 before migration with rsync, following this post:
https://wiki.zimbra.com/wiki/Steps_To_R ... ZCS_Server

I hope it will work (and that none of the binary files listed in this "howto" are compromised)... you should try it. Change all the passwords anyway (zmldappassword etc.)

PostScriptum: zmbackup isn't available for version 8.6.
PostScriptum2: Zextras Suite seems heavy, and not being sure that the trial will import the full backup from the free tool ("Zextras Migration Tool"), my first try will be with rsync.
--> is the ZimbraSuite trial working for a real restore from a Zextras Migration Tool backup? As in really free? (the Zextras Migration Tool is free, OK, but the question about importing the backup is still there...)

PS: and you are right, the shell script from the patch [.install.sh] doesn't update the files anymore after being run once... (like a checksum control with the patch...) It apparently just checks the current version... if patched when already hacked, this is useless indeed.

Regards,