Attacker managed to upload files into Web Client directory

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
yeak
Posts: 6
Joined: Fri Jun 17, 2016 6:05 am
Location: Malaysia
ZCS/ZD Version: Zimbra 10

Re: Attacker managed to upload files into Web Client directory

Post by yeak »

Please also check if your domain has zimbraPreAuthKey added.

$ zmprov gad -e -v zimbraPreAuthKey

If you have it, ask yourself if you are really using it for SSO integration. If not, it was likely added by an attacker for remote login as any user, like the "View Mail" feature in the Admin Console. You can close ports 7071 and 9071 from the public network to prevent the use of this preauth feature.

To remove the preauth key added to your domain,

$ zmprov md the_domain zimbraPreAuthKey ''

Hope this helps.
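To make concrete why an unexpected zimbraPreAuthKey matters, here is an added example (mine, not from the post above or from Zimbra's own code) of what the key lets its holder do. The token format is the one Zimbra's preauth documentation specifies: HMAC-SHA1 over account|by|expires|timestamp, keyed with the domain's preauth key and hex encoded. The key value, account name, host name and the five-minute freshness window in verify_preauth are constructed for the example.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Constructed key for the example only. A real zimbraPreAuthKey is the 64-hex-char
# value that `zmprov generateDomainPreAuthKey <domain>` prints (or that an attacker set).
EXAMPLE_KEY = "0123456789abcdef" * 4


def compute_preauth(account, key, timestamp_ms, expires=0, by="name"):
    """Preauth token as Zimbra defines it: HMAC-SHA1 over 'account|by|expires|timestamp',
    keyed with the domain's zimbraPreAuthKey, hex encoded."""
    message = f"{account}|{by}|{expires}|{timestamp_ms}"
    return hmac.new(key.encode("utf-8"), message.encode("utf-8"), hashlib.sha1).hexdigest()


def build_preauth_url(base_url, account, key, timestamp_ms=None, expires=0):
    """URL that logs the bearer in as `account` with no password. Whoever holds the key
    can mint one of these for every account in the domain."""
    if timestamp_ms is None:
        timestamp_ms = int(time.time() * 1000)
    params = {
        "account": account,
        "by": "name",
        "timestamp": timestamp_ms,
        "expires": expires,
        "preauth": compute_preauth(account, key, timestamp_ms, expires),
    }
    return f"{base_url.rstrip('/')}/service/preauth?{urlencode(params)}"


def verify_preauth(account, key, timestamp_ms, expires, presented, now_ms=None, max_skew_ms=5 * 60 * 1000):
    """Server-side view of the check. The freshness window is an assumption for the example;
    the essential points are the constant-time comparison and that the key is the only secret."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    if abs(now_ms - timestamp_ms) > max_skew_ms:
        return False
    expected = compute_preauth(account, key, timestamp_ms, expires)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    # Anyone who knows EXAMPLE_KEY can produce a working login link for any mailbox.
    print(build_preauth_url("https://mail.example.com", "alice@example.com", EXAMPLE_KEY))
```

The endpoint lives under /service/preauth on the normal webmail port, not only on the admin ports, so the thing that actually closes this door is removing (or rotating) the key with the zmprov md command above; firewalling 7071/9071 limits the admin console but does not by itself stop a preauth login.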
rbeach
Posts: 11
Joined: Wed Sep 23, 2015 9:11 am

Re: Attacker managed to upload files into Web Client directory

Post by rbeach »

Hello All,

I fear that we may have fallen victim to this exploit.

Just looking for a little information here, is it known what the goal of this exploit is, what are they looking to gain? What is its purpose?

Other than that, is there anything on cleanup?

We are planning to patch to 34 and I have deleted the files which in my case were:

/home/zimbra/jetty_base/webapps/zimbraAdmin/skins/vami2/index.jsp
/home/zimbra/jetty_base/webapps/zimbraAdmin/skins/vami2/jindex.jsp

Are those legit files that were altered? These were the problem files picked up by Sophos.

I have opened a ticket with Zimbra on steps for cleaning but I'm looking for any advice in the meantime.

Thanks,
georgi.yankov
Posts: 7
Joined: Thu Oct 20, 2022 7:07 pm

Re: Attacker managed to upload files into Web Client directory

Post by georgi.yankov »

Hey guys.

I am joining the "party" as well.

In addition to the already mentioned files and locations, I am going to add the following:

First affected VM:

/opt/zimbra/jetty_base/webapps/zimbraAdmin/public/jsp/ZimbraBoot.jsp
- same SHA256 sum.
Timestamp is 12.06.2022.

/opt/zimbra/jetty/work/zimbra/jsp/org/apache/jsp/public_/jsp/
- same file names and SHA256 sum as it would be in the parent directory, but are instead here.
Timestamps are from 05.10.2022.

There were no changes in the sshd_config.
There were no SSH keys added.
There were no iptables rules added.
There was nothing in /tmp folder.
There was no bash history for any of the users with shell and home directory.
There were no cronjobs in /etc/crontab OR /var/spool/cron/* that were added/modified.

Zimbra Access/Trace logs show requests hitting the files from 06.10.2022 onwards.

In addition to some of those IPs, new ones are:
91\.211\.88\.91
69\.10\.32\.6

In addition, seems like lots of requests in the logs are regarding "python-requests" module, with varying version specified, varying endpoint - different files.

Doing

grep -R "python-requests"  /opt/zimbra/log/ | grep jsp
and then

find /opt/zimbra/ | grep XXX
of whatever file name you see from the log grepping that ends with .jsp.
Some of them are:

BRCT6N.jsp
ltyf022e.jsp
ShFgsr.jsp
sXxaBy.jsp
soUzLT.jsp
Zy0LkC.jsp
jyg59mdv.jsp
cmd.jsp
start.jsp
.error.jsp
readme.jsp
KGEYER.jsp
datetime.jsp
The targeted context paths are :

/public/
/public/jsp/
/zimbraAdmin/
/zimbraAdmin/js/
/zimbraAdmin/js/zimbra/
/zimbraAdmin/public/
/zimbraAdmin/public/js
2nd VM, this one is in Azure.
Essentials are the same.
BUT, there are more files in

/opt/zimbra/jetty/work/zimbra/jsp/org/apache/jsp/public_/jsp/
Here we have the following ones:

-rw-r----- 1 zimbra zimbra 24299 Jul 26 18:29 Ajax_jsp.class
-rw-r----- 1 zimbra zimbra 36001 Jul 26 18:29 Ajax_jsp.java
-rw-r----- 1 zimbra zimbra  7325 Oct  3 14:18 Boot_jsp.class
-rw-r----- 1 zimbra zimbra  7501 Oct  3 14:18 Boot_jsp.java
-rw-r----- 1 zimbra zimbra  6125 Oct  3 14:18 Clipboard_jsp.class
-rw-r----- 1 zimbra zimbra  5359 Oct  3 14:18 Clipboard_jsp.java
-rw-r----- 1 zimbra zimbra  6254 Jul 26 18:29 Debug_jsp.class
-rw-r----- 1 zimbra zimbra  5621 Jul 26 18:29 Debug_jsp.java
-rw-r----- 1 zimbra zimbra  6095 Jul 26 18:29 Leaks_jsp.class
-rw-r----- 1 zimbra zimbra  5349 Jul 26 18:29 Leaks_jsp.java
-rw-r----- 1 zimbra zimbra  7250 Oct  3 14:18 Zimbra_jsp.class
-rw-r----- 1 zimbra zimbra  7301 Oct  3 14:18 Zimbra_jsp.java
-rw-r----- 1 zimbra zimbra  6533 Oct  3 14:18 ZimletApp_jsp.class
-rw-r----- 1 zimbra zimbra  5995 Oct  3 14:18 ZimletApp_jsp.java
Those are not present on my 1st VM.

-rw-r----- 1 zimbra zimbra 24299 Jul 26 18:29 Ajax_jsp.class
-rw-r----- 1 zimbra zimbra 36001 Jul 26 18:29 Ajax_jsp.java
-rw-r----- 1 zimbra zimbra  7325 Oct  3 14:18 Boot_jsp.class
-rw-r----- 1 zimbra zimbra  7501 Oct  3 14:18 Boot_jsp.java
-rw-r----- 1 zimbra zimbra  6254 Jul 26 18:29 Debug_jsp.class
-rw-r----- 1 zimbra zimbra  5621 Jul 26 18:29 Debug_jsp.java
-rw-r----- 1 zimbra zimbra  6095 Jul 26 18:29 Leaks_jsp.class
-rw-r----- 1 zimbra zimbra  5349 Jul 26 18:29 Leaks_jsp.java
They are all supposedly components of Jasper from Apache Tomcat, all having similar comment header.
I would like to know if those are okay files or not okay files.
They do not appear in the logs at all.


And the other thing that worries me is this:

/var/log/secure-20221009:Oct  6 07:13:24 zmx sshd[4813]: Accepted publickey for zimbra from 10.1.0.5 port 39484 ssh2: RSA SHA256:uxEpsw4o/cmI03r2720IBr+oStDa/eZcr0dvI1XAJOs
I have bunch of these.
That private IP is the IP of the VM in Azure.

But this seems to match with supposedly default key in /opt/zimbra/.ssh/authorized_keys, which contains

command="/opt/zimbra/libexec/zmrcd" ssh-rsa XXXXXXX 
Additional IPs of malicious requests:

5\.22\.221\.115
5\.196\.4\.214
20\.14\.89\.126
45\.158\.38\.74
51\.75\.203\.239
68\.183\.112\.45
91\.235\.116\.123
92\.60\.40\.222
136\.144\.42\.70
136\.144\.42\.75
136\.144\.42\.202
142\.44\.137\.77
158\.247\.239\.163
176\.31\.235\.16
195\.201\.123\.142
209\.97\.137\.33
EDIT: One of the RemoteShell malicious scripts being downloaded is here, in case someone needs to scan for particular contents:

46\.101\.183\.162/ .xx/ web
(remove slashes and whitespace).

I have already reported ALL of the IPs with Abuse mails/forms and in the AbuseIPDB.
Last edited by georgi.yankov on Sat Oct 29, 2022 9:24 am, edited 1 time in total.
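The grep-then-find procedure in the post above works, but the same triage can be done in one pass over the access log: collect every .jsp that was requested, who requested it, with which client, and whether the server answered 200 (meaning the file existed and ran, not a blind probe). The following Python is an added example, not from the post or from Zimbra; it runs over constructed log lines in the Jetty NCSA format. The IPs (documentation ranges), file names and the one-entry KNOWN_JSPS allowlist are made up for the example; a real allowlist would come from a clean install of the same build.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Jetty/Zimbra NCSA-style access log line: ip ident user [ts] "METHOD target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# User agents that are almost never a browser user reading mail.
SCRIPTED_UA_PREFIXES = ("python-requests/", "curl/", "Go-http-client/")

# Constructed allowlist. On a real host build it from a clean install of the same build.
KNOWN_JSPS = {"/zimbra/public/preauth.jsp"}

# Constructed log lines (not from any real server).
SAMPLE_LOG = """\
203.0.113.10 - - [06/Oct/2022:07:13:24 +0000] "GET /zimbraAdmin/public/jsp/cmd.jsp?cmd=id HTTP/1.1" 200 512 "-" "python-requests/2.28.1"
203.0.113.10 - - [06/Oct/2022:07:13:25 +0000] "POST /zimbraAdmin/public/jsp/cmd.jsp HTTP/1.1" 200 1024 "-" "python-requests/2.28.1"
198.51.100.7 - - [06/Oct/2022:09:02:11 +0000] "GET /public/jsp/ShFgsr.jsp HTTP/1.1" 200 230 "-" "python-requests/2.25.0"
192.0.2.55 - - [06/Oct/2022:09:30:00 +0000] "GET /zimbra/public/preauth.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [06/Oct/2022:09:30:02 +0000] "GET /zimbra/js/zimbraMail/core/ZmApp.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Oct/2022:10:00:00 +0000] "GET /zimbraAdmin/js/zimbra/datetime.jsp HTTP/1.1" 404 0 "-" "curl/7.68.0"
"""


def parse(lines):
    """Yield parsed records; silently skip lines that are not access-log entries."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["path"] = urlsplit(rec["target"]).path  # drop the query string
        rec["status"] = int(rec["status"])
        yield rec


def jsp_hits(lines):
    """Aggregate every requested JSP: request count, source IPs, user agents, response codes."""
    hits = defaultdict(lambda: {"count": 0, "ips": set(), "agents": set(), "statuses": set()})
    for rec in parse(lines):
        if not rec["path"].lower().endswith((".jsp", ".jspx")):
            continue
        h = hits[rec["path"]]
        h["count"] += 1
        h["ips"].add(rec["ip"])
        h["agents"].add(rec["ua"])
        h["statuses"].add(rec["status"])
    return dict(hits)


def flag(lines, known=KNOWN_JSPS):
    """Return [(path, [reasons])] for JSPs worth looking at on disk."""
    flagged = []
    for path, h in sorted(jsp_hits(lines).items()):
        reasons = []
        if path not in known:
            reasons.append("not-in-baseline")
        if any(ua.startswith(SCRIPTED_UA_PREFIXES) for ua in h["agents"]):
            reasons.append("scripted-client")
        if 200 in h["statuses"]:
            reasons.append("served-200")  # the JSP existed and executed
        if reasons:
            flagged.append((path, reasons))
    return flagged


if __name__ == "__main__":
    for path, reasons in flag(SAMPLE_LOG.splitlines()):
        print(f"{path}: {', '.join(reasons)}")
```

A path flagged with served-200 that is not in the baseline is the one to find on disk first (find /opt/zimbra/ -name <basename>, as in the post), and the compiled copy under /opt/zimbra/jetty/work should be checked as well as the source under webapps.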
georgi.yankov
Posts: 7
Joined: Thu Oct 20, 2022 7:07 pm

Re: Attacker managed to upload files into Web Client directory

Post by georgi.yankov »

rbeach wrote:Hello All,

I fear that we may have fallen victim to this exploit.

Just looking for a little information here, is it known what the goal of this exploit is, what are they looking to gain? What is its purpose?

Other than that, is there anything on cleanup?

We are planning to patch to 34 and I have deleted the files which in my case were:

/home/zimbra/jetty_base/webapps/zimbraAdmin/skins/vami2/index.jsp
/home/zimbra/jetty_base/webapps/zimbraAdmin/skins/vami2/jindex.jsp

Are those legit files that were altered? These were the problem files picked up by Sophos.

I have opened a ticket with Zimbra on steps for cleaning but I'm looking for any advice in the meantime.

Thanks,
I think JSP files are supposed to be only in zimbra/jetty_base/webapps/zimbraAdmin/public/ folder, not in the skins.

So Sophos seems to have done its job correctly.
twiggers
Posts: 7
Joined: Thu Aug 18, 2022 4:39 am

Re: Attacker managed to upload files into Web Client directory

Post by twiggers »

Is there any listing of base Zimbra files that we can match our directories against?
axslingr
Outstanding Member
Posts: 256
Joined: Sat Sep 13, 2014 2:20 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18

Re: Attacker managed to upload files into Web Client directory

Post by axslingr »

twiggers wrote:Is there any listing of base Zimbra files that we can match our directories against?
https://wiki.zimbra.com/wiki/Default_Fi ... lic_Folder
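A default-file list is most useful when you can diff against it mechanically. The script below is an added example (not the wiki page's content and not Zimbra tooling) that hashes a webapps tree into a manifest, reports new, modified and missing files against a saved manifest, and separately flags JSP sources sitting outside the directories a baseline expects them in, which is how a skins/vami2/index.jsp stands out even without a manifest, while a dropped cmd.jsp inside a legitimate JSP directory is caught by the manifest diff. The directory layout, file names and contents in demo() are constructed for the example.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """{relative/path: sha256} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_to_manifest(root, manifest):
    """Diff the tree on disk against a manifest taken from a clean install of the same build."""
    current = build_manifest(root)
    return {
        "new": sorted(set(current) - set(manifest)),
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in set(current) & set(manifest) if current[p] != manifest[p]),
    }


def stray_jsps(root, allowed_prefixes):
    """JSP sources anywhere under root except the directories the baseline expects them in."""
    return sorted(
        rel for rel in build_manifest(root)
        if rel.lower().endswith((".jsp", ".jspx")) and not rel.startswith(tuple(allowed_prefixes))
    )


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(data)


def demo():
    """Constructed webapps tree: take a baseline, then apply the kind of changes reported in this thread."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "zimbraAdmin/public/jsp/ZimbraBoot.jsp", "<%-- stock file --%>\n")
        _write(root, "zimbraAdmin/js/zimbra/Foo.js", "var x = 1;\n")
        _write(root, "zimbra/public/preauth.jsp", "<%-- stock file --%>\n")
        baseline = build_manifest(root)

        # Attacker-style changes: two dropped JSPs and one tampered stock JSP.
        _write(root, "zimbraAdmin/skins/vami2/index.jsp", "<% /* webshell body */ %>\n")
        _write(root, "zimbraAdmin/public/jsp/cmd.jsp", "<% /* webshell body */ %>\n")
        _write(root, "zimbraAdmin/public/jsp/ZimbraBoot.jsp", "<%-- stock file --%>\n<% /* appended */ %>\n")

        diff = compare_to_manifest(root, baseline)
        strays = stray_jsps(root, ("zimbraAdmin/public/jsp/", "zimbra/public/"))
        return diff, strays


if __name__ == "__main__":
    diff, strays = demo()
    print("manifest diff:", diff)
    print("JSPs outside expected directories:", strays)
```

On a real host, run build_manifest as the zimbra user against /opt/zimbra/jetty_base/webapps on a clean install of your exact build, keep the manifest off the box, and run compare_to_manifest against the suspect server; the compiled copies under /opt/zimbra/jetty/work that the earlier post mentions deserve the same treatment, since a stale .class there can outlive the deleted .jsp.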
zimbra900
Posts: 27
Joined: Wed May 24, 2023 11:05 am
ZCS/ZD Version: 10.0.4 FOSS

Re: Attacker managed to upload files into Web Client directory

Post by zimbra900 »

Running this will probably protect from a similar issue:

chmod -Rc 555 /opt/zimbra/jetty/webapps/zimbra/public/ /opt/zimbra/jetty/webapps/zimbraAdmin/public/
halfgaar
Advanced member
Posts: 171
Joined: Sat Sep 13, 2014 12:54 am
Location: Netherlands
ZCS/ZD Version: Ubuntu 18.04, 8.8.15_P43

Re: Attacker managed to upload files into Web Client directory

Post by halfgaar »

You may run into problems on upgrading the installation then. But, you do have a point. The topic of the 'webroot' and the whole '/opt/zimbra' being writeable by the webserver has been discussed. I don't remember where; if it was a ticket or just here on the forums. In my opinion, that change should be considered a security patch and given priority though. Because it really is a flaw.
Consider seriously: because of the history of exploits: block Zimbra web interface with VPN, firewall or HTTP proxy.
vipin65
Posts: 12
Joined: Sat Sep 13, 2014 1:20 am

Re: Attacker managed to upload files into Web Client directory

Post by vipin65 »

I also found many files in /opt/zimbra/jetty/webapps/zimbra/
Does fixing file and folder permissions (chmod -Rc 555) solve this issue?
Or can I get a detailed explanation of this vulnerability,
to solve this issue manually?
My Zimbra version, on CentOS, is
Release 8.6.0_GA_1153.RHEL6_64_20141215151155 RHEL6_64 FOSS edition.
I am not interested in upgrading.
halfgaar
Advanced member
Posts: 171
Joined: Sat Sep 13, 2014 12:54 am
Location: Netherlands
ZCS/ZD Version: Ubuntu 18.04, 8.8.15_P43

Re: Attacker managed to upload files into Web Client directory

Post by halfgaar »

Your only safe recourse then is to do what I say in my signature: protect your web access with a VPN, firewall or HTTP proxy.
Consider seriously: because of the history of exploits: block Zimbra web interface with VPN, firewall or HTTP proxy.