Attacker managed to upload files into Web Client directory
- Posts: 6
- Joined: Fri Jun 17, 2016 6:05 am
- Location: Malaysia
- ZCS/ZD Version: Zimbra 10
Re: Attacker managed to upload files into Web Client directory
Please also check if your domain has zimbraPreAuthKey added.
$ zmprov gad -e -v zimbraPreAuthKey
If you have it, ask yourself if you are really using it for SSO integration. If not, it was likely added by an attacker for remote login into any user, like the "View Mail" feature in the Admin Console. You can close ports 7071 and 9071 from the public network to prevent the use of this preauth feature.
To remove the preauth key added to your domain:
$ zmprov md the_domain zimbraPreAuthKey ''
Hope this helps.
Re: Attacker managed to upload files into Web Client directory
Hello All,
I fear that we may have fallen victim to this exploit.
Just looking for a little information here, is it known what the goal of this exploit is, what are they looking to gain? What is its purpose?
Other than that, is there anything on cleanup?
We are planning to patch to 34 and I have deleted the files which in my case were:
/home/zimbra/jetty_base/webapps/zimbraAdmin/skins/vami2/index.jsp
/home/zimbra/jetty_base/webapps/zimbraAdmin/skins/vami2/jindex.jsp
Are those legit files that were altered? These were the problem files picked up by Sophos.
I have opened a ticket with Zimbra on steps for cleaning but I'm looking for any advice in the meantime.
Thanks,
- Posts: 7
- Joined: Thu Oct 20, 2022 7:07 pm
Re: Attacker managed to upload files into Web Client directory
Hey guys.
I am joining the "party" as well.
In addition to the already mentioned files and locations, I am going to add the following:
First affected VM:
/opt/zimbra/jetty_base/webapps/zimbraAdmin/public/jsp/ZimbraBoot.jsp
- same SHA256 sum.
Timestamp is 12.06.2022.
/opt/zimbra/jetty/work/zimbra/jsp/org/apache/jsp/public_/jsp/
- same file names and SHA256 sum as it would be in the parent directory, but are instead here.
Timestamps are from 05.10.2022.
There were no changes in the sshd_config.
There were no SSH keys added.
There were no iptables rules added.
There was nothing in /tmp folder.
There was no bash history for any of the users with shell and home directory.
There were no cronjobs in /etc/crontab OR /var/spool/cron/* that were added/modified.
Zimbra Access/Trace logs show requests hitting the files from 06.10.2022 onwards.
In addition to some of those IPs, new ones are:
91\.211\.88\.91
69\.10\.32\.6
In addition, seems like lots of requests in the logs are regarding "python-requests" module, with varying version specified, varying endpoint - different files.
Doing
grep -R "python-requests" /opt/zimbra/log/ | grep jsp
and then
find /opt/zimbra/ | grep XXX
of whatever file name you see from the log grepping that ends with .jsp.
Some of them are:
BRCT6N.jsp
ltyf022e.jsp
ShFgsr.jsp
sXxaBy.jsp
soUzLT.jsp
Zy0LkC.jsp
jyg59mdv.jsp
cmd.jsp
start.jsp
.error.jsp
readme.jsp
KGEYER.jsp
datetime.jsp
The targeted context paths are:
/public/
/public/jsp/
/zimbraAdmin/
/zimbraAdmin/js/
/zimbraAdmin/js/zimbra/
/zimbraAdmin/public/
/zimbraAdmin/public/js
2nd VM, this one is in Azure.
Essentials are the same.
BUT, there are more files in
/opt/zimbra/jetty/work/zimbra/jsp/org/apache/jsp/public_/jsp/
Here we have the following ones:
-rw-r----- 1 zimbra zimbra 24299 26 юли 18,29 Ajax_jsp.class
-rw-r----- 1 zimbra zimbra 36001 26 юли 18,29 Ajax_jsp.java
-rw-r----- 1 zimbra zimbra 7325 3 окт 14,18 Boot_jsp.class
-rw-r----- 1 zimbra zimbra 7501 3 окт 14,18 Boot_jsp.java
-rw-r----- 1 zimbra zimbra 6125 3 окт 14,18 Clipboard_jsp.class
-rw-r----- 1 zimbra zimbra 5359 3 окт 14,18 Clipboard_jsp.java
-rw-r----- 1 zimbra zimbra 6254 26 юли 18,29 Debug_jsp.class
-rw-r----- 1 zimbra zimbra 5621 26 юли 18,29 Debug_jsp.java
-rw-r----- 1 zimbra zimbra 6095 26 юли 18,29 Leaks_jsp.class
-rw-r----- 1 zimbra zimbra 5349 26 юли 18,29 Leaks_jsp.java
-rw-r----- 1 zimbra zimbra 7250 3 окт 14,18 Zimbra_jsp.class
-rw-r----- 1 zimbra zimbra 7301 3 окт 14,18 Zimbra_jsp.java
-rw-r----- 1 zimbra zimbra 6533 3 окт 14,18 ZimletApp_jsp.class
-rw-r----- 1 zimbra zimbra 5995 3 окт 14,18 ZimletApp_jsp.java
-rw-r----- 1 zimbra zimbra 24299 26 юли 18,29 Ajax_jsp.class
-rw-r----- 1 zimbra zimbra 36001 26 юли 18,29 Ajax_jsp.java
-rw-r----- 1 zimbra zimbra 7325 3 окт 14,18 Boot_jsp.class
-rw-r----- 1 zimbra zimbra 7501 3 окт 14,18 Boot_jsp.java
-rw-r----- 1 zimbra zimbra 6254 26 юли 18,29 Debug_jsp.class
-rw-r----- 1 zimbra zimbra 5621 26 юли 18,29 Debug_jsp.java
-rw-r----- 1 zimbra zimbra 6095 26 юли 18,29 Leaks_jsp.class
-rw-r----- 1 zimbra zimbra 5349 26 юли 18,29 Leaks_jsp.java
Those are not present on my 1st VM.
They are all supposedly components of Jasper from Apache Tomcat, all having a similar comment header.
I would like to know if those are okay files or not okay files.
They do not appear in the logs at all.
And the other thing that worries me is this:
/var/log/secure-20221009:Oct 6 07:13:24 zmx sshd[4813]: Accepted publickey for zimbra from 10.1.0.5 port 39484 ssh2: RSA SHA256:uxEpsw4o/cmI03r2720IBr+oStDa/eZcr0dvI1XAJOs
I have a bunch of these.
That private IP is the IP of the VM in Azure.
But this seems to match with the supposedly default key in /opt/zimbra/.ssh/authorized_keys, which contains
command="/opt/zimbra/libexec/zmrcd" ssh-rsa XXXXXXX
Additional IPs of malicious requests:
5\.22\.221\.115
5\.196\.4\.214
20\.14\.89\.126
45\.158\.38\.74
51\.75\.203\.239
68\.183\.112\.45
91\.235\.116\.123
92\.60\.40\.222
136\.144\.42\.70
136\.144\.42\.75
136\.144\.42\.202
142\.44\.137\.77
158\.247\.239\.163
176\.31\.235\.16
195\.201\.123\.142
209\.97\.137\.33
EDIT: One of the RemoteShell malicious scripts being downloaded is here, in case someone needs to scan for particular contents:
46\.101\.183\.162/ .xx/ web
(remove slashes and whitespace).
I have already reported ALL of the IPs with Abuse mails/forms and in the AbuseIPDB.
Last edited by georgi.yankov on Sat Oct 29, 2022 9:24 am, edited 1 time in total.
- Posts: 7
- Joined: Thu Oct 20, 2022 7:07 pm
Re: Attacker managed to upload files into Web Client directory
rbeach wrote:
> Hello All,
> I fear that we may have fallen victim to this exploit.
> Just looking for a little information here, is it known what the goal of this exploit is, what are they looking to gain? What is its purpose?
> Other than that, is there anything on cleanup?
> We are planning to patch to 34 and I have deleted the files which in my case were:
> /home/zimbra/jetty_base/webapps/zimbraAdmin/skins/vami2/index.jsp
> /home/zimbra/jetty_base/webapps/zimbraAdmin/skins/vami2/jindex.jsp
> Are those legit files that were altered? These were the problem files picked up by Sophos.
> I have opened a ticket with Zimbra on steps for cleaning but I'm looking for any advice in the meantime.
> Thanks,
I think JSP files are supposed to be only in the zimbra/jetty_base/webapps/zimbraAdmin/public/ folder, not in the skins.
So Sophos seems to have done its job correctly.
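The two triage steps people describe in this thread (grep the access log for python-requests hits on .jsp files, then check whether the JSP files on disk are ones Zimbra actually ships, since shipped JSPs live under the public/ folders and not in places like skins/) can be combined into one script. The following is an added example, not code from this thread or from Zimbra. It assumes the Jetty access log is in NCSA "combined" format with the User-Agent as the last quoted field, and everything in SAMPLE_LOG, SAMPLE_FIND and BASELINE is constructed sample data (documentation-range IPs, a made-up baseline); on a real server BASELINE would be built from the Zimbra default file list and the file paths from a find over the webapps tree.

```python
"""Triage helpers for the JSP web-shell scenario discussed in this thread.

Added example, not code from the thread or from Zimbra. Assumptions:
- the Jetty access log uses the NCSA "combined" layout with the User-Agent
  as the last quoted field (adjust LOG_RE if your log format differs);
- SAMPLE_LOG, SAMPLE_FIND and BASELINE are constructed sample data. In a real
  run, BASELINE would come from Zimbra's default file list and the paths from
  `find /opt/zimbra/jetty_base/webapps -name '*.jsp'`.
"""
import re
from collections import Counter
from pathlib import PurePosixPath

# ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed log lines; IPs are documentation ranges, not the thread's IoCs.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Oct/2022:07:13:24 +0000] "GET /public/jsp/cmd.jsp?v=1 HTTP/1.1" 200 512 "-" "python-requests/2.28.1"
203.0.113.7 - - [06/Oct/2022:07:13:25 +0000] "GET /public/jsp/cmd.jsp HTTP/1.1" 200 480 "-" "python-requests/2.28.1"
203.0.113.7 - - [06/Oct/2022:07:13:30 +0000] "POST /zimbraAdmin/public/jsp/ZimbraBoot.jsp HTTP/1.1" 200 64 "-" "python-requests/2.27.1"
198.51.100.12 - - [06/Oct/2022:08:01:02 +0000] "GET /zimbraAdmin/skins/vami2/index.jsp HTTP/1.1" 200 300 "-" "python-requests/2.25.0"
192.0.2.44 - - [06/Oct/2022:08:02:00 +0000] "GET /public/launchZCS.jsp HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
192.0.2.44 - - [06/Oct/2022:08:02:01 +0000] "GET /zimbra/js/ajax/boot.js HTTP/1.1" 200 900 "-" "python-requests/2.28.1"
""".splitlines()

# Constructed stand-in for the output of a find over the webapps tree.
SAMPLE_FIND = [
    "/opt/zimbra/jetty_base/webapps/zimbra/public/launchZCS.jsp",
    "/opt/zimbra/jetty_base/webapps/zimbraAdmin/public/jsp/ZimbraBoot.jsp",
    "/opt/zimbra/jetty_base/webapps/zimbraAdmin/skins/vami2/index.jsp",
    "/opt/zimbra/jetty_base/webapps/zimbra/public/jsp/cmd.jsp",
    "/opt/zimbra/jetty_base/webapps/zimbra/js/ajax/boot.js",
]
# Constructed baseline of known-shipped JSPs, relative to the webapps root.
BASELINE = {"zimbra/public/launchZCS.jsp"}


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_jsp_hits(lines):
    """Count requests to *.jsp made with a python-requests User-Agent, keyed by (ip, path)."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]   # drop the query string
        if path.lower().endswith(".jsp") and rec["ua"].startswith("python-requests"):
            hits[(rec["ip"], path)] += 1
    return dict(hits)


def top_sources(hits):
    """Aggregate hit counts per source IP, most active first."""
    per_ip = Counter()
    for (ip, _path), n in hits.items():
        per_ip[ip] += n
    return per_ip.most_common()


def unexpected_jsp_files(paths, baseline, webapps_root="/opt/zimbra/jetty_base/webapps"):
    """Return *.jsp files under webapps_root whose relative path is not in the baseline.

    Anything missing from the baseline is a candidate for review, whether it sits
    in a public/ folder (the ZimbraBoot.jsp case) or somewhere a JSP should not
    be at all (the skins/ case)."""
    root = PurePosixPath(webapps_root)
    flagged = []
    for p in paths:
        pp = PurePosixPath(p)
        if pp.suffix.lower() != ".jsp":
            continue
        try:
            rel = pp.relative_to(root).as_posix()
        except ValueError:
            continue   # outside the webapps tree; not this function's job
        if rel not in baseline:
            flagged.append(p)
    return flagged


if __name__ == "__main__":
    hits = suspicious_jsp_hits(SAMPLE_LOG)
    for (ip, path), n in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"{n:4d}  {ip:15s}  {path}")
    print("sources:", top_sources(hits))
    print("review:", unexpected_jsp_files(SAMPLE_FIND, BASELINE))
```

The baseline comparison is the part that matters: a JSP inside public/ is not automatically fine (the ZimbraBoot.jsp file mentioned above was in public/jsp), so the check is "is this exact relative path a file Zimbra ships", not "is it in a public folder". Pass the real default file list as the baseline and the real find output as paths; the User-Agent filter is a quick first pass and a determined attacker can change it, so treat the file check as the authoritative one.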
Re: Attacker managed to upload files into Web Client directory
Is there any listing of base Zimbra files that we can match our directories against?
- axslingr
- Outstanding Member
- Posts: 256
- Joined: Sat Sep 13, 2014 2:20 am
- ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18
Re: Attacker managed to upload files into Web Client directory
twiggers wrote:
> Is there any listing of base Zimbra files that we can match our directories against?
https://wiki.zimbra.com/wiki/Default_Fi ... lic_Folder
Re: Attacker managed to upload files into Web Client directory
Running this will probably protect from a similar issue:
chmod -Rc 555 /opt/zimbra/jetty/webapps/zimbra/public/ /opt/zimbra/jetty/webapps/zimbraAdmin/public/
- Advanced member
- Posts: 171
- Joined: Sat Sep 13, 2014 12:54 am
- Location: Netherlands
- ZCS/ZD Version: Ubuntu 18.04, 8.8.15_P43
Re: Attacker managed to upload files into Web Client directory
You may run into problems on upgrading the installation then. But, you do have a point. The topic of the 'webroot' and the whole '/opt/zimbra' being writeable by the webserver has been discussed. I don't remember where; if it was a ticket or just here on the forums. In my opinion, that change should be considered a security patch and given priority though. Because it really is a flaw.
Consider seriously: because of the history of exploits: block Zimbra web interface with VPN, firewall or HTTP proxy.
Re: Attacker managed to upload files into Web Client directory
I also found many files in /opt/zimbra/jetty/webapps/zimbra/
Does fixing file and folder permissions (chmod -Rc 555) solve this issue?
Or can I get a detailed explanation of this vulnerability?
To solve this issue manually.
My Zimbra version on CentOS is
Release 8.6.0_GA_1153.RHEL6_64_20141215151155 RHEL6_64 FOSS edition.
I am not interested in upgrading.
- Advanced member
- Posts: 171
- Joined: Sat Sep 13, 2014 12:54 am
- Location: Netherlands
- ZCS/ZD Version: Ubuntu 18.04, 8.8.15_P43
Re: Attacker managed to upload files into Web Client directory
Your only safe recourse then is to do what I say in my signature: protect your web access with VPN, Firewall or HTTP proxy.
Consider seriously: because of the history of exploits: block Zimbra web interface with VPN, firewall or HTTP proxy.