by maxxer
Fri Apr 12, 2019 2:41 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 25
Views: 17304

Re: CVE-2019-9670 being actively exploited

What about these files? I don't know if they're original Zimbra files or not, but I think so. Someone on IRC (can't recall exactly) raised the problem that some original Zimbra JSP files were touched by the infection, and suggested using the package manager to verify file integrity. While I don't rec...
by maxxer
Tue Apr 09, 2019 8:12 pm
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 25
Views: 17304

Re: CVE-2019-9670 being actively exploited

yeeP6rai wrote: Yes... Thanks

Along with them I also found some .class files with the same basename as the .java files
by maxxer
Tue Apr 09, 2019 4:20 pm
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 25
Views: 17304

Re: CVE-2019-9670 being actively exploited

I myself also found some .class files named after the compromised .java ones
by maxxer
Tue Apr 09, 2019 3:09 pm
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 25
Views: 17304

Re: CVE-2019-9670 being actively exploited

You can also search for recent files using

find /opt/zimbra/jetty/ -name "*.jsp" -mtime -15 -ls

Other than this, users found malicious .java files. In addition to the one above, this find should also be run:

find /opt/zimbra/jetty/ -name "*_jsp.java" -mtime -15 -ls
by maxxer
Tue Apr 09, 2019 9:16 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 25
Views: 17304

Re: CVE-2019-9670 being actively exploited

yeeP6rai wrote: Is there a way to know about new patches (via RSS, mailing list, Zabbix web page monitor, etc.) for a specific Zimbra version?

rss: https://blog.zimbra.com/
by maxxer
Fri Apr 05, 2019 4:04 pm
Forum: Administrators
Topic: fail2ban setting 8.8.9 / Ubuntu 16.04
Replies: 2
Views: 573

Re: fail2ban setting 8.8.9 / Ubuntu 16.04

Follow this blog post: https://www.missioncriticalemail.com/2018/10/19/using-zimbras-dosfilter-and-failed-login-lockout-policy-together/ That, together with the postfix, postfix-auth, and postfix-sasl jails that come with fail2ban, is all I use. Lance, this is very useful, thanks to the precious work...
by maxxer
Fri Apr 05, 2019 9:01 am
Forum: Installation and Upgrade
Topic: Installing Zimbra 8.8.12_GA_3794 on Ubuntu 18.04
Replies: 18
Views: 4096

Re: Installing Zimbra 8.8.12_GA_3794 on Ubuntu 18.04

axslingr wrote: They're indicating that 18.04 support is still in beta though!

Unfortunately they forgot to add the beta badge to the download page. If you can add this note to the ticket it can help others.
by maxxer
Thu Apr 04, 2019 1:37 pm
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 25
Views: 17304

Re: CVE-2019-9670 being actively exploited

There's an ongoing discussion on IRC. Some are investigating further, because other than creating and deleting temporary accounts, some found evidence of deleted production accounts and compromised Java files.

More updates will follow
by maxxer
Thu Apr 04, 2019 1:03 pm
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 25
Views: 17304

Re: CVE-2019-9670 being actively exploited

VirusTotal detects zmcat as a Bitcoin miner.

The tmp.txt is not uploaded but downloaded: it's the JSP they use to run commands.
by maxxer
Thu Apr 04, 2019 10:07 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 25
Views: 17304

Re: CVE-2019-9670 being actively exploited

Hostsailor replied to me that they blocked the host currently distributing zmcat!