Search found 11 matches

by tin
Tue May 28, 2019 1:04 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 239
Views: 140123

Re: CVE-2019-9670 being actively exploited

Have a read over the whole thread.... I'll give a few thoughts here, but this is not everything... You've most likely got a cron job re-downloading the malicious script. There may also be malicious js files scattered through the jetty/webapps folders. I found uninstalling wget and curl stopped the s...
by tin
Wed May 22, 2019 3:40 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 239
Views: 140123

Re: CVE-2019-9670 being actively exploited

I just checked our backups from the day our web interface was broken... Not sure if it's a backup from while it was broken or not, but I found this: Only in webapps/zimbra/downloads: 05x6.jsp Only in webapps/zimbra/downloads: 51Qi.jsp Only in webapps/zimbra/downloads: jfyJ.jsp Only in webapps/zimbra...
by tin
Sat May 18, 2019 3:02 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 239
Views: 140123

Re: CVE-2019-9670 being actively exploited

403 could be damaged webapps (cant think of the exact path off the top of my head) folder. We had to replace ours from a backup after mystery jsp files appeared. Rename the current folder (while zimbra is stopped) and put the backup from before it broke in place (remember to check permissions too). ...
by tin
Fri May 10, 2019 3:13 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 239
Views: 140123

Re: CVE-2019-9670 being actively exploited

We had no *known* signs of damage when we patched. I checked the entire list known at the time and saw no matching symptoms. It was about 3 days after that some additional files appeared. And then a few days later, more changes (including the cron job). Our server does not have SSH access from outsi...
by tin
Fri May 03, 2019 5:01 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 239
Views: 140123

Re: CVE-2019-9670 being actively exploited

I just found more modified files on our server (8.7 patched).... That appeared today, modified about 20 minutes ago (right while I was catching up on this thread, ironically). And /var/tmp/zmcat has now appeared. This was not present when we patched, nor was it present when we found our web interfac...
by tin
Mon Apr 29, 2019 4:48 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 239
Views: 140123

Re: CVE-2019-9670 being actively exploited

We're running 8.7.11. I will probably restore the jetty folder from a backup on Monday. Or is that a bad idea? Well, I renamed the old "webapps" directory, made a new empty one, and restored just that folder... Got the web interface back to working... For us anyway. I'm not convinced we'r...
by tin
Sat Apr 27, 2019 11:08 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 239
Views: 140123

Re: CVE-2019-9670 being actively exploited

I'm fairly sure there was nothing wrong with ports - we'd had a similar 403 issue last year that was caused by wrong ports.... This time it looks like the exploit has broken the web interface, and being the weekend I haven't looked into it yet. Monday job.
by tin
Fri Apr 26, 2019 10:56 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 239
Views: 140123

Re: CVE-2019-9670 being actively exploited

maxxer wrote:
tin wrote:Is there another exploit/bug?


If you're on 8.6 there's an additional patch (P14) for IMAP


We're running 8.7.11. I will probably restore the jetty folder from a backup on Monday. Or is that a bad idea?
by tin
Fri Apr 26, 2019 8:30 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 239
Views: 140123

Re: CVE-2019-9670 being actively exploited

So I patched and restarted the server on Monday night... Seemed to work, and all was working on Tuesday. Today I got a call asking if I knew why it was coming up with 403 (which it certainly wasn't on Tuesday). After much reading of logs and looking at whether ports were misconfigured, I decided to ...
by tin
Mon Apr 22, 2019 4:42 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 239
Views: 140123

Re: CVE-2019-9670 being actively exploited

Can anyone give a quick description of how this exploit happens?
Does it require a valid authenticated user to happen?

Go to advanced search