by maxxer
Mon Apr 29, 2019 7:47 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 239
Views: 128785

Re: CVE-2019-9670 being actively exploited

How many accounts do you have? There is an account export function, per account, that you could use perhaps. It would be relatively easy to write a bash script to do that for all accounts. Like this in a loop: This is unreliable; see bgo#101760. Nowadays better use the ZeXtas migration tool, it's free...
by maxxer
Sat Apr 27, 2019 1:12 pm
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 239
Views: 128785

Re: CVE-2019-9670 being actively exploited

Looked for jsp files and didn't find anything suspicious around. Is there a way to prevent Linux from creating the zmcat file, for example, so that it deletes it immediately? Did you try the dpkg/rpm commands to check for modified files? To prevent zmcat creation, create it yourself then chown root a...
by maxxer
Fri Apr 26, 2019 6:58 pm
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 239
Views: 128785

Re: CVE-2019-9670 being actively exploited

Has anyone with recurring infections checked if the attacker uploaded a key to /opt/zimbra/.ssh/authorized_keys? Or if there are remote ssh logins for the zimbra user?
by maxxer
Fri Apr 26, 2019 2:55 pm
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 239
Views: 128785

Re: CVE-2019-9670 being actively exploited

The infection is (obviously) starting to mutate: a user reported high CPU usage from the /opt/zimbra/log/zmswatch binary
by maxxer
Fri Apr 26, 2019 12:12 pm
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 239
Views: 128785

Re: CVE-2019-9670 being actively exploited

uncelvel wrote: Hi Guy.
Some update for this bug.
Now they exist in the

/var/tmp

folder

You mean the zmcat executable is being downloaded into that directory?
by maxxer
Fri Apr 26, 2019 8:36 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 239
Views: 128785

Re: CVE-2019-9670 being actively exploited

tin wrote: Is there another exploit/bug?

If you're on 8.6 there's an additional patch (P14) for IMAP
by maxxer
Wed Apr 24, 2019 1:54 pm
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 239
Views: 128785

Re: CVE-2019-9670 being actively exploited

I have followed https://lorenzo.mile.si/zimbra-cve-2019-9670-being-actively-exploited-how-to-clean-the-zmcat-infection/961/ to clean up all malicious jsp files and patched the system. Did you try restarting Zimbra after removing all the crappy jsp/java files? I had a similar situation once and resta...
by maxxer
Mon Apr 22, 2019 6:39 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 239
Views: 128785

Re: CVE-2019-9670 being actively exploited

Can anyone give a quick description of how this exploit happens? Does it require a valid authenticated user to happen? If you have a vulnerable Zimbra installation you're vulnerable; you cannot add a mitigation (probably only a WAF could do something). There are several links in the thread with full ...
by maxxer
Fri Apr 12, 2019 2:41 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 239
Views: 128785

Re: CVE-2019-9670 being actively exploited

What about these files? I don't know if they're original Zimbra files or not, but I think so. Someone in IRC (can't recall exactly) raised the problem that some original Zimbra JSP files were touched by the infection, and suggested using the package manager to verify file integrity. While I don't rec...
by maxxer
Tue Apr 09, 2019 8:12 pm
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 239
Views: 128785

Re: CVE-2019-9670 being actively exploited

yeeP6rai wrote: Yes... Thanks

Along with them I also found some .class files with the same basename as the .java files