by maxxer
Tue Apr 09, 2019 4:20 pm
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 239
Views: 128319

Re: CVE-2019-9670 being actively exploited

I myself also found some .class files named after the compromised .java ones.
by maxxer
Tue Apr 09, 2019 3:09 pm
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 239
Views: 128319

Re: CVE-2019-9670 being actively exploited

You can also search for recent files using:

find /opt/zimbra/jetty/ -name "*.jsp" -mtime -15 -ls

Other than this, users found malicious .java files. In addition to the one above, this find should also be run:

find /opt/zimbra/jetty/ -name "*_jsp.java" -mtime -15 -ls
by maxxer
Tue Apr 09, 2019 9:16 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 239
Views: 128319

Re: CVE-2019-9670 being actively exploited

yeeP6rai wrote:Is there way to know about new patches (via rss, maillist, zabbix web page monitor, etc) for specific zimbra version?

rss: https://blog.zimbra.com/
by maxxer
Fri Apr 05, 2019 4:04 pm
Forum: Administrators
Topic: fail2ban setting 8.8.9 / Ubuntu 16.04
Replies: 2
Views: 1072

Re: fail2ban setting 8.8.9 / Ubuntu 16.04

Follow this blog post: https://www.missioncriticalemail.com/2018/10/19/using-zimbras-dosfilter-and-failed-login-lockout-policy-together/ That, together with the postfix, postfix-auth, and postfix-sasl jails that come with fail2ban, is all I use. Lance, this is very useful, thanks for the precious work...
by maxxer
Fri Apr 05, 2019 9:01 am
Forum: Installation and Upgrade
Topic: Installing Zimbra 8.8.12_GA_3794 on Ubuntu 18.04
Replies: 33
Views: 16724

Re: Installing Zimbra 8.8.12_GA_3794 on Ubuntu 18.04

axslingr wrote:They're indicating that 18.04 support is still in beta though!


Unfortunately they forgot to add the beta badge to the download page. If you can add this note to the ticket it can help others.
by maxxer
Thu Apr 04, 2019 1:37 pm
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 239
Views: 128319

Re: CVE-2019-9670 being actively exploited

There's an ongoing discussion on IRC. Some are investigating further, because other than creating and deleting temporary accounts, some found evidence of deleted production accounts and compromised java files.

More updates will follow
by maxxer
Thu Apr 04, 2019 1:03 pm
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 239
Views: 128319

Re: CVE-2019-9670 being actively exploited

Virustotal detects zmcat as a Bitcoin miner.

The tmp.txt is not uploaded but downloaded: it's the JSP they use to run commands.
by maxxer
Thu Apr 04, 2019 10:07 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 239
Views: 128319

Re: CVE-2019-9670 being actively exploited

Hostsailor replied to me that they blocked the host currently distributing zmcat!
by maxxer
Thu Apr 04, 2019 7:33 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 239
Views: 128319

Re: CVE-2019-9670 being actively exploited

I haven't had the chance to test with modsecurity. Will give a look, thanks.

I wrote some guidelines on the behaviour of the attack and how to clean zmcat.

In short:
patch
kill running processes for l.sh and s.sh and zmcat
remove scripts and zmcat
remove uploaded jsps
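The find-based hunt from the Apr 9 post further up and the four cleanup steps just above, put together as one script. This is an added example for this page, not code from the thread or from Zimbra. It reports by default and only acts when run as "clean"; even then it leaves JSP removal to a human, because a legitimate update may also have touched files inside the mtime window. Labelled assumptions: JETTY_ROOT and the 15-day window are the values used in the thread, and the thread names /tmp/zmcat but never says where l.sh and s.sh land, so DROP_DIRS is a guess to adjust. The sample process lines used in comments and tests are constructed.

```shell
#!/bin/sh
# Added example (not from the forum thread or from Zimbra): triage helper for the
# zmcat campaign. Report-only unless invoked as "zmcat-triage.sh clean".
#
# Assumptions: JETTY_ROOT and MTIME_DAYS come from the thread; DROP_DIRS is a
# guess, since the thread names /tmp/zmcat but not where l.sh and s.sh are written.
JETTY_ROOT="${JETTY_ROOT:-/opt/zimbra/jetty}"
MTIME_DAYS="${MTIME_DAYS:-15}"
DROP_DIRS="${DROP_DIRS:-/tmp /var/tmp}"
ARTIFACT_NAMES="zmcat l.sh s.sh"

# Web-shell hunt: JSPs, the *_jsp.java sources Jetty generates from them, and the
# compiled *_jsp*.class files, all modified within the window. Root and window are
# arguments so the function can be pointed at any tree.
list_recent_webapp_files() {
    find "$1" -type f \( -name '*.jsp' -o -name '*_jsp.java' -o -name '*_jsp*.class' \) \
        -mtime "-$2" 2>/dev/null | sort
}

# Process hunt: reads "pid args" lines (as printed by ps -eo pid=,args=) on stdin
# and keeps those whose command is zmcat, l.sh or s.sh. Whole-word match, so a
# hypothetical tools.sh or zmcatalog does not trip it.
filter_suspect_processes() {
    grep -E '(^|[[:space:]/])(zmcat|l\.sh|s\.sh)([[:space:]]|$)' || true
}

# Dropper artifacts on disk, one path per line.
list_dropper_artifacts() {
    for d in $DROP_DIRS; do
        for n in $ARTIFACT_NAMES; do
            [ -e "$d/$n" ] && echo "$d/$n"
        done
    done
    return 0
}

triage() {
    echo "== JSP / servlet files under $JETTY_ROOT changed in the last $MTIME_DAYS days =="
    list_recent_webapp_files "$JETTY_ROOT" "$MTIME_DAYS"
    echo "== suspect processes =="
    procs=$(ps -eo pid=,args= 2>/dev/null | filter_suspect_processes)
    [ -n "$procs" ] && echo "$procs"
    echo "== dropper artifacts =="
    files=$(list_dropper_artifacts)
    [ -n "$files" ] && echo "$files"
    if [ "$1" = clean ]; then
        # Kill first, so a still-running l.sh/s.sh cannot re-fetch zmcat,
        # then remove the files it dropped.
        for pid in $(echo "$procs" | awk 'NF { print $1 }'); do
            kill -9 "$pid" 2>/dev/null || true
        done
        for f in $files; do rm -f -- "$f"; done
        echo "JSPs were NOT deleted: a legitimate update may have touched files in" \
             "this window, so review the list above and remove only the unexpected ones."
    fi
    return 0
}

case "$1" in
    report|clean) triage "$1" ;;
esac
```

Run it as `sh zmcat-triage.sh report` on the patched host first; patching is step one in the list above and this script does not do it. The report lists everything the later posts mention (recent .jsp, _jsp.java and .class files, the miner and dropper processes, the files on disk); `clean` kills and deletes only the named zmcat artifacts, and the JSP list is left for manual review since a remote-command JSP like the tmp.txt one looks like any other recently compiled page to find.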
by maxxer
Wed Apr 03, 2019 2:32 pm
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 239
Views: 128319

CVE-2019-9670 being actively exploited

As many reported on IRC, the latest security bug found in Zimbra is being actively exploited in the wild. It's easy to find a compromised install because the exploit campaign creates a /tmp/zmcat binary on the system. It also downloads two .sh files used to fetch the binary from 185[.]106.120.118. This...