CVE-2019-9670 being actively exploited

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
marnellej
Posts: 8
Joined: Sat Sep 13, 2014 2:05 am

Re: CVE-2019-9670 being actively exploited

Postby marnellej » Sun Jun 02, 2019 10:58 pm

Hello Sirs,

Found a new script that was added to my CRONTAB, trired removing it but unless we find the source, I'm afraid it will just come back to wreck havok on our system. Any ideas ?

#crontab -l-u zimbra
*/60 * * * * /opt/zimbra/lib/zmcheckexpiredcerts

# ls -la /opt/zimbra/lib/zmcheckexpiredcerts
-rwxr-x--- 1 zimbra zimbra 64728 Jun 3 06:24 /opt/zimbra/lib/zmcheckexpiredcerts

# more /opt/zimbra/lib/zmcheckexpiredcerts
******** /opt/zimbra/lib/zmcheckexpiredcerts: Not a text file ********


phoenix
Ambassador
Ambassador
Posts: 26341
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: CVE-2019-9670 being actively exploited

Postby phoenix » Mon Jun 03, 2019 5:21 am

marnellej wrote:Found a new script that was added to my CRONTAB, trired removing it but unless we find the source, I'm afraid it will just come back to wreck havok on our system.
Have you considered moiving ZCS config and users to a new ZCS installation? That's easily done with the ZeXtras Migration Tool, it will copy all your users and the ZCS config and none of the current problems you have and you can get yourself onto the most recent ZCS 8.8.12.
Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168
fcourtaud
Posts: 2
Joined: Thu May 30, 2019 10:29 am

Re: CVE-2019-9670 being actively exploited

Postby fcourtaud » Mon Jun 03, 2019 8:58 am

jaca_sv wrote:
fcourtaud wrote:Clean all of the .jsp, .java and .class you'll find with

Hello fcourtaud,
By "clean all of the .jsp, .java and .class" do you mean delete the suspicious lines or completely delete the files?
All the files found with "request\.getParameter" are not supposed to be in the server?



Hi jaca_sv.

The best thing is to setup a brand new zimbra (same version) and compare all of the files listed between both installs.
Remove the ones only present on the infected machine and copy the others.

Someone on the forum used this command
grep "if.*equals(" -R /opt/zimbra/mailboxd/

that returns a lot of lines look for the ones looking like
:if ( "YuJb8NsE6pVFNish3_leYERZRwt4Za27GVdS4H2lNZM" .equals(
the string YuJb8NsE6pVFNish3_leYERZRwt4Za27GVdS4H2lNZM won't be the same

Then grep "string found earlier" -R /opt/zimbra/mailboxd
grep "string found earlier" -R /opt/zimbra/jetty

and so on...
Tedd_DSI
Posts: 2
Joined: Mon May 27, 2019 7:12 am

Re: CVE-2019-9670 being actively exploited

Postby Tedd_DSI » Mon Jun 03, 2019 1:55 pm

phoenix wrote:
marnellej wrote:Found a new script that was added to my CRONTAB, trired removing it but unless we find the source, I'm afraid it will just come back to wreck havok on our system.
Have you considered moiving ZCS config and users to a new ZCS installation? That's easily done with the ZeXtras Migration Tool, it will copy all your users and the ZCS config and none of the current problems you have and you can get yourself onto the most recent ZCS 8.8.12.


Hello Bill,

it's easy, however, it is expensive with many Mailboxes.
600 Mailboxes -> 5000$ per years :roll:
it's not so easy

Tedd
User avatar
zimico
Advanced member
Advanced member
Posts: 142
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.12
Contact:

Re: CVE-2019-9670 being actively exploited

Postby zimico » Mon Jun 03, 2019 6:12 pm

Hi Tedd,
Migrate to new server is recommended by zimbra support team. Why does it cost you $5000 per year? There are several supported ways to do migration. You can use imapsync for free, for example.
Regards,
Minh.
scrubudu
Posts: 4
Joined: Mon Jun 03, 2019 9:12 pm

Re: CVE-2019-9670 being actively exploited

Postby scrubudu » Mon Jun 03, 2019 9:27 pm

Hello,

got hacked too. dealing with it since 28th May, and till i got some time to install a new VM and upgrade till the last version.. to 8.6 P4 then 8.6 P14 and finally the very last major version...job which will begin tomorrow.
I patched onto p14 too late, system was already hacked... no "/opt/zimbra" backups.. only mailboxes..
(i got zmswatch -.sh etc.. and zmcheckexpiredcerts too since today .. )

Question about upgrading a new system from full export backup : >> That's easily done with the ZeXtras Migration Tool

Is that tool enable for this version ?
--> Release 8.6.0.GA.1153.UBUNTU14.64 UBUNTU14_64 FOSS edition, Patch 8.6.0_P14

Was 8.6 NETWORK edition on P4 before patching, and will certainly be on the future system restored before upgrade.

Thank you in advance if replies about this tool. I will try to find out anyway tomorrow... already read that it shouls be a slow upgrade.. : like -> 8.6, then 8.7.11.. then the next again etc..

Would like to upgrade as soon and fast as possible ^^
regards,

Scrubudu
User avatar
zimico
Advanced member
Advanced member
Posts: 142
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.12
Contact:

Re: CVE-2019-9670 being actively exploited

Postby zimico » Tue Jun 04, 2019 1:42 am

Hi,
With zextras migration tool you can migrate from 8.6 to 8.8.12 directly.
Best regards,
Minh
Drake
Posts: 8
Joined: Tue May 28, 2019 8:52 am

Re: CVE-2019-9670 being actively exploited

Postby Drake » Tue Jun 04, 2019 7:18 am

marnellej> I confirm i also had /opt/zimbra/lib/zmcheckexpiredcerts /opt/zimbra/lib/zmlogswatch and /opt/zimbra/lib/zmmailboxdwatch in some of my systems.
These files seems not to be destined there.

With Regards
fladnar
Posts: 15
Joined: Tue Jun 04, 2019 10:17 am

Re: CVE-2019-9670 being actively exploited

Postby fladnar » Tue Jun 04, 2019 10:20 am

Drake wrote:marnellej> I confirm i also had /opt/zimbra/lib/zmcheckexpiredcerts /opt/zimbra/lib/zmlogswatch and /opt/zimbra/lib/zmmailboxdwatch in some of my systems.
These files seems not to be destined there.

With Regards


Same here, on an already patched 8.6 FOSS edition. I've re-cleaned and waiting to restart the server.
Media
Posts: 7
Joined: Wed May 24, 2017 1:49 pm

Re: CVE-2019-9670 being actively exploited

Postby Media » Tue Jun 04, 2019 3:51 pm

Hello, I just noticed that there are two zmcheckexpiredcerts files in my system :
a binary /opt/zimbra/lib/zmcheckexpiredcerts
and a script
/opt/zimbra/libexec/zmcheckexpiredcerts

*/60 * * * * /opt/zimbra/lib/zmcheckexpiredcerts was recently added at the end of /var/spool/cron/crontabs/zimbra
but in /opt/zimbra/zimbramon/crontabs/crontab there is

# SSL Certificate Expiration Checks
#
0 0 1 * * /opt/zimbra/libexec/zmcheckexpiredcerts -days 30 -email

I think the binary is a part of the exploit and the script should be a part of Zimbra.
Can someone confirm it ?

Return to “Administrators”

Who is online

Users browsing this forum: No registered users and 16 guests