
Re: CVE-2019-9670 being actively exploited

Posted: Tue Jul 09, 2019 10:56 am
by phoenix
How about the info in this thread: https://forums.zimbra.org/viewtopic.php?f=15&t=66546

Re: CVE-2019-9670 being actively exploited

Posted: Tue Jul 09, 2019 10:02 pm
by Toru
Bill, thanks for the answer!

By that time I didn't have the zmcpustater and zmcpustat files on my server.
I had earlier rebuilt the crontab of the Zimbra user as described in these instructions https://wiki.zimbra.com/wiki/Step_to_re ... imbra_user
And this file included only a legitimate line:

Code:

# Run zmgsaupdate util to trickleSync galsync accounts
#
 49 0 * * 7    /opt/zimbra/libexec/zmgsaupdate > /dev/null 2>&1


But all the same, I commented it out. (I doubt it was a necessary step :) )

Memcached I had previously moved to localhost. Now I have made the change and added lines to iptables.

Let's look at the result a little time later.
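The post above shows what a clean Zimbra user crontab should contain: a single zmgsaupdate line running from /opt/zimbra. As an added example (not from this thread and not a Zimbra tool), here is a small audit script that parses a crontab dump and flags entries whose program lives in a scratch directory such as /tmp or outside /opt/zimbra. The sample crontab text is constructed from the legitimate line quoted in the post plus a placeholder /tmp entry; the placeholder name is not a real indicator.

```python
import re

# Constructed sample: the legitimate zmgsaupdate line from the post, a harmless
# variable assignment, and a placeholder entry in /tmp (constructed, not a real IoC).
SAMPLE_CRONTAB = """\
# Run zmgsaupdate util to trickleSync galsync accounts
#
 49 0 * * 7    /opt/zimbra/libexec/zmgsaupdate > /dev/null 2>&1
MAILTO=""
*/10 * * * *    /tmp/EXAMPLE_placeholder_job > /dev/null 2>&1
"""

# Where a Zimbra user's cron jobs are expected to live.
ALLOWED_PREFIXES = ("/opt/zimbra/",)
# World-writable scratch locations that a legitimate Zimbra cron job never runs from.
SCRATCH_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Five schedule fields (or an @daily-style shortcut) followed by the command.
ENTRY_RE = re.compile(r"^\s*((?:\S+\s+){4}\S+|@\w+)\s+(\S.*)$")
# NAME=value lines set environment variables and are not jobs.
ASSIGN_RE = re.compile(r"^\s*[A-Za-z_][A-Za-z0-9_]*\s*=")


def parse_crontab(text):
    """Return (schedule, command) tuples for every job line in a crontab dump."""
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or ASSIGN_RE.match(line):
            continue
        m = ENTRY_RE.match(line)
        if m:
            schedule = " ".join(m.group(1).split())
            entries.append((schedule, m.group(2).strip()))
    return entries


def audit_crontab(text):
    """Return (schedule, command, reason) for each job that does not look like Zimbra's own."""
    findings = []
    for schedule, command in parse_crontab(text):
        program = command.split()[0]
        if program.startswith(SCRATCH_PREFIXES):
            findings.append((schedule, command, "runs a program from a scratch directory"))
        elif not program.startswith(ALLOWED_PREFIXES):
            findings.append((schedule, command, "program is outside /opt/zimbra"))
    return findings


if __name__ == "__main__":
    # On a real host feed in the output of: crontab -u zimbra -l
    for schedule, command, reason in audit_crontab(SAMPLE_CRONTAB):
        print(f"[{reason}] {schedule}  {command}")
```

Run it against `crontab -u zimbra -l` output; any finding is worth a look, since every job Zimbra installs for its own user comes from /opt/zimbra.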

Re: CVE-2019-9670 being actively exploited

Posted: Wed Jul 10, 2019 7:39 am
by mqaroush
How can I prevent Autodiscover?

Code:

[root@xxx tmp]# cat /opt/zimbra/log/access_log.2019-07-09 | grep pyth
113.196.70.24 -  -  [10/Jul/2019:02:29:55 +0000] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 400 345 "-" "python-requests/2.21.0" 85

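The log line quoted above is a scripted client (python-requests) POSTing to the Autodiscover endpoint and getting a 400 back. As an added example (not from this thread and not part of Zimbra), here is a parser for lines in that access_log format that picks out Autodiscover requests coming from scripted user agents and counts them per source address, so the volume of such probes can be watched over time. The first sample line is the one from the post; the other lines are constructed, using documentation IP ranges, to show a normal Outlook Autodiscover request and a web-client request that are not flagged.

```python
import re
from collections import Counter

# Constructed sample input: line 1 is the one quoted in the post, lines 2-4 are
# constructed (198.51.100.x and 203.0.113.x are documentation address ranges).
SAMPLE_LOG = """\
113.196.70.24 -  -  [10/Jul/2019:02:29:55 +0000] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 400 345 "-" "python-requests/2.21.0" 85
113.196.70.24 -  -  [10/Jul/2019:02:29:57 +0000] "POST /autodiscover/autodiscover.xml HTTP/1.1" 400 345 "-" "python-requests/2.21.0" 61
198.51.100.7 -  -  [10/Jul/2019:08:12:01 +0000] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 401 0 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4266; Pro)" 12
203.0.113.9 -  -  [10/Jul/2019:08:13:44 +0000] "GET /zimbra/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/67.0" 33
"""

# Common-log style: ip ident user [time] "METHOD path proto" status bytes "referer" "agent" ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+)\s+\S+\s+\S+\s+\[(?P<time>[^\]]+)\]\s+'
    r'"(?P<method>\S+)\s+(?P<path>\S+)(?:\s+\S+)?"\s+'
    r'(?P<status>\d{3})\s+(?P<bytes>\S+)\s+'
    r'"(?P<referer>[^"]*)"\s+"(?P<agent>[^"]*)"'
)

# User-agent fragments of generic HTTP libraries that real mail clients never send.
SCRIPTED_AGENTS = ("python-requests", "python-urllib", "curl/", "wget/", "go-http-client")


def parse_access_line(line):
    """Parse one access_log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_scripted_client(agent):
    """True when the user agent belongs to a generic scripting HTTP library."""
    lowered = agent.lower()
    return any(fragment in lowered for fragment in SCRIPTED_AGENTS)


def find_autodiscover_probes(lines):
    """Return parsed records for Autodiscover requests made by scripted clients."""
    probes = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        if not rec["path"].lower().startswith("/autodiscover/"):
            continue
        if is_scripted_client(rec["agent"]):
            probes.append(rec)
    return probes


def probes_by_source(lines):
    """Count scripted Autodiscover requests per source IP."""
    return Counter(rec["ip"] for rec in find_autodiscover_probes(lines))


if __name__ == "__main__":
    # On a real host: python3 this_script.py < /opt/zimbra/log/access_log.2019-07-09
    for ip, count in probes_by_source(SAMPLE_LOG.splitlines()).most_common():
        print(f"{ip}\t{count} scripted Autodiscover request(s)")
```

A 400 on these requests means the server rejected the body, which on its own is not evidence of a successful exploit; the useful signal is a source that keeps probing the endpoint with a scripting library, which is what the per-IP count surfaces.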

Re: CVE-2019-9670 being actively exploited

Posted: Wed Jul 10, 2019 8:51 am
by phoenix
mqaroush wrote: How can I prevent Autodiscover?
Why, do you think it's a problem or is it causing you a problem?

Re: CVE-2019-9670 being actively exploited

Posted: Wed Jul 10, 2019 2:29 pm
by RomanI
I've been actively fighting an infection on an 8.6, patch 14 install - have followed the steps outlined and keep having this thing coming back.

Yesterday we had zmcpustat appear again. Stopped the process, cleaned it, deleted the file, created a temp file with the same name, locked it using chattr, cleaned the crontab, and today I've got zmiostat using up 1200% of the CPU...

We are migrating everything over to a new box (time consuming as we've got 300+ mailboxes and 3 TB of data) running 8.8, but in the meantime they still seem to be getting in on the old server...

Re: CVE-2019-9670 being actively exploited

Posted: Thu Jul 11, 2019 11:57 am
by rodrigoferra
Two days ago I was attacked by this bitcoin stuff.

Did every step necessary, patched the software, followed a lot of instructions... Currently, my zmopendkimctl is not running and the zmconfigd always seems to fail on start but later it's working.

First-time I'm facing something like this.

Best regards!

Re: CVE-2019-9670 being actively exploited

Posted: Thu Jul 11, 2019 2:11 pm
by RomanI
So the last attempt (yesterday) put a fake zmiostat into /tmp...

Again cleaned that, created a dummy file with the same name and then used chattr to lock it...

Reset all Zimbra passwords...

So far it's been clean through the night - but then we were also clear for close to a month after doing patch 14 and it then returned...

Best bet as far as I can tell is still to build a new server and migrate everything over...

Does anyone out there have a way to migrate contact data? (address, phone etc) - all the built-in tools that I've seen don't allow access to that and I'm hesitant to start playing with the LDAP directly....

Re: CVE-2019-9670 being actively exploited

Posted: Thu Jul 11, 2019 2:41 pm
by phoenix
You can move all your current data and config to a new server with the ZeXtras Migration Tool, take a look at that.

Re: CVE-2019-9670 being actively exploited

Posted: Thu Jul 11, 2019 2:53 pm
by RomanI
"You can move all your current data and config to a new server with the ZeXtras Migration Tool, take a look at that."

The problem with that approach is that we've got way too much data and mailboxes to get it done quickly enough. We are a 24/7 shop and any email downtime affects the bottom line...

The approach we ended up taking (since we were also migrating versions and core OS) was to set up the new server, extract mailbox info, signatures etc - import back onto the new server, bring it online and now with the old server offline (but accessible so that staff can view old emails/contacts until their mailbox is queued to be imported) we are exporting mailbox data and importing it back in batches...

All the scripts/tools that I've been using have worked very well - with the exception of the contact info - which for some reason I can't fathom - there are no CLI tools to permit anyone to access, export or import....

Re: CVE-2019-9670 being actively exploited

Posted: Thu Jul 11, 2019 3:47 pm
by rodrigoferra
My current situation is that everything seems to be back to normal.

- Applied patch 14;
- Searched for the files, found one file called Docs.js with some injected code in it, cleaned it;
- A problem with DKIM and IPv6 after the patch;
- Renewed all the keys and passwords.

The opendkim issue I solved with the link: https://sebastian.marsching.com/blog/ar ... erver.html

I installed fail2ban too, since there were too many tries at my postfix via SASL, and renewed the Zimbra keys. My server is extremely closed now.