Zimbra AJAX Webmail not loading

conceicao_ti · Postby **conceicao_ti** » Tue May 28, 2019 6:30 pm

Ola, tive o mesmo problema a correção foi para o serviço do zimbra ver o que esta em execução no top -u zimbra, feito isso finalizar os processos pendentes, depois verificar as permissões dos arquivos com o comando
/opt/zimbra/libexec/zmfixperms -extended

excluir os executáveis
zmswatch.sh e kthrotlds
refazer a crontab do zimbra

willian.barker · Postby **willian.barker** » Tue May 28, 2019 6:45 pm

I meant to say it worked out for now. Until I find the correct way to fix the problem.

Do you have any method for me?
The process zmswatch using very high CPU.

Thank you.

MaySky · Postby **MaySky** » Tue May 28, 2019 6:52 pm

koval1986 wrote:Who managed to overcome ZMWATCH completely without return. I have 4 hours and everything comes back!

I am. 22 hours without virus already.
Found new intrusion attempts in logs, but all the files in jetty folder are as on newly installed system disconnected from internet and no strange activity in top.
tmp and log folder is ok also.
Reverted back standard cron tasks as per instruction https://wiki.zimbra.com/wiki/Step_to_re ... imbra_user
Cron file is untouched from that time also.

conceicao_ti · Postby **conceicao_ti** » Tue May 28, 2019 7:04 pm

Ola
olha só finaliza o processo zmswatch localiza o zmswatch.sh e deleta ele, bloqueia o ip tmb.

willian.barker wrote:I meant to say it worked out for now. Until I find the correct way to fix the problem.

Do you have any method for me?
The process zmswatch using very high CPU.

Thank you.

conceicao_ti · Postby **conceicao_ti** » Tue May 28, 2019 7:09 pm

Se você nao localizar o executável e vai voltar a alterar o crontab e deletar os paramentros do zimbra.

MaySky wrote:
koval1986 wrote:Who managed to overcome ZMWATCH completely without return. I have 4 hours and everything comes back!

I am. 22 hours without virus already.
Found new intrusion attempts in logs, but all the files in jetty folder are as on newly installed system disconnected from internet and no strange activity in top.
tmp and log folder is ok also.
Reverted back standard cron tasks as per instruction https://wiki.zimbra.com/wiki/Step_to_re ... imbra_user
Cron file is untouched from that time also.

zimbraargentina · Postby **zimbraargentina** » Tue May 28, 2019 7:20 pm

The final solution for remove zmswatch is

AS ROOT

ps -faxu to see the PID number of process
kill -9 PID

cd /opt/zimbra/log
rm -rf zmswatch
rm -rf zmswatch.sh

touch zmswatch
touch zmswatch.sh

chattr +i zmswatch
chattr +i zmswatch.sh

crontab -e -u zimbra
edit and remove the last line if exists that call zmswatch.sh
save and exit

and use TOP to see the CPU use.
the load average must be goes down in five minutes.

Thanks
Marcos
SDA Argentina

conceicao_ti · Postby **conceicao_ti** » Tue May 28, 2019 7:21 pm

Ola amigo, mesmo fazendo isso tem algo que fica tentando alterar o crontab o que fiz foi tirar também a permissão de edição do arquivo crontab pois quando ele aterar deleta tudo que tem la e adiciona um comando que baixa e executa outro sh

zimbraargentina wrote:The final solution for remove zmswatch is

AS ROOT

ps -faxu to see the PID number of process
kill -9 PID

cd /opt/zimbra/log
rm -rf zmswatch
rm -rf zmswatch.sh

touch zmswatch
touch zmswatch.sh

chattr +i zmswatch
chattr +i zmswatch.sh

crontab -e -u zimbra
edit and remove the last line if exists that call zmswatch.sh
save and exit

and use TOP to see the CPU use.
the load average must be goes down in five minutes.

Thanks
Marcos
SDA Argentina

MaySky · Postby **MaySky** » Tue May 28, 2019 7:23 pm

zimbraargentina wrote:The final solution for remove zmswatch is

AS ROOT

ps -faxu to see the PID number of process
kill -9 PID

cd /opt/zimbra/log
rm -rf zmswatch
rm -rf zmswatch.sh

touch zmswatch
touch zmswatch.sh

chattr +i zmswatch
chattr +i zmswatch.sh

crontab -e -u zimbra
edit and remove the last line if exists that call zmswatch.sh
save and exit

and use TOP to see the CPU use.
the load average must be goes down in five minutes.

Thanks
Marcos
SDA Argentina

This will remove active virus but you should fix/remove all the files in jetty folder, that were compromised as the attack vector will remain even if you'll patch with the latest patch.

zimbraargentina · Postby **zimbraargentina** » Tue May 28, 2019 7:29 pm

Of Course

MaySky wrote:
zimbraargentina wrote:The final solution for remove zmswatch is

AS ROOT

ps -faxu to see the PID number of process
kill -9 PID

cd /opt/zimbra/log
rm -rf zmswatch
rm -rf zmswatch.sh

touch zmswatch
touch zmswatch.sh

chattr +i zmswatch
chattr +i zmswatch.sh

crontab -e -u zimbra
edit and remove the last line if exists that call zmswatch.sh
save and exit

and use TOP to see the CPU use.
the load average must be goes down in five minutes.

Thanks
Marcos
SDA Argentina

This will remove active virus but you should fix/remove all the files in jetty folder, that were compromised as the attack vector will remain even if you'll patch with the latest patch.

jme1924 · Postby **jme1924** » Tue May 28, 2019 9:13 pm

Hola a todos.

Una consulta, cuando indican borrar todas los archivos de la carpeta jetty, esto son los que se encuentran en el primer nivel de la carpeta o hay que borrar el contenido completo con subdirectorios también.

Gracias...

Zimbra AJAX Webmail not loading

Re: Zimbra AJAX Webmail not loading

Re: Zimbra AJAX Webmail not loading

Re: Zimbra AJAX Webmail not loading

Re: Zimbra AJAX Webmail not loading

Re: Zimbra AJAX Webmail not loading

Re: Zimbra AJAX Webmail not loading

Re: Zimbra AJAX Webmail not loading

Re: Zimbra AJAX Webmail not loading

Re: Zimbra AJAX Webmail not loading

Re: Zimbra AJAX Webmail not loading

Who is online