Zimbra AJAX Webmail not loading

charneval
Posts: 9
Joined: Sun Jan 15, 2017 7:16 am

Re: Zimbra AJAX Webmail not loading

Postby charneval » Wed May 29, 2019 12:49 pm

Hi.
I have Zimbra version 8.7.1_GA_1670 installed on CentOS 7.
What is the correct patch to apply for this problem?
And how can I install it on my server?

Thanks

Andrea


Marcosebas
Advanced member
Posts: 79
Joined: Tue Sep 13, 2016 11:25 pm

Re: Zimbra AJAX Webmail not loading

Postby Marcosebas » Wed May 29, 2019 1:53 pm

zimbraargentina wrote: The final solution to remove zmswatch is

AS ROOT

ps -faxu   (to see the PID of the process)
kill -9 PID

cd /opt/zimbra/log
rm -rf zmswatch
rm -rf zmswatch.sh

touch zmswatch
touch zmswatch.sh

chattr +i zmswatch
chattr +i zmswatch.sh

crontab -e -u zimbra
edit and remove the last line, if it exists, that calls zmswatch.sh
save and exit

Then use top to watch the CPU use;
the load average must go down within five minutes.

Thanks
Marcos
SDA Argentina


I did this process but it didn't work. zmswatch appears again in /opt/zimbra/log; the process is not running, but something is still modifying the crontab. What else can I do to clean my server?


I have already patched my ZCS.

[zimbra@mailbox ~]$ zmcontrol -v
Release 8.6.0_GA_1153.RHEL6_64_20141215151155 RHEL6_64 FOSS edition, Patch 8.6.0_P14.
Last edited by Marcosebas on Wed May 29, 2019 2:34 pm, edited 1 time in total.
arka_dey
Posts: 3
Joined: Mon Jan 16, 2017 9:46 am

Re: Zimbra AJAX Webmail not loading

Postby arka_dey » Wed May 29, 2019 1:57 pm

We updated the Zimbra version, which also solved the issue.
arnisraido
Posts: 20
Joined: Sat Sep 13, 2014 1:44 am

Re: Zimbra AJAX Webmail not loading

Postby arnisraido » Wed May 29, 2019 3:07 pm

Be aware that the "last line" in the crontab file could be below the bottom of the screen; mine had "hundreds" of empty lines above it, so it is not visible if you only open `crontab -e` in an editor.
Open the crontab and search for "zmwatch" to be sure.
anzigo
Posts: 4
Joined: Thu Sep 22, 2016 1:54 am

Re: Zimbra AJAX Webmail not loading

Postby anzigo » Wed May 29, 2019 3:22 pm

Additionally...

Check for the existence of

/opt/zimbra/lib/zmlogswatch

If it exists, it will be a recently created binary file. Delete it.

However, there will likely be multiple instances already running. To find them, run (then kill all instances):

top -p $(pgrep -d ',' zmlogswatch)


It looks like that /opt/zimbra/lib/zmlogswatch binary was actively adding itself back to the crontab, so you should then clean up or regenerate your Zimbra crontab.
Marcosebas
Advanced member
Posts: 79
Joined: Tue Sep 13, 2016 11:25 pm

Re: Zimbra AJAX Webmail not loading

Postby Marcosebas » Wed May 29, 2019 4:49 pm

I deleted all the files mentioned before and rebuilt the crontab. However, zmswatch keeps reappearing.
bizonek
Posts: 7
Joined: Sat Sep 13, 2014 2:36 am

Re: Zimbra AJAX Webmail not loading

Postby bizonek » Wed May 29, 2019 8:23 pm

Same here; all the solutions that I found in this post and the links only work temporarily.
NE 8.7.11_GA_3800
MaySky
Posts: 24
Joined: Sat Apr 02, 2016 6:57 am

Re: Zimbra AJAX Webmail not loading

Postby MaySky » Wed May 29, 2019 9:31 pm

bizonek wrote: Same here; all the solutions that I found in this post and the links only work temporarily.
NE 8.7.11_GA_3800

I can't tell you the direct solution, but I can tell you what I did to resolve my problem:
0) Backed up everything.
1) Applied the patch needed to resolve this security issue in future. (The patch only patches Zimbra; it won't restore normal Zimbra files that were changed by an attacker.)
2) Stopped Zimbra using "zmcontrol stop" as the zimbra user.
3) Did "ps aux | grep zimbra" to see all the processes still running as the zimbra user and killed them with "kill processid".
4) Deleted everything from cron for the zimbra user ("crontab -e -u zimbra" as root).
5) Installed the same version of Zimbra on ANOTHER server and copied the content of /opt/zimbra/jetty-distribution-9.3.5.v20151012 (in your case this may be a different folder) to the same folder on my production server. Be sure to preserve file and folder permissions to make everything work.
6) Started Zimbra with "zmcontrol start" as the zimbra user.
7???) I don't know whether this is OK, but Zimbra didn't start normally and asked for the keystore file, so I moved this file from backup to its location at /opt/zimbra/jetty-distribution-9.3.5.v20151012/etc/keystore and restarted Zimbra. Maybe you won't face this problem.

The main problem was having to clean the content of cron for the zimbra user from time to time while going through all the steps, as it was restored by the virus. The active virus restored cron, and cron ran the virus again, so the 3rd and 4th steps should be done very quickly and you should check everything many times.

The exact steps depend on the version of Zimbra, so you need some Linux skills to resolve your situation.

Also remove any unknown user accounts, change the mail server admin password, and remove everything unknown in the /opt/zimbra/log and /tmp/ folders.
Then restore the Zimbra cron as per the instructions.

Tested on 8.7.11 P11: 2+ days uptime and no more viruses.

Good luck, my friend.
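MaySky's step 5 (copy the jetty distribution from a fresh install of the same version over the production one, permissions preserved) replaces a whole directory to get rid of whatever the intruder edited or dropped. The script below is an added example, not code from this thread or from Zimbra: it compares a known-good tree against the production tree and lists only the files that differ, are extra, or are missing, so you can see exactly what was tampered with before (or instead of) overwriting everything. It assumes you have a clean install of the same ZCS release on another host and have transferred its tree (or a copy of the relevant directory) next to the production one; the paths in the usage comment are placeholders.

```bash
#!/usr/bin/env bash
# Added example: find files that differ between a known-good Zimbra tree and
# the production one, so you replace only what the intruder touched instead of
# copying a whole jetty-distribution directory blind. Not Zimbra tooling.
set -u

# sum_file <file>: SHA-256 hex digest, with a fallback for hosts that lack
# GNU coreutils' sha256sum.
sum_file() {
    { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | cut -d' ' -f1
}

# rel_files <dir>: relative paths of every regular file under <dir>, sorted
# bytewise so the report order is stable across locales.
rel_files() {
    (cd "$1" && find . -type f | sed 's|^\./||' | LC_ALL=C sort)
}

# tree_diff <clean-dir> <prod-dir>: one line per difference.
#   CHANGED p   content differs from the clean copy (patched .jar, edited .jsp)
#   EXTRA   p   only in production (dropped webshell, attacker's binary)
#   MISSING p   only in the clean copy (deleted or renamed by the intruder)
# Prints nothing when the two trees are identical.
tree_diff() {
    local clean="$1" prod="$2" rel
    rel_files "$prod" | while IFS= read -r rel; do
        if [ ! -e "$clean/$rel" ]; then
            printf 'EXTRA   %s\n' "$rel"
        elif [ "$(sum_file "$clean/$rel")" != "$(sum_file "$prod/$rel")" ]; then
            printf 'CHANGED %s\n' "$rel"
        fi
    done
    rel_files "$clean" | while IFS= read -r rel; do
        [ -e "$prod/$rel" ] || printf 'MISSING %s\n' "$rel"
    done
}

# recent_files <dir> <days> [glob]: files modified within the last <days>
# days, optionally filtered by name. Useful for a quick look at freshly
# dropped JSPs in the webapps tree when no clean copy is at hand yet.
recent_files() {
    local dir="$1" days="$2" pat="${3:-*}"
    find "$dir" -type f -name "$pat" -mtime "-$days" | LC_ALL=C sort
}

# Usage (placeholder paths; the clean copy comes from a fresh install of the
# same ZCS release on another host, transferred with e.g. rsync -a so that
# ownership and permissions survive, as MaySky's step 5 requires):
#   tree_diff /srv/clean/jetty-distribution-9.3.5.v20151012 \
#             /opt/zimbra/jetty-distribution-9.3.5.v20151012
#   recent_files /opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps 14 '*.jsp'
```

Review the CHANGED and EXTRA entries by hand before deleting anything: a legitimately patched .jar will show up as CHANGED if the clean host is not at exactly the same patch level, which is why the lead-in insists on the same release.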
JDunphy
Outstanding Member
Posts: 494
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 8.7.11_P14 RHEL6 Network Edition

Re: Zimbra AJAX Webmail not loading

Postby JDunphy » Wed May 29, 2019 9:40 pm

bizonek wrote: Same here; all the solutions that I found in this post and the links only work temporarily.
NE 8.7.11_GA_3800

I am not familiar with Zimbra numbers, but hopefully you mean you are at 8.7.11 + patch 11.

# su - zimbra
% zmcontrol -v
Release 8.7.11_GA_1854.RHEL6_64_20170531151956 RHEL6_64 NETWORK edition, Patch 8.7.11_P11.

You might try this to see how bad it is... first fix the crontab. Next do this as root.

# ls -l /var/spool/cron/zimbra
-rw------- 1 zimbra zimbra 3759 Apr  7 08:39 /var/spool/cron/zimbra
# chattr +i /var/spool/cron/zimbra

Wait... if the crontab changes, they have root and are doing chattr -i themselves.
To put things back so the zimbra crontab can be written again, do this:

# chattr -i /var/spool/cron/zimbra

Why? The attacker's scripts had been running as the zimbra user, so they would not be able to update zimbra's crontab if you made it immutable. Even root can't overwrite that file until that attribute is removed.

% su -
[root@tmail ~]# touch /tmp/jk1
[root@tmail ~]# chattr +i /tmp/jk1
[root@tmail ~]# rm /tmp/jk1
rm: cannot remove `/tmp/jk1': Operation not permitted
[root@tmail ~]# chattr -i /tmp/jk1
[root@tmail ~]# rm /tmp/jk1

The command /usr/bin/crontab is setuid root, so changing the permissions to read-only on the zimbra crontab file wouldn't prevent that command from overwriting your crontab. That was discussed in the pinned thread about this exploit when it first came out. By now the attack continues to get more sophisticated, so it's becoming more difficult to help without more information. I would love to see some output from pstree and perhaps the find that was posted looking at JSPs. I also don't know what OS you are running, but guessing Ubuntu? I am posting paths for CentOS/RHEL 6 in case things don't exactly match up.
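The posts above describe the same triage by hand: look for zmswatch and zmswatch.sh under /opt/zimbra/log and /opt/zimbra/lib/zmlogswatch, find the running instances with pgrep, hunt for the re-added crontab entry (which, as arnisraido notes, can sit below hundreds of blank lines), and use chattr +i on the spool file to learn whether the thing rewriting the crontab is still running as zimbra or already has root. The script below gathers those checks into read-only helper functions. It is an added example, not code from this thread or from Zimbra; the only indicator pattern it knows is the two names posted here, and the crontab spool path is the RHEL/CentOS 6 one JDunphy uses.

```bash
#!/usr/bin/env bash
# Added triage helpers for the zmswatch/zmlogswatch indicators discussed in this
# thread. Not Zimbra tooling. Run as root on the affected host; every function
# is read-only, so review its output before you kill or delete anything.
set -u

# Regex for the artifact names posted in the thread. Add more as you find them.
IOC_RE='zm(log)?swatch'

# cron_iocs <crontab-file>: print matching crontab entries with their real line
# numbers. Read the spool file directly (/var/spool/cron/zimbra on RHEL/CentOS,
# /var/spool/cron/crontabs/zimbra on Debian/Ubuntu) rather than scrolling
# through `crontab -e`, where the entry can hide below hundreds of blank lines.
cron_iocs() {
    grep -nE "$IOC_RE" "$1" || true
}

# cron_blank_lines <crontab-file>: count blank lines; a large number is itself
# a sign that someone padded the file to push an entry out of view.
cron_blank_lines() {
    grep -cE '^[[:space:]]*$' "$1" || true
}

# cron_immutable <crontab-file>: succeed if the file carries the 'i' flag
# (chattr +i). If the file still changes while immutable, the change did not
# come from the zimbra user: something with root removed the flag first.
cron_immutable() {
    lsattr "$1" 2>/dev/null | awk '{ print $1 }' | grep -q 'i'
}

# proc_iocs: read `ps aux` output on stdin and print the PIDs of matching
# commands as a comma-separated list, ready for `top -p` or `kill`.
# The regex is assembled inside awk from two pieces so that the awk process's
# own command line never matches it (the classic `ps | grep foo` self-match).
proc_iocs() {
    awk 'BEGIN { re = "zm" "(log)?swatch" }
         NR > 1 && $0 ~ re { sep = (pids == "") ? "" : ","; pids = pids sep $2 }
         END { print pids }'
}

# file_iocs [root]: list the artifact paths from the thread that exist under
# <root> (default: the live filesystem). Returns 1 if any are present.
file_iocs() {
    local root="${1:-}" found=0 p
    for p in /opt/zimbra/log/zmswatch \
             /opt/zimbra/log/zmswatch.sh \
             /opt/zimbra/lib/zmlogswatch; do
        if [ -e "$root$p" ]; then
            printf '%s\n' "$root$p"
            found=1
        fi
    done
    return "$found"
}

# Typical live run (as root):
#   cron_iocs /var/spool/cron/zimbra; cron_blank_lines /var/spool/cron/zimbra
#   cron_immutable /var/spool/cron/zimbra && echo "crontab is chattr +i"
#   ps aux | proc_iocs          # then: kill -9 $(ps aux | proc_iocs | tr , ' ')
#   file_iocs                   # then chattr -i any hit that was made immutable
```

Kill the processes before removing the files and the crontab line, and re-run all three checks a few minutes later: several posters in this thread report the artifacts coming back, and a clean second pass is the only evidence that the re-creating process is really gone.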
Marcosebas
Advanced member
Posts: 79
Joined: Tue Sep 13, 2016 11:25 pm

Re: Zimbra AJAX Webmail not loading

Postby Marcosebas » Thu May 30, 2019 4:28 am

I have my Zimbra 8.6 with the last patch that I downloaded from Zimbra's site, patch 14. My OS is Red Hat 6.6. The server is patched, but what can I do to remove this script?

Thanks for any help.
