Did I get compromised by the recent exploit?

knappe01
Posts: 3
Joined: Wed Jul 24, 2019 1:08 pm


Postby knappe01 » Tue Aug 20, 2019 2:51 pm

Hi,

Today I've realised that I'm not able to upload attachments bigger than 500 KB or so to the Zimbra web client.

I always get an error message which translates to "File Upload Fault".

I've tried with smaller JPGs and PDFs and they work. First I checked Zimbra's configuration:

Code:

[zimbra@mail log]$ zmprov gacf | grep zimbraMtaMaxMessageSize
zimbraMtaMaxMessageSize: 10240000
[zimbra@mail log]$  zmprov gacf | grep zimbraFileUploadMaxSize
zimbraFileUploadMaxSize: 10485760
zimbraFileUploadMaxSizePerFile: 2147483648


If I understand correctly, this should not prevent me from uploading 2 MB attachments.

I then read more about the exploit that was actively used some while ago, and some people report that uploading attachments isn't working properly anymore after they were compromised. I'd already patched it when I first heard about it weeks back, but maybe I was too late?

I don't have a file called zmcat, or any suspicious shell scripts, or any executable files at all in /tmp.
I don't have a suspicious crontab entry for /opt/zimbra/lib/zmcheckexpiredcerts; I only have the legit entry for /opt/zimbra/libexec/zmcheckexpiredcerts.
I've even gone through the Perl script to make sure it's okay.

What more can I check to make sure my system is clean?


zimico
Advanced member
Posts: 124
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.12

Re: Did I get compromised by the recent exploit?

Postby zimico » Wed Aug 21, 2019 9:12 am

Dear,

According to the Zimbra wiki, please run the following commands to see if there is any abnormal file/action:

Code:

# su - zimbra

$ zmcontrol -v

$ grep python-requests /opt/zimbra/log/access_log*
$ grep downloads /opt/zimbra/log/access_log* | grep -i jsp

$ ls -lrth /var/tmp/*.sh
$ ls -lrth /opt/zimbra/log/*.sh

$ crontab -l | egrep -i 'zmmailboxdwatch|zmstorewatch'
$ crontab -l | egrep -i '\.sh|\.py'


This wiki content is 3-4 months old; maybe the hackers have already updated their tools...
Regards,
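The checks from the wiki list above, together with the zmcat and zmcheckexpiredcerts checks from the first post, can be run as one script so the result is a single clean/not-clean verdict instead of a series of commands to eyeball. The following is an added example written for this thread, not code from the Zimbra wiki or from either poster. It takes the directories and the crontab output as arguments (on a real host: /opt/zimbra/log, /var/tmp, /tmp and a file holding `crontab -l` run as the zimbra user), and the sample access_log lines and crontab entry it feeds itself are constructed, not captured from a real system. It only covers the indicators named on this page, so a clean result means those specific indicators are absent, nothing more.

```shell
#!/bin/sh
# Added example, not from the Zimbra wiki or this thread. Collects the
# indicator checks discussed above into one function with a pass/fail result.
#
# Usage: check_zimbra_iocs LOGDIR VARTMP TMP CRONFILE
#   LOGDIR   directory holding access_log* files (e.g. /opt/zimbra/log)
#   VARTMP   /var/tmp (dropped *.sh scripts)
#   TMP      /tmp (the zmcat file the first post looked for)
#   CRONFILE a file containing the zimbra user's `crontab -l` output
# Prints one FINDING line per indicator hit; returns 0 if clean, 1 otherwise.
check_zimbra_iocs() {
    logdir=$1 vartmp=$2 tmp=$3 cronfile=$4
    findings=0

    # Scripted requests with the python-requests user agent in the web access log.
    if grep -qs 'python-requests' "$logdir"/access_log*; then
        echo "FINDING: python-requests user agent in $logdir/access_log*"
        findings=$((findings + 1))
    fi

    # Requests for a .jsp under downloads/ in the access log.
    if grep -hs 'downloads' "$logdir"/access_log* | grep -qi 'jsp'; then
        echo "FINDING: downloads/*.jsp request in $logdir/access_log*"
        findings=$((findings + 1))
    fi

    # Shell scripts lying in /var/tmp or in the Zimbra log directory.
    for d in "$vartmp" "$logdir"; do
        for f in "$d"/*.sh; do
            [ -e "$f" ] || continue
            echo "FINDING: shell script $f"
            findings=$((findings + 1))
        done
    done

    # The zmcat file in /tmp mentioned in the first post.
    if [ -e "$tmp/zmcat" ]; then
        echo "FINDING: $tmp/zmcat exists"
        findings=$((findings + 1))
    fi

    # Crontab entries for the watchdog names, for ad-hoc .sh/.py scripts, or for
    # /opt/zimbra/lib/zmcheckexpiredcerts (the legit path is under libexec).
    if grep -Eqis 'zmmailboxdwatch|zmstorewatch' "$cronfile"; then
        echo "FINDING: zmmailboxdwatch/zmstorewatch crontab entry"
        findings=$((findings + 1))
    fi
    if grep -Eqis '\.sh|\.py' "$cronfile"; then
        echo "FINDING: crontab runs a .sh or .py script"
        findings=$((findings + 1))
    fi
    if grep -qs '/opt/zimbra/lib/zmcheckexpiredcerts' "$cronfile"; then
        echo "FINDING: crontab references /opt/zimbra/lib/zmcheckexpiredcerts"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Constructed sample data (not real logs) so the function can be tried offline.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/log" "$demo_dir/vartmp" "$demo_dir/tmp"
cat > "$demo_dir/log/access_log" <<'EOF'
203.0.113.5 - - [20/Aug/2019:10:01:02 +0000] "GET /zimbra/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Aug/2019:10:05:44 +0000] "GET /downloads/index.jsp HTTP/1.1" 200 512 "-" "python-requests/2.22.0"
EOF
printf '0 1 * * * /opt/zimbra/libexec/zmcheckexpiredcerts\n' > "$demo_dir/cron"
check_zimbra_iocs "$demo_dir/log" "$demo_dir/vartmp" "$demo_dir/tmp" "$demo_dir/cron" \
    || echo "indicators present: investigate further"
rm -rf "$demo_dir"
```

The demo data trips two indicators (the python-requests user agent and the downloads/*.jsp request) while the legitimate libexec crontab entry is correctly left alone; on a real host replace the demo directories with the live paths and keep the output for the incident record.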
