CVE-2019-9670 being actively exploited (Hacked Server)

[yeeP6rai]

Yes... Thanks

along with them I found also some .class files with the same basename of .java

I found too .class files)

[srekkas]

What about these files

140975184 380 -rw-r----- 1 zimbra zimbra 387528 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/login_jsp.java
134466281 116 -rw-r----- 1 zimbra zimbra 115258 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/launchZCS_jsp.java
140991166 8 -rw-r----- 1 zimbra zimbra 5248 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/Resources_jsp.java
141005691 8 -rw-r----- 1 zimbra zimbra 4232 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/Boot_jsp.java
141408461 12 -rw-r--r-- 1 zimbra zimbra 11325 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/Offline_jsp.java
141444302 32 -rw-r--r-- 1 zimbra zimbra 31401 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/error_jsp.java
1208114647 32 -rw-r----- 1 zimbra zimbra 29461 Apr 10 11:59 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbraAdmin/org/apache/jsp/public_/admin_jsp.java
1208114649 8 -rw-r----- 1 zimbra zimbra 5248 Apr 10 11:59 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbraAdmin/org/apache/jsp/public_/Resources_jsp.java
1208137772 8 -rw-r----- 1 zimbra zimbra 4232 Apr 10 11:59 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbraAdmin/org/apache/jsp/public_/Boot_jsp.java

[maxxer]

What about these files

I don't know if they're original zimbra files or not, but I think so.

Someone in IRC (can't recall exactly) raised the problem that some Zimbra original JSP file were touched by the infection. And it suggested to use package manager to verify file integrity. While I don't recall if the discussion went on, I found way to do that for Ubuntu and RHEL.

For the first

Code: Select all

apt install debsums
dpkg -l zimbra* | grep ^ii | awk '{print $2}' | xargs debsums -c


for the latter

Code: Select all

rpm -qa zimbra* | xargs rpm -qV - | egrep -E '^.{2}5'


They list all the changed files form the originally installed content. Some changes are legit, but there are changed files which remains unknown to me. Like the _public ones above. On Ubuntu the output is shorter, while on RHEL (8.6) I get really a lot of files (js, zgz, properties...). Wondering if it's really useful

[yeeP6rai]

Code: Select all

rpm -qa zimbra* | xargs rpm -qV - | egrep -E '^.{2}5'


l

some correction

Code: Select all

rpm -qa "zimbra*" | xargs rpm -qV - | egrep -E '^.{2}5'

Output codes:
S = File size changed
M = File mode changed
5 = MD5 checksum changed
L = Symlink changed
U = Owner changed
G = Group changed
T = Modification time changed
c = it is a configuration file that has changed
missing = file is gone.

[Jgarcia]

Hi,

How to know if your server is still vulnerable after apply the patch ?

I read the A Saga of Code Executions on Zimbra post and it mentioned that run a command to check the deserialization RCE (zmprov gs `zmhostname` zimbraMemcachedClientServerList). No value have to be returned, is it true?

Thank you for the information.

[kclo2000]

Other than apply patch, any workaround which can apply to platform.

Some suggestion of filtering "service/proxy" at Proxy Ngnix. Is it enough?
I observed that hacker will place jsp file at mailbox server. If we change the folder ownership of /opt/zimbra/jetty/webapps/zimbra to other user like zimbraweb while the web application runs under zimbra. The zimbra account only has the read/execute permission. Will it prevent hacker on uploading files to platform?

[halfgaar]

I was looking into the possibility of setting HTTP auth on Nginx. It would have to be such that /dav/ is exempt, because Android carddav and caldav can't work with HTTP logins.

/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template is rather complex though.

I may also set up an Nginx proxy on another server.

I will post back when I have something useful.

[tin]

Can anyone give a quick description of how this exploit happens?
Does it require a valid authenticated user to happen?

[phoenix]

Can anyone give a quick description of how this exploit happens?
Does it require a valid authenticated user to happen?

The second and third posts in this thread have some links in them that give you descriptions of this exploit, you should read them.

[maxxer]

Can anyone give a quick description of how this exploit happens?
Does it require a valid authenticated user to happen?

if you have a vulnerable zimbra installation you're vulnerable, you cannot add mitigation (probably only a WAF could do something). there are several links in the thread with full history of the exploit, and also Zimbra blog has references