
Thread: zimbra 0-day

#31 nrc (Active Member, Columbus, OH)

    Quote Originally Posted by ljramos:
    I have the same issue. Is there a patch/fix for version 6.0_16?
    Zimbra 6 was end of life as of September (and end of support a year before that), so you'll have to upgrade to get a fix. You might be able to use the nginx workaround noted in the security guidance post linked above as a stop-gap.
    Last edited by nrc; 12-31-2013 at 02:02 AM.

#32 mmessina (New Member)

    Anyone have an easy way to isolate the new users? My Zimbra install that was compromised has several hundred accounts, and while I sorted by most recent, I was unable to find the offending account.

#33 liverpoolfcfan (Outstanding Member, Dublin, IRELAND)

    Maybe a simple select on the mailbox table; by default it should increment the id for each new user, so a simple select will show the accounts in the order they were created. You can look from the bottom up for the most recently created accounts.
    su - zimbra
    mysql
    use zimbra;
    select * from mailbox;

#34 Klug (Moderator, Beaucaire, France)

    I've seen a couple of compromised servers (6.x).
    The compromising IP seems to be the same as the one seen earlier in this thread: 179.43.141.149.

#35 mmessina (New Member)

    So I deal with the initial threat: clear out said server of the zimlet in question and the corrupted admin account, presumably add this guy's IP to our bad-guys list of IPs to block...

    and come back today to find *TWO* servers now compromised.

    Turns out the more senior engineer was mistaken about the firewall's config re: Zimbra. Fantastic. iptables time.
    The servers which were compromised were patched, by the way, using the nginx method a previous poster linked to. So this time, I saw something more concerning when I found the newly installed zimlet "com_zimbra_example_simplejspaction2".

    The code file was called xd.jsp, obviously indicating the humor the user felt at such an easy hack.
    XD = huge laughing smile with eyes closed, for those who didn't know.

    I can't quite make out exactly how entry was achieved this time; as stated before, I turned off the LFC loophole by closing it within nginx (verified it's no longer accessible).

    This time the audit log for the one server (Release 7.1.0_GA_3140.UBUNTU10_64 UBUNTU10_64 FOSS edition) only showed this:
    2014-01-01 12:38:57,735 INFO [btpool0-15://XXXXXXXX:7071/service/admin/soap] [name=zimbra;ip=179.43.141.149;] security - cmd=AdminAuth; account=zimbra;
    2014-01-01 12:38:57,772 INFO [btpool0-15://XXXXXXXX:7071/service/admin/soap] [name=zimbra;ip=179.43.141.149;] security - cmd=Auth; account=zimbra; protocol=soap;
    2014-01-01 19:41:49,954 INFO [btpool0-15://XXXXXXXX:7071/service/admin/soap] [name=zimbra;ip=179.43.141.149;] security - cmd=AdminAuth; account=zimbra;
    2014-01-01 19:41:50,002 INFO [btpool0-15://XXXXXXXX:7071/service/admin/soap] [name=zimbra;ip=179.43.141.149;] security - cmd=Auth; account=zimbra; protocol=soap;

    Same thing on the original server that got hacked ( Release 8.0.2.GA.5569.UBUNTU12.64 UBUNTU12_64 NETWORK edition.):
    179.43.141.149 - - [31/Dec/2013:21:25:36 +0000] "POST /service/admin/soap HTTP/1.1" 200 487 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" 2
    179.43.141.149 - - [31/Dec/2013:21:25:36 +0000] "POST /service/admin/soap HTTP/1.1" 200 27498 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" 4


    At this point I can't tell what hack they used to get in and am not really sure what I need to do to secure against it, should said person use a different IP than the 179 one they've been working nearly exclusively from. The big problem here is that the chief engineer is out on vacation until next week, and I'm not authorized to begin server upgrades since we need to set up a maintenance window, etc., for them.
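The pattern in the audit.log lines quoted above (AdminAuth/Auth against the :7071 admin SOAP endpoint from one external IP) is easy to pull out of a whole log mechanically. The script below is an added example written for this page, not code from the thread or from Zimbra. It assumes the audit.log line layout shown in post #35; the allow-list of management hosts, the 10.0.0.5 and 198.51.100.9 lines, and the mail.example.test host name are constructed for the example. It only handles audit.log "security" lines, not the nginx access.log lines also quoted above.

```python
# Added example (not code from the thread): flag admin SOAP authentications in
# Zimbra's audit.log that come from source IPs outside an allow-list.
# Line layout follows the audit.log excerpts quoted in post #35; the allow-list,
# the 10.0.0.5 / 198.51.100.9 lines and the host name are constructed.
import re
from collections import Counter
from datetime import datetime

AUDIT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+INFO\s+"
    r"\[(?P<thread>[^\]]*)\]\s+\[(?P<ctx>[^\]]*)\]\s+security - (?P<fields>.*)$"
)

ADMIN_PATH = ":7071/service/admin/soap"  # admin SOAP endpoint seen in the thread's logs


def _kv(text):
    """Split 'a=b; c=d;' style text into a dict with stripped keys and values."""
    out = {}
    for part in text.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip()] = v.strip()
    return out


def parse_audit_line(line):
    """Return a dict for one 'security' audit line, or None if it does not match."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    ctx, fields = _kv(m.group("ctx")), _kv(m.group("fields"))
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "ip": ctx.get("ip"),
        "cmd": fields.get("cmd"),
        "account": fields.get("account"),
        "admin_endpoint": ADMIN_PATH in m.group("thread"),
    }


def suspicious_admin_auths(lines, allowed_ips):
    """Auth/AdminAuth events on the admin endpoint whose source IP is not allow-listed."""
    hits = []
    for line in lines:
        ev = parse_audit_line(line)
        if ev is None or not ev["admin_endpoint"]:
            continue
        if ev["cmd"] in ("AdminAuth", "Auth") and ev["ip"] not in allowed_ips:
            hits.append(ev)
    return hits


def summarize(events):
    """Count events per (source IP, account) so a single offending IP stands out."""
    return Counter((e["ip"], e["account"]) for e in events)


# Constructed sample: the four lines from post #35 plus two benign lines.
SAMPLE_LOG = """\
2014-01-01 09:02:11,004 INFO [btpool0-3://mail.example.test:7071/service/admin/soap] [name=admin@example.test;ip=10.0.0.5;] security - cmd=AdminAuth; account=admin@example.test;
2014-01-01 12:38:57,735 INFO [btpool0-15://XXXXXXXX:7071/service/admin/soap] [name=zimbra;ip=179.43.141.149;] security - cmd=AdminAuth; account=zimbra;
2014-01-01 12:38:57,772 INFO [btpool0-15://XXXXXXXX:7071/service/admin/soap] [name=zimbra;ip=179.43.141.149;] security - cmd=Auth; account=zimbra; protocol=soap;
2014-01-01 19:41:49,954 INFO [btpool0-15://XXXXXXXX:7071/service/admin/soap] [name=zimbra;ip=179.43.141.149;] security - cmd=AdminAuth; account=zimbra;
2014-01-01 19:41:50,002 INFO [btpool0-15://XXXXXXXX:7071/service/admin/soap] [name=zimbra;ip=179.43.141.149;] security - cmd=Auth; account=zimbra; protocol=soap;
2014-01-01 20:00:01,100 INFO [btpool0-7://mail.example.test:443/service/soap] [name=bob@example.test;ip=198.51.100.9;] security - cmd=Auth; account=bob@example.test; protocol=soap;
"""

ALLOWED_ADMIN_IPS = {"10.0.0.5"}  # constructed: the management hosts you expect to see

if __name__ == "__main__":
    hits = suspicious_admin_auths(SAMPLE_LOG.splitlines(), ALLOWED_ADMIN_IPS)
    for (ip, acct), n in summarize(hits).most_common():
        print(f"{ip:16} {acct:12} {n} admin auth(s) from outside the allow-list")
```

Run it against `/opt/zimbra/log/audit.log` by feeding the file's lines to `suspicious_admin_auths`; the allow-list is the key design choice, since a successful `AdminAuth` for the built-in `zimbra` account from anywhere you do not administer from is the event worth paging on, whatever the attacker's IP is that day.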

#36 lindsey (Senior Member, Urbana-Champaign, IL)

    To those of you fixing affected systems, don't forget to reset your LDAP and MySQL passwords.

    On a different note, what's the best way to find out about vulnerabilities? There's nothing on the Twitter or Facebook pages, and no emails were received at the account registered to the forums. It's obviously not very efficient to keep checking the forums regularly for security issues.

#37 BobyMike (New Member)

    Quote Originally Posted by mmessina:
    Anyone have an easy way to isolate the new users? My Zimbra install that was compromised has several hundred accounts, and while I sorted by most recent, I was unable to find the offending account.
    @mmessina:
    Yes, for me it was very simple to do the following:

    su zimbra
    zmaccts

    This will show you the accounts with the Created and Last Logon dates. Hope it will help you. It didn't help me because I found no newly created account.
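Both post #33 (mailbox table in id order) and post #37 (`zmaccts`) answer the same question: which accounts appeared after the compromise began. With several hundred accounts the `zmaccts` listing is still tedious to read by eye, so the script below, an added example written for this page rather than code from the thread or from Zimbra, parses saved `zmaccts` output and lists the accounts created inside an incident window, newest first. The column layout (account, status, created, last logon; dates as MM/DD/YY HH:MM, "never" for no logon) is assumed from `zmaccts` output, and the sample listing and account names are constructed.

```python
# Added example (not code from the thread): list accounts created during an
# incident window from saved `zmaccts` output.  Column layout and date format
# are assumptions about zmaccts; the sample listing below is constructed.
import re

ROW_RE = re.compile(
    r"^(?P<account>\S+@\S+)\s+(?P<status>\S+)\s+"
    r"(?P<created>\d{2}/\d{2}/\d{2} \d{2}:\d{2})\s+"
    r"(?P<last_logon>\d{2}/\d{2}/\d{2} \d{2}:\d{2}|never)\s*$"
)


def _sort_key(text):
    """Turn 'MM/DD/YY HH:MM' into a (YY, MM, DD, HH, MM) tuple; None for 'never'."""
    if text == "never":
        return None
    date, clock = text.split(" ")
    mm, dd, yy = (int(x) for x in date.split("/"))
    hh, mi = (int(x) for x in clock.split(":"))
    return (yy, mm, dd, hh, mi)


def parse_zmaccts(text):
    """One dict per account row; header, rule and domain-summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({
                "account": m.group("account"),
                "status": m.group("status"),
                "created": m.group("created"),
                "last_logon": m.group("last_logon"),
            })
    return rows


def accounts_created_since(text, since):
    """Accounts created at or after `since` ('MM/DD/YY HH:MM'), newest first."""
    cutoff = _sort_key(since)
    new = [r for r in parse_zmaccts(text) if _sort_key(r["created"]) >= cutoff]
    return sorted(new, key=lambda r: _sort_key(r["created"]), reverse=True)


# Constructed sample in the assumed zmaccts layout.
SAMPLE_ZMACCTS = """\
           account                          status             created       last logon
------------------------------------------   -----------   --------------------   --------------------
admin@example.test                           active        03/05/12 10:15       01/02/14 08:17
alice@example.test                           active        04/11/12 09:30       12/30/13 17:02
bob@example.test                             active        06/20/13 11:45       never
helpdesk2@example.test                       active        12/31/13 21:26       01/01/14 12:39
svc-monitor@example.test                     active        01/01/14 19:42       01/01/14 19:43
spam@example.test                            closed        01/15/13 08:00       never

                                        domain summary

     domain                  active    closed   locked   maintenance    total
--------------------------   --------  -------  -------  -----------  --------
example.test                        5        1        0            0         6
"""

if __name__ == "__main__":
    # Cutoff: the earliest admin SOAP hit in the thread's logs (31 Dec 2013).
    for r in accounts_created_since(SAMPLE_ZMACCTS, "12/31/13 00:00"):
        print(f"{r['created']}  {r['account']:28} last logon: {r['last_logon']}")
```

Capture the listing with `su - zimbra -c zmaccts > /tmp/accts.txt` and pass the file's contents to `accounts_created_since`. As BobyMike found, an empty result is itself useful: it tells you the attacker reused an existing account (the `zimbra` admin account in post #35's logs) rather than creating one, so the next place to look is the admin audit log, not the account list.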

#38 BloodyIron (Senior Member)

    Thanks for this thread guys!

    I had a compromised system, but I thought they had got in another way; I've been wrestling with it on and off for weeks.

    I'm pretty sure this has isolated the issue, as they never made elevated accounts on the local system, only ever one email account. They did run a lot of coin miners, omg that was annoying.

    I saw two additional zimlets though, email_dns and backup (I think those were the ones). I determined these weren't included by comparing dates and against another Zimbra server (which is known to be clean) which didn't have the zimlets.

    Now running 8.0.6 OSE ;o Thanks admins/devs!
