Do a quick search under the usual jetty folders:
find /opt/zimbra/jetty/ -type f -name *jsp -mtime -30
If you find files like:
you’re actually hacked.
Unlike the previous “zmcat” and “dblaunchs” that actually exploit the vuln and load some sh*t this looks like a bad childish attack. It seems that they delete some files under jetty dir, don’t know why.
The attack vector is the same, but, there are no strange processes, there is no persistence.
- Get the package of your version. In our case was an unpatched 8.6
- Extract the package, find the store rpm or deb. In our case was zcs-NETWORK-8.6.0_GA_1153.UBUNTU14_64.20141215151218/packages/zimbra-store_8.6.0.GA.1153.UBUNTU14.64_amd64.deb
- Get into the rpm or the package (midnight commander allows browsing deb & rpm) and navigate to the correspondent jetty/webapps/zimbra/public folder
- Replace the old public folder with the public folder from the package
- Patch immediately. You modified some files that will be patched so, if you installed some patch before, use ./installPatch.sh –force, to avoid zimbra version control
Here’s the patch file download link:
Install the Patch
Note: This patch should be installed on all nodes running in your environment.
1. Before you begin, confirm you have the following:
Zimbra Collaboration 8.6.0 GA installed
Zimbra Collaboration 8.6.0 Patch8 TGZ file
2. Copy the patch.tgz file(s) to your server.
3. Install Zimbra Collaboration 8.6.0 Patch8
a. Log in as root and cd to the directory where the tar file is saved. Type
tar xzf zcs-patch-8.6.0_GA_XXX.tgz cd zcs-patch-8.6.0_GA_XX
b. As root, install the patch. Type
c. Switch to user zimbra
su – zimbra
d. ZCS must be restarted to changes to take effect. Type
Note: For users who have the web-client open and are running the FOSS edition, the refresh notice mightstate that you have changed to the NETWORK Edition; however, your feature set will remain FOSS only.