Posts Tagged ‘hacking’

Zimbra < 8.0.6 Web Exploit, Bitcoin Slavery and Securing /tmp/

You may have noticed a bitcoin miner chugging along on your Zimbra server.

Doing a little searching, it seems you’re not cool if you haven’t.

A serious vulnerability (CVE-2013-7091) in the administration web interface was patched with the release of version 8.0.6. The flaw was subsequently discovered, and a PoC was crafted, released by rubina119 and marketed as 0day. While there has been some argument over whether that stretches the definition, I’m sad to say it was 0dh3y enough for me and countless other lazy buggers that never update their Zimbra. Go team!

If you were like me, you might have seen something like this:

top - 17:56:57 up 93 days, 15:06,  1 user,  load average: 6.09, 5.90, 5.87
 4489 zimbra    20   0  458m 2184  920 S 255.4  0.1   7731:52 minerd64

And you may have found this:

# lsof -i | grep minerd64
minerd64  4489  zimbra    4u  IPv4 47747967      0t0  TCP localhost:65535-> (ESTABLISHED)

# whois
% This is the RIPE Database query service.
org-name:       MediaServicePlus Ltd.
org-type:       LIR
address:        Novorogozhskaya 32c3, 212
address:        109029
address:        Moscow
address:        RUSSIAN FEDERATION

Well, OBVIOUSLY Russians. Right?

Then this:

# ls /tmp/
1  a  b  minerd32  minerd32.1  minerd32.2  minerd32.3  minerd32.4  minerd64  minerd64.1  minerd64.2  minerd64.3

And three of these things are not like the others:

# ls -lsah /opt/zimbra/zimlets-deployed/
total 84K
4.0K drwxr-xr-x. 21 zimbra zimbra 4.0K Jan 21 01:34 .
4.0K drwxr-xr-x. 51 zimbra zimbra 4.0K Aug 18 15:59 ..
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_adminversioncheck
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_attachcontacts
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_attachmail
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_bulkprovision
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_cert_manager
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_clientuploader
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_date
4.0K drwxr-x---.  4 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_email
4.0K drwxr-x---   2 zimbra zimbra 4.0K Jan 21 01:34 com_zimbra_email_dns
4.0K drwxr-x---   2 zimbra zimbra 4.0K Dec 28 05:26 com_zimbra_example_simplejspaction
4.0K drwxr-x---   2 zimbra zimbra 4.0K Dec 31 16:37 com_zimbra_example_simplejspaction2
4.0K drwxr-x---.  4 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_phone
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_proxy_config
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_srchhighlighter
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_tooltip
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_url
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_viewmail
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_webex
4.0K drwxr-x---.  3 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_ymemoticons
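An added example, not part of the original post: the odd directories in the listing above carry dates that differ from the 2013 date shared by the rest, and a short script can flag such outliers. The function name is hypothetical, the most common date is assumed to be the install baseline, and GNU find is required.

```shell
#!/bin/sh
# Added example: flag zimlet directories whose modification date differs
# from the date shared by most of their siblings.
# Assumes GNU find (-printf) and directory names without spaces.

# odd_zimlets DIR -> prints "YYYY-MM-DD name" for each outlier, sorted.
odd_zimlets() {
    dir=$1
    find "$dir" -mindepth 1 -maxdepth 1 -type d -printf '%TY-%Tm-%Td %f\n' |
    awk '
        { date[$2] = $1; count[$1]++ }
        END {
            # The most common date is taken as the install baseline.
            for (d in count) if (count[d] > best) { best = count[d]; base = d }
            # Everything deployed on another day needs a human look.
            for (name in date) if (date[name] != base) print date[name], name
        }' | sort
}

# Stand-alone use: scan the directory from the post when it exists.
if [ -d /opt/zimbra/zimlets-deployed ]; then
    odd_zimlets /opt/zimbra/zimlets-deployed
fi
```

A zimlet you deployed yourself after installation will also be listed, so treat the output as a review list rather than a verdict.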

This is the order in which I recommend fixing things:

  • Locate and delete any unusual zimbra admin accounts.
  • Stop zimbra.
  • killall minerd32 minerd64
  • Clear /tmp/
  • Mount /tmp/ as tmpfs with nodev,nosuid,noexec to prevent any future executables from running in your /tmp/ directory
  • Delete the bad zimlets
  • Make a backup
  • Download 8.0.6
  • Do an upgrade. Don’t forget the installer’s annoying flags like --platform-override and -x.
  • Reset your LDAP and MySQL passwords.
  • Restart zimbra.
  • Check for any additional gifts that may have been left behind.
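For the /tmp/ step in the list above, an added example (not from the original post) that checks whether a mount point actually carries the three options. The function name is hypothetical and the input is assumed to be in /proc/mounts format.

```shell
#!/bin/sh
# Added example: verify the /tmp hardening recommended in the list above.
#
# A matching /etc/fstab entry looks like:
#   tmpfs  /tmp  tmpfs  nodev,nosuid,noexec  0 0
# An already mounted /tmp can be tightened without a reboot:
#   mount -o remount,nodev,nosuid,noexec /tmp

# missing_mount_opts MOUNTPOINT [MOUNTS_FILE]
# Prints the required options that are absent, space separated (empty when
# all are present), or "not-mounted" if MOUNTPOINT is not its own mount.
# MOUNTS_FILE defaults to /proc/mounts: device mountpoint fstype options ...
missing_mount_opts() {
    mp=$1
    mounts=${2:-/proc/mounts}
    awk -v mp="$mp" -v want="nodev nosuid noexec" '
        $2 == mp { found = 1; opts = $4 }   # a later mount shadows an earlier one
        END {
            if (!found) { print "not-mounted"; exit }
            n = split(opts, have, ",")
            for (i = 1; i <= n; i++) present[have[i]] = 1
            m = split(want, w, " ")
            out = ""
            for (i = 1; i <= m; i++)
                if (!(w[i] in present)) out = out (out ? " " : "") w[i]
            print out
        }' "$mounts"
}

# Usage: missing_mount_opts /tmp
```

Note that /proc/mounts lists the mount point as /tmp, without a trailing slash.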

Obviously, you should have your admin interface listening on a private IP or restricted port wherever possible. Where it isn’t, you might like to add some additional layer of security, for example HTTP auth.

This whole thing has me interested in Bitcoin mining again; I’ve got all sorts of servers that are mostly unused I’m not paying the hydro for. :p

At least we found something cute this time like hash crunching instead of something destructive like spamming or DoS. Right guys?

o/~ You’ve got to e-li-minate the negative… o/~

Zero Day in Action: SolusVM, Robert Clarke and Juicy Allegations of Corporate Cyberwar

If you’re tuning in today you have the opportunity to watch a zero-day attack and response in action.

In the last 12 hours I’ve received a message from two different VPS providers explaining that they’ve taken down their SolusVM web-based VM management software due to a severe vulnerability:

Hello guys,

we learned about a nasty security leak in solusVM today and we decided to switch the SolusVM admin-panel off.
We hope that Solus as the company will soon release a patch that will fix most recent leaks as this is not the first one today.

Please check our status-page at for updates.

A couple of providers have already been hacked and their clients’ data and passwords have been leaked or entire hosting-platforms have been wiped. That’s why we decided to shutdown the panel as a preventive measure. If you need reinstalls or reboots, just submit a ticket – we will try to help as fast as we can. We’d like to point out to the fact that this is not a technical flaw on our side.

Thanks a lot for your understanding!


It has come to our attention that SolusVm (the VPS control panel) may have some exploitable vulnerabilities which we are not aware of.
As a precaution we turned off our SolusVM panel until a fix is released.
This is not the previous central backup vulnerability which we were patched against, but allegedly newly discovered vulnerabilities that are about to be disclosed soon.
What does this mean for you:
1. No data is lost.
2. The VPSes themselves are up and running (unless unrelated incidents happen)
3. You can connect using SSH or your control panel, however, the console is part of solus and won’t be available, so be careful not to get locked out of SSH for the next day or so.
4. Provisioning of new VPSes, while technically possible, if done outside solus might result in various dysfunctionalities, therefore you can opt for a refund or wait until we think it is safe enough to re-enable solus.
5. Billing panels are still available, but we are limited in what we can do. We use solus too for many tasks, but we will try our best to help you, so log a ticket if you need help.
6. There has been no database leak, no other compromise of any data and solus itself does not store those anyway except some basic things like name and IPs.
7. The billing panels take their data from Solus (traffic consumed, VM status) and is doing any action such as reboot, shutdown through solus too, therefore these functions will not be available and your VPS will appear as offline, when in fact it is not, use SSH for any urgent tasks you may have.
8. While your data is intact and VMs have not been touched, please remember we offer free FTP space and do a backup for the data you think is important enough to be saved. We are an unmanaged host and may or may not have back-ups in case of a disaster like a major hack, an earthquake or fire, for example. Biz plans benefit from offsite backups too.
9. We are using third party software (it is impossible not to, even linux kernel is a third party software we have no control of) and we are dependent on the respective vendors to keep their software secure, therefore, in spite of our best efforts (and this is valid for everyone) we cannot be immune to hacks. Nobody is, so, one more reason to keep recent backups.

We are sorry for these problems, unfortunately, since we can’t do anything to fix them, we choose to turn off the vulnerable software until a fix is released.
We will try to keep you updated here:

This is, as you can see, valid for other problems, as well.

Thank you for our understanding and support !


domVPS has also apparently shut down their SolusVM portal but has not yet issued a statement by e-mail.

You can watch Soluslabs’ response on their blog. So far a fix has been released for one vulnerability but at least one other has popped up:

We are aware of the current rumours regarding a further security issue with SolusVM as well as some snippets of code. We have been working hard to audit all of the SolusVM code to find any further potential security issues that may pose a threat.

At this moment we have been unable to locate any problems however we are continuing to search for any possible attack vectors. We have received a few blocks of code from some customers that are currently being reviewed. Should any issues be identified a patch will be released immediately along with further announcement.

In the meantime, we do not believe there to be any immediate threat to customers.

Further updates will be provided within the coming hours.

Thank you for your patience and continued support.

I sympathize. These poor buggers are going to endure a lot of ball-breaking and code sifting.

Unfortunately, Soluslabs doesn’t seem to be planning on releasing details of the exploit for another few days.

Fortunately, we don’t have to rely on them. From LEB:

Today has been an unfortunate day for many hosts and indeed a shocking eye-opener for anyone using SolusVM to offer VPS’ to the public. Earlier on today the website reported on a shocking SolusVM exploit that affects every SolusVM version – the now defunct/unused file centralbackup.php contained multiple blunders including SQL Injection, direct exec()ution of any command, and access to the SolusVM server-side binary which can execute any command. Unfortunately for hosts this was a surprise to say the least, and one of the first to be targeted seems to be RamNode.

An announcement from RamNode was soon released and it was confirmed that Robert Clarke, founder of ServerCrate, was behind the initial breach of security at RamNode via the exploit. “As you are all aware, this has been a nightmare for [us]. Robert Clarke ran the SolusVM exploit on our control panel early this morning. Someone, him or else, then logged into several nodes and wiped the data.”

Members of LowEndTalk did post findings that correlate with the above statement that Robert Clarke was behind the attack/intrusion. Evidence such as IP-matches & even confirmation that the IP was indeed Robert’s home network (via the welcome page for a HP media server which clearly stated “Robert’s Pictures” with the hostname ‘’) – not especially good news considering Robert’s previously dubious history and not so great reputation in the industry. While Robert has admitted to the initial “testing” of the exploit he still protests his innocence and vehemently denies doing any of the damage. *Update* Robert has admitted to perpetrating it to several different people. It also appears he targeted BuyVM.

Now that’s just a good story.

At present, LowEndTalk (the forum cited above) is down. Whether that means it is hosted on a VPS at an affected provider, or it has earned the ire of its many DoS-keen members for burning Clarke, is not yet known.

Before anyone gets out the pitchforks, let’s heed this LEB commenter’s wise words:

Now that everyone has all but burnt Robert at the stake, it is worth considering that this exploit appeared on the net to be then immediately broadcast in many locations, not least the home of the child VPS provider and DDoS hive that is Lowendtalk.

If Robert did cause the issues at Ramnode it is likely, or actually definite that he was simply one of a much larger group of people cutting their way through providers trying to get a “hit”, he was lucky as it were and found Ramnode, others are in the same position. I know of at least 4 with varying degrees of repair work required.

Whilst I am not condoning what he did, if he did it, it is easy to focus in and target him, yet from what Nick has said he can only be sure Robert accessed something rather than did anything. I am sure all you providers can check your logs and see countless others “all of a sudden” waking up and becoming active in the apparent name of “just testing to check everything is ok”.

Innocent until proven guilty in a court of law, I always say!

Find Files Which Have Been Recently Modified or Created

Has your outdated WordPress or other shrinkwrapware been compromised? (Yes >.>)

After taking steps to shut down the site, you should use the find command to check whether any unusual files have been uploaded recently. If you scramble to close the hole and do updates before this step, the files those updates touch will likely drown any suspects in the results.

If you don’t remove, for example, a phishing page before plugging the hole you:

  • May never find out it’s there
  • Are contributing to phishing
  • Will one day probably have your ISP forward you a sternly worded letter from the victimized institution and threaten to drop your service if the page is not removed in 24 hours

Use your imagination if it’s something worse, like a rootkit or webshell.

It is necessary to determine the earliest possible time the attack could have taken place. It won’t kill you to add a day or two for safety.

# find /var/www/localhost/htdocs/ -type f -ctime -X

Where X is the number of days to look back.
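An added example, not part of the original post, showing why the search above keys on -ctime rather than -mtime: a file's modification time can be backdated with touch, while its change time cannot be set that way. The function names are hypothetical and GNU find is assumed.

```shell
#!/bin/sh
# Added example: ctime versus mtime when hunting for recently dropped files.
# touch(1) can set a file's mtime to any date, but the kernel stamps ctime
# (inode change time) itself, and backdating mtime moves ctime to "now".

# recent_files DIR DAYS KIND -> regular files whose ctime (KIND=c) or mtime
# (KIND=m) falls within the last DAYS days, oldest first.
recent_files() {
    dir=$1 days=$2 kind=$3
    case $kind in
        c) pred=-ctime fmt='%C@ %p\n' ;;
        m) pred=-mtime fmt='%T@ %p\n' ;;
        *) echo "KIND must be c or m" >&2; return 2 ;;
    esac
    find "$dir" -type f "$pred" "-$days" -printf "$fmt" | sort -n | cut -d' ' -f2-
}

# backdated_files DIR DAYS -> files changed within DAYS days (ctime) whose
# mtime claims to be older. Files unpacked from an archive also look like
# this, because extraction restores the original mtime, so review the hits.
backdated_files() {
    find "$1" -type f -ctime "-$2" ! -mtime "-$2"
}

# Usage: backdated_files /var/www/localhost/htdocs 7
```

Run it before updating anything, for the same reason given above: an update rewrites many files and resets their ctime.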


Bad Karma Networks


Made in Canada  •  There's a fox in the Gibson!  •  2010-12