Zimbra < 8.0.6 Web Exploit, Bitcoin Slavery and Securing /tmp/
You may have noticed a bitcoin miner chugging along on your Zimbra server.
Doing a little searching, it seems you're not cool if you haven't.
A serious vulnerability (CVE-2013-7091) in the administration web interface was patched with the release of version 8.0.6. It was subsequently rediscovered, and a PoC was crafted and released by rubina119, marketed as a 0day. While there has been some argument over whether that stretches the definition, I'm sad to say it was 0dh3y enough for me and countless other lazy buggers that never update their Zimbra. Go team!
If you were like me, you might have seen something like this:
top - 17:56:57 up 93 days, 15:06,  1 user,  load average: 6.09, 5.90, 5.87
  PID USER      PR  NI  VIRT  RES  SHR S  %CPU %MEM    TIME+  COMMAND
 4489 zimbra    20   0  458m 2184  920 S 255.4  0.1 7731:52 minerd64
And you may have found this:
# lsof -i | grep minerd64
minerd64 4489 zimbra 4u IPv4 47747967 0t0 TCP localhost:65535->193.0.202.101:domain (ESTABLISHED)
# whois 193.0.202.101
% This is the RIPE Database query service.
...
org-name:       MediaServicePlus Ltd.
org-type:       LIR
address:        Novorogozhskaya 32c3, 212
address:        109029
address:        Moscow
address:        RUSSIAN FEDERATION
...

Then this:
# ls /tmp/
1  a  b  meep.pl  minerd32  minerd32.1  minerd32.2  minerd32.3  minerd32.4  minerd64  minerd64.1  minerd64.2  minerd64.3  xd.pl
And three of these things are not like the others (look at the dates, and the missing SELinux context dot after the permissions):
# ls -lsah /opt/zimbra/zimlets-deployed/
total 84K
4.0K drwxr-xr-x. 21 zimbra zimbra 4.0K Jan 21 01:34 .
4.0K drwxr-xr-x. 51 zimbra zimbra 4.0K Aug 18 15:59 ..
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_adminversioncheck
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_attachcontacts
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_attachmail
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_bulkprovision
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_cert_manager
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_clientuploader
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_date
4.0K drwxr-x---.  4 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_email
4.0K drwxr-x---   2 zimbra zimbra 4.0K Jan 21 01:34 com_zimbra_email_dns
4.0K drwxr-x---   2 zimbra zimbra 4.0K Dec 28 05:26 com_zimbra_example_simplejspaction
4.0K drwxr-x---   2 zimbra zimbra 4.0K Dec 31 16:37 com_zimbra_example_simplejspaction2
4.0K drwxr-x---.  4 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_phone
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_proxy_config
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_srchhighlighter
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_tooltip
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_url
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_viewmail
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_webex
4.0K drwxr-x---.  3 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_ymemoticons
This is the order in which I recommend fixing things:
- Locate and delete any unusual zimbra admin accounts.
- Stop zimbra.
- killall minerd(32|64)
- Clear /tmp/
- Mount /tmp/ as tmpfs with nodev,nosuid,noexec so that binaries dropped into /tmp/ can no longer be executed directly from there.
- Delete the bad zimlets
- Make a backup
- Download 8.0.6
- Do an upgrade. Don't forget install.sh's annoying flags like --platform-override and -x.
- Reset your LDAP and MySQL passwords.
- Restart zimbra.
- Check for any additional gifts that may have been left behind.
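To make the "kill the miner", "secure /tmp/" and "delete the bad zimlets" steps checkable rather than eyeballed, here is a small POSIX sh script. It is an added example and not code from the original post; each function takes the text of a command's output as its first argument, so it can be run against live output (/proc/mounts, ps, ls -l) or, as at the bottom of the script, against constructed sample lines that mirror the listings above. The baseline zimlet date "Jan 9 2013" and the path /opt/zimbra/zimlets-deployed are taken from the post; the mount, process and listing lines in the samples are invented.

```shell
#!/bin/sh
# Added example (not from the original post): post-incident checks for the
# clean-up list above. Each function reads text passed as $1, so it works on
# live output or on the constructed samples below.

# Report which of nodev, nosuid, noexec are absent from the /tmp mount.
# $1 is /proc/mounts-style text (one mount per line, options in field 4).
# Prints the missing options space-separated; returns 0 only when all three
# are present.  If /tmp is not a mount point at all, all three are reported.
# The filesystem type (tmpfs or not) is deliberately not checked here.
tmp_mount_missing() {
    opts=$(printf '%s\n' "$1" | awk '$2 == "/tmp" { print $4; exit }')
    missing=""
    for want in nodev nosuid noexec; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    missing=${missing# }
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# PIDs of processes whose command name is minerd32 or minerd64.
# $1 is "ps -eo pid,user,comm" output (a header line is harmless).
# Prints the PIDs space-separated, ready for kill(1).
miner_pids() {
    printf '%s\n' "$1" |
        awk '$3 ~ /^minerd(32|64)$/ { printf "%s%s", sep, $1; sep = " " }'
}

# Zimlet directories whose modification time differs from the base install.
# $1 is "ls -l" output, $2 the date exactly as ls prints it ("Jan 9 2013").
# Only directory entries are considered; prints the names space-separated.
# This is a heuristic: a dropped zimlet with a forged mtime would be missed.
unexpected_zimlets() {
    printf '%s\n' "$1" | awk -v base="$2" \
        '$1 ~ /^d/ && ($6 " " $7 " " $8) != base { printf "%s%s", sep, $9; sep = " " }'
}

# --- constructed sample input (shape of the real output, values invented) ---
MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,relatime 0 0'

PS='  PID USER     COMMAND
    1 root     init
 4489 zimbra   minerd64
 4502 zimbra   minerd32
 4610 zimbra   java'

ZIMLETS='total 84K
drwxr-x---. 2 zimbra zimbra 4096 Jan  9  2013 com_zimbra_attachmail
drwxr-x---. 4 zimbra zimbra 4096 Jan  9  2013 com_zimbra_email
drwxr-x---  2 zimbra zimbra 4096 Jan 21 01:34 com_zimbra_email_dns
drwxr-x---  2 zimbra zimbra 4096 Dec 28 05:26 com_zimbra_example_simplejspaction
drwxr-x---. 2 zimbra zimbra 4096 Jan  9  2013 com_zimbra_tooltip'

# Run the three checks on the samples.
if missing=$(tmp_mount_missing "$MOUNTS"); then
    echo "/tmp mount: nodev,nosuid,noexec all set"
else
    echo "/tmp mount is missing: $missing"          # nodev noexec
fi
echo "miner processes to kill: $(miner_pids "$PS")"  # 4489 4502
echo "zimlets not from the base install: $(unexpected_zimlets "$ZIMLETS" 'Jan 9 2013')"
```

On a live box the calls become `tmp_mount_missing "$(cat /proc/mounts)"`, `miner_pids "$(ps -eo pid,user,comm)"` and `unexpected_zimlets "$(ls -l /opt/zimbra/zimlets-deployed)" 'Jan 9 2013'` (use whatever date your own clean install shows). The matching /etc/fstab entry for the tmpfs step is `tmpfs /tmp tmpfs nodev,nosuid,noexec 0 0`. Two caveats: the mtime check is only a first pass, and noexec stops the minerd binaries from being run out of /tmp/ but does nothing about scripts like the .pl files in the listing above, which an interpreter will happily read from a noexec mount. So still clear /tmp/ and look for whatever was re-launching the miner (cron entries, the rogue zimlets) rather than relying on the mount options alone.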
Obviously, you should have your admin interface listening on a private IP or a firewalled port wherever possible. Where it isn't, you might like to add an additional layer of security in front of it, for example HTTP auth.
This whole thing has me interested in Bitcoin mining again; I've got all sorts of servers that are mostly unused I'm not paying the hydro for. :p
At least we found something cute this time like hash crunching instead of something destructive like spamming or DoS. Right guys?
o/~ You've got to e-li-minate the negative... o/~