The script in this article allows Zimbra administrators to create checksums of all the files in a Zimbra installation. The output of the script can be used to identify unintended changes and newly created files. Such changes can, for example, be caused by hackers.
You can use this script pro-actively by scheduling it in a cron job and storing the result on a remote server. Or, if you suspect a compromise, you can run the script against a snapshot of your Zimbra server (if you have one) and compare it against the result of the script on your running instance.
As user root, create a file /usr/local/sbin/zimbra-checksums with the following content:
#!/bin/bash
DIR='/tmp'
mkdir -p $DIR/CHECKSUMS
dt=`date +'%m-%d-%Y-%T'`
HN=`hostname`
echo "Fetching folders to search.."
# top-level entries of /opt/zimbra, minus the "total", "." and ".." lines (sed '1,3d')
# and the volatile directories that change on every run
/bin/ls -la /opt/zimbra/ | awk '{print $9}' | egrep -v 'backup|log|db|index|store|data|zmstat' | sed '1,3d' > $DIR/CHECKSUMS/zimdir
echo "Creating file list.."
for i in `cat $DIR/CHECKSUMS/zimdir`
do
  find /opt/zimbra/"$i" -mount -type f | egrep -v "/opt/zimbra/backup/|/opt/zimbra/data/|/opt/zimbra/zmstat/" >> $DIR/CHECKSUMS/sha1files_"$HN"_"$dt".txt
done
# quote every path so that xargs keeps paths containing spaces intact
sed -i 's/^/"/ ; s/$/"/' $DIR/CHECKSUMS/sha1files_"$HN"_"$dt".txt
echo "Calculating checksums.. (This can take time)"
cat $DIR/CHECKSUMS/sha1files_"$HN"_"$dt".txt | tee -a /tmp/asdf.log | xargs sha1sum >> $DIR/CHECKSUMS/sha1sum_zimbra_"$HN"_"$dt".log
echo "Done"
exit
Run it as follows:
chmod +x /usr/local/sbin/zimbra-checksums
/usr/local/sbin/zimbra-checksums
Comparing the result
The result of the script can be found in the /tmp/CHECKSUMS folder. Example:
/tmp/CHECKSUMS/sha1sum_zimbra_zimbra10.example.com_10-11-2022-08:44:06.log
Now to compare the result you can do the following:
cat /tmp/CHECKSUMS/sha1sum_zimbra_zimbra10.example.com_10-11-2022-08\:44\:06.log | sort -k2 > /tmp/resultY
cat /tmp/CHECKSUMS/sha1sum_zimbra_zimbra10.example.com_10-10-2022-13\:21\:01.log | sort -k2 > /tmp/resultX
diff -Naur /tmp/resultX /tmp/resultY
The diff command will show changed checksums as well as files that appear in only one of the two lists (newly created or removed files).
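The comparison step above, as an added example that is not part of the original article: a small bash script that reads two sha1sum logs produced by the zimbra-checksums script and reports each difference as CHANGED, NEW or REMOVED instead of a raw diff. The sample logs, their hashes and the paths in them are constructed for the dry run.

```bash
#!/bin/bash
# Added example, not part of the original article. Classifies the differences
# between two sha1sum logs written by the zimbra-checksums script (one line per
# file: "<sha1>  <path>") as CHANGED, NEW or REMOVED, so a reviewer gets a
# short list instead of a raw diff. Paths may contain spaces.

compare_checksums() {
    # $1 = older (baseline) log, $2 = newer log
    awk '
        # first file: remember the hash recorded for each path
        NR == FNR { h = $1; sub(/^[^ ]+  /, ""); old[$0] = h; next }
        # second file: report paths that are new or whose hash differs
        {
            h = $1; sub(/^[^ ]+  /, "")
            if (!($0 in old))      print "NEW\t" $0
            else if (old[$0] != h) print "CHANGED\t" $0
            seen[$0] = 1
        }
        # anything in the baseline that the new run no longer lists
        END { for (p in old) if (!(p in seen)) print "REMOVED\t" p }
    ' "$1" "$2" | LC_ALL=C sort
}

# Constructed sample logs (fake 40-hex hashes, hypothetical paths) for a dry run:
# one file changed, one unchanged, one removed and one new.
make_sample_logs() {
    d=$(mktemp -d)
    printf '%s  %s\n' \
        1111111111111111111111111111111111111111 /opt/zimbra/bin/zmcontrol \
        2222222222222222222222222222222222222222 /opt/zimbra/conf/localconfig.xml \
        3333333333333333333333333333333333333333 "/opt/zimbra/lib/old thing.jar" > "$d/old.log"
    printf '%s  %s\n' \
        9999999999999999999999999999999999999999 /opt/zimbra/bin/zmcontrol \
        2222222222222222222222222222222222222222 /opt/zimbra/conf/localconfig.xml \
        4444444444444444444444444444444444444444 /opt/zimbra/jetty_base/webapps/zimbra/public/unexpected.jsp > "$d/new.log"
    echo "$d"
}

# Usage: compare-checksums.sh OLD.log NEW.log
[ $# -eq 2 ] && compare_checksums "$1" "$2"
```

Run it with the two dated logs from /tmp/CHECKSUMS (older first); the sorted output lists each changed, new or removed path exactly once.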
A good tip for improving Zimbra security but I prefer to use Tripwire.
Can you publish a “known good” list of hashes?
For those of us just learning about the unpatched remote root exploit that’s been active for a month, it would be helpful to identify if our systems are compromised!
At this time the only way to check is to run the script on a snapshot or backup from the past.
We cannot be sure the snapshot from the past is clean, that’s why I totally agree with Jered’s request.
Can you post a hashes file from a fresh single-server Zimbra installation? It will help to verify the current situation of the server; next we can “safely” generate hashes of the current instance and use them as a “baseline” for further checks.
We have been doing something along these lines for years.
Sometimes, we detect spontaneous changes in the file permissions, e.g.:
File: /opt/zimbra/jetty_base/work/zimbra/jsp/org/apache/jsp/h/rest.class
Permissions: rw-rw-r-- , rw-r-----
as if somebody had done chmod g-w,o-r during the previous day.
Is this something to worry about?
If permissions changes happen, you will want to investigate what caused the changes. Normally permissions don’t change spontaneously. It can happen if you install a Zimbra patch, OS update or some other action a sys-admin did. Perhaps you are running a cron job to set your custom permissions, and Zimbra patches changed them also, and as a result you see these permission changes. You could install a Zimbra test server and see what the permissions look like without your cron job.
If you have more doubts, please open a support case, thanks!
There is a standard free utility doing it for specific folders/files in a controlled manner – aide (similar to tripwire) – Advanced Intrusion Detection Environment:
dnf install aide
man aide
Config file: /etc/aide.conf
# Save the checksums
aide --init
# Verify the checksums
aide --check
Thanks!
Yesterday, we updated to the latest version, including zimbra-patch-8.8.15.1664798903.p34-2.r7.x86_64 and zimbra-mbox-webclient-war-8.8.15.1664792862-1.r7.x86_64
This changed the permissions of some files from rw-r----- to rw-rw-r-- . From experience, I expect Zimbra to change them back in the near future.
I have opened a support case.
NB: AIDE (suggested in another comment) is the tool I referred to when I wrote “something along these lines”.
Add a few lines to make it easier
# keep the previous and latest logs under fixed names (skip the rotation on the very first run)
[ -f $DIR/CHECKSUMS/sha1sum_latest.log ] && cp $DIR/CHECKSUMS/sha1sum_latest.log $DIR/CHECKSUMS/sha1sum_previous.log
cp $DIR/CHECKSUMS/sha1sum_zimbra_"$HN"_"$dt".log $DIR/CHECKSUMS/sha1sum_latest.log
sort -k2 $DIR/CHECKSUMS/sha1sum_previous.log > $DIR/CHECKSUMS/sha1sum_previous_sorted.log
sort -k2 $DIR/CHECKSUMS/sha1sum_latest.log > $DIR/CHECKSUMS/sha1sum_latest_sorted.log
echo "******************* COMPARE *******************"
# compare the sorted copies so that diff lines up identical paths
diff -Naur $DIR/CHECKSUMS/sha1sum_previous_sorted.log $DIR/CHECKSUMS/sha1sum_latest_sorted.log