10 steps to check Zimbra server for compromise

Hackers often install webshells on unpatched Zimbra systems and then wait for some time before actually abusing the compromised system. Especially on systems where critical security patches were installed too late, everything may seem to be OK, when in fact an attacker has already gained access to the system but has not yet carried out any other malicious activity.

To check whether the vulnerability has potentially been leveraged on a server that was patched late, go through the following checks on the mailbox server.

  1. Run the Integrity check script from https://wiki.zimbra.com/wiki/Integrity_check and compare the output of the live system with that of a known-good snapshot.
  2. Check for unknown files in the webapps folders, especially ones ending in .jsp, .js, .sh or .py:
     /opt/zimbra/jetty/webapps/zimbra/
     /opt/zimbra/jetty/webapps/zimbraAdmin/
    The files may have random names, or misleading names like security.jsp.
    To find files created or changed in the last 60 days, run:

    find /opt/zimbra/jetty/webapps/ -type f -newerct "-60 days"
  3. Check for unknown files elsewhere.
    There may be files placed in other directories, like /tmp/, /opt/zimbra/log, etc. Check these places for files with unusual names like amd64, libd, etc.
    For example, to search for executable files under /opt/zimbra/ that have been changed in the past 60 days, run:

    find /opt/zimbra/ -executable -type f -newerct "-60 days"

    To list all new files, excluding the backup, store and db/data directories (the trailing -print stops the pruned directories themselves from being listed):

    find /opt/zimbra/ \( -path /opt/zimbra/backup -o -path /opt/zimbra/store -o -path /opt/zimbra/db/data \) -prune -o -newerct "-60 days" -print

    (Note that ct, the inode change time, is used instead of the usual mt, because the modification time is easily faked, for example with touch, while the change time is not.)

  4. Check for new crontab entries for the zimbra and root users.
  5. Check for unknown admin accounts.
  6. Check for unknown Zimlets.
  7. Check to confirm that the pax package is installed.
  8. Check to confirm that the unrar package is uninstalled and that 7zip is used instead.
  9. Check the configuration of sshd, validate which authorized_keys file is used, and validate the content of the authorized_keys files for all users.
  10. Check which ports are open on the system and whether the firewall is configured correctly.
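
The file checks from steps 2, 3 and 9, wrapped in shell functions as an added example (this is not Zimbra's own tooling). The functions take the install root and passwd file as arguments so they can be run against /opt/zimbra or against a constructed test tree; they assume GNU find (for -newerct with a relative date) and the OpenSSH default key locations ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2, so adjust the paths if sshd_config sets AuthorizedKeysFile elsewhere.

```shell
#!/bin/sh
# Added example, not part of the Zimbra page or product. Assumes GNU find and
# the default OpenSSH authorized_keys locations.

# Step 2: files under <root>/jetty/webapps whose inode change time (ctime) is
# within the last <days> days and whose extension is one a webshell would use.
suspicious_webapp_files() {
    root="$1"; days="${2:-60}"
    find "$root/jetty/webapps" -type f -newerct "-$days days" \
        \( -name '*.jsp' -o -name '*.js' -o -name '*.sh' -o -name '*.py' \) \
        | LC_ALL=C sort
}

# Step 3: everything changed within <days> days under <root>, skipping the
# backup, store and db/data trees. The trailing -print is what keeps the
# pruned directories themselves out of the listing.
recent_files_excluding_data() {
    root="$1"; days="${2:-60}"
    find "$root" \( -path "$root/backup" -o -path "$root/store" \
        -o -path "$root/db/data" \) -prune \
        -o -newerct "-$days days" -print | LC_ALL=C sort
}

# Step 9: for each account in the passwd file <passwd>, print
# "<user> <file> <key-count>" for every authorized_keys file that exists.
# <prefix> is prepended to home directories so the function can be exercised
# against a constructed tree; leave it empty on a real host.
authorized_keys_report() {
    passwd="$1"; prefix="${2:-}"
    while IFS=: read -r user pw uid gid gecos home shell; do
        for f in "$prefix$home/.ssh/authorized_keys" \
                 "$prefix$home/.ssh/authorized_keys2"; do
            [ -f "$f" ] || continue
            # count key lines only; blank lines and comments are ignored
            n=$(grep -c -E '^[[:space:]]*(ssh-|ecdsa-|sk-)' "$f" || true)
            printf '%s %s %s\n' "$user" "$f" "$n"
        done
    done < "$passwd"
}

# Typical use on a live server:
#   suspicious_webapp_files /opt/zimbra 60
#   recent_files_excluding_data /opt/zimbra 60
#   authorized_keys_report /etc/passwd
```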

If there is evidence that the vulnerability has been leveraged, we suggest rebuilding the server: https://wiki.zimbra.com/wiki/Steps_To_Rebuild_ZCS_Server


Copyright © 2022 Zimbra, Inc. All rights reserved.
