Hackers often install webshells on onpatched Zimbra systems and then wait for some time before actually abusing the compromised system. Especially on systems where critical security patches where installed too late, it may seem all was OK, where in fact a hacker has already gained access to the system, but did not do any other malicious activities yet.
To check if the vulnerability is potentially leveraged on an unpatched server, look for the following log entries on the mailbox server.
- Use the https://wiki.zimbra.com/wiki/Integrity_check script and compare the output of the live system with that of a snapshot.
- Check for unknown files in the
webappsfolder. Look for unknown files in the webapps folder, especially ones ending in
The files may have random names, or misleading names like
To find files created in the last 60 days, run:
find /opt/zimbra/jetty/webapps/ -type f -newerct "-60 days"
- Check for unknown files elsewhere
There may be files placed in other directories, like
/opt/zimbra/log, etc. Check these places for files with unusual names like
For example, to search for executable files under /opt/zimbra/ that have been changed in the past 60 days, run:
find /opt/zimbra/ -executable -type f -newerct "-60 days"
To check for all new files, but excluding backup, store and data:
find /opt/zimbra/ \( -path /opt/zimbra/backup -o -path /opt/zimbra/store -o -path /opt/zimbra/db/data \) -prune -o -newerct "-60 days"
ctis used instead of the usual
mt, because the modified time can be easily changed)
- Check for new crontab entries for
- Check for unknown admin accounts.
- Check for unknown Zimlets.
- Check to confirm that Pax package is installed
- Check to confirm that unrar package is uninstalled and using 7zip
- Check the configuration of sshd, validate the used authorized_keys file and validate the content of authorized_keys files for all users
- Check what ports are opened on the system and if the firewall is configured correctly
If there is evidence of the vulnerability being leveraged, we suggest rebuilding it: https://wiki.zimbra.com/wiki/Steps_To_Rebuild_ZCS_Server