@iomarmochtar
Last active April 13, 2019 10:37
My Zimbra Got Hacked by an XXE Bug, What Should I Do?
Note:
- I suggest you do not delete any script or program the intruder put on your server; back it up and see how it works,
so you can learn how it operated and determine the impact on your server.
- Before (or in parallel with) taking that backup, please make sure your server is clean of any backdoor first!
- You may consider reinstalling your OS if the damage done by the intruder was quite heavy,
e.g. they replaced some coreutils or some crucial daemon (SSH for instance).
In general you should inspect in detail every folder the zimbra user has write access to,
but these are the common things you should check:
- Look for any new file in the jetty JSP directory of the zimbra webapp; some intruders put a webshell there
# ls -ltr /opt/zimbra/jetty/webapps/zimbra
- make sure no JSP file does runtime execution (quote "$x" so file names with spaces do not break grep)
# for x in $(find /opt/zimbra/jetty/webapps/zimbra -name "*.jsp"); do grep -q -e Runtime -e FileOutputStream "$x" && echo "Detected $x"; done
- Check the list of global admins; if you find an admin that shouldn't exist, disable or remove it.
$ zmprov gaaa
- Check the crontab of every user (remember the intruder may have got root access to your server).
# for user in $(cut -f1 -d: /etc/passwd); do crontab -u "$user" -l; done
- Check for any suspicious or strange script or program in /tmp
# ls -ltr /tmp/
- Look for any strange process on your server
# top
or (better)
# htop
- Check the scripts/programs executed while the OS starts
# less /etc/rc.local
You may need to adjust the command below for your Linux distro (e.g. chkconfig on old CentOS versions)
# systemctl -t service -a
- Watch for strange programs/scripts that open a port
# netstat -tnap | grep LISTEN | less
# netstat -unap
You may consider sysdig for gaining more detail.
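The JSP webshell check from the list above, as an added shell helper that is not part of the original notes: it wraps the find/grep check in a function with a usable exit status, copes with file names containing spaces, and adds a recursive equivalent of the `ls -ltr` look for recently changed JSP files. The webapp path and the two grep patterns are the ones the notes use; the sample tree is constructed so the script can be tried without a Zimbra host.

```shell
#!/bin/sh
# Added example, not from the original notes. Wraps the JSP webshell check in
# reusable functions. WEBAPP_DIR defaults to the path given in the notes.

WEBAPP_DIR="${WEBAPP_DIR:-/opt/zimbra/jetty/webapps/zimbra}"

# scan_jsp DIR
# Prints every *.jsp under DIR that references Runtime or FileOutputStream
# (the two patterns from the notes), one path per line.
# `-exec ... {} +` copes with spaces in file names, which a backtick
# for-loop does not. Exit status 0 = something found, 1 = nothing found.
scan_jsp() {
    hits=$(find "$1" -type f -name '*.jsp' \
        -exec grep -l -e 'Runtime' -e 'FileOutputStream' '{}' + 2>/dev/null || true)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# recent_jsp DIR DAYS
# Lists *.jsp files under DIR modified in the last DAYS days, sorted by
# modification time, the same view as `ls -ltr` but recursive and JSP-only.
recent_jsp() {
    find "$1" -type f -name '*.jsp' -mtime "-$2" -exec ls -ltr '{}' +
}

# make_sample
# Builds a constructed sample tree (one clean page, one page that mentions
# FileOutputStream in a comment and has a space in its name) and prints its path.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/public" "$d/h"
    printf '<%%-- constructed: plain page --%%>\n' > "$d/public/index.jsp"
    printf '<%%-- constructed: mentions FileOutputStream --%%>\n' > "$d/h/odd name.jsp"
    printf '%s\n' "$d"
}

if [ -d "$WEBAPP_DIR" ]; then
    recent_jsp "$WEBAPP_DIR" 30
    scan_jsp "$WEBAPP_DIR" && echo "Review the files listed above."
else
    echo "$WEBAPP_DIR not found, running against the constructed sample tree"
    sample=$(make_sample)
    scan_jsp "$sample"      # prints .../h/odd name.jsp
    rm -rf "$sample"
fi
```

A hit only means the file deserves a manual look; legitimate Zimbra JSPs can reference these classes too, so compare against a clean install or package checksums before removing anything.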