Bwiacek-Notes-WebEx
Sev 1 WebEx steps
Checking if server is compromised
If a client calls in and says they are compromised, or you suspect that they are, this is a list of what to look for to see if anything is amiss.
Check Install History
Check install history to see when the last patch was applied...
less /opt/zimbra/.install_history
To get the time of the last patch install as a readable date:
date -d "@$(grep CONFIGURED /opt/zimbra/.install_history | tail -n 1 | awk '{gsub(":", "", $1); print $1}')"
Links to Patch Release history
2022: https://wiki.corp.synacor.com:8443/pages/viewpage.action?pageId=174719853
2023: https://wiki.corp.synacor.com:8443/pages/viewpage.action?pageId=176686252
Check Active Processes
Check current running processes
ps -ef | grep -i zimbra
Check Crontabs
As root:
crontab -l
As the zimbra user:
su - zimbra -c "crontab -l"
Check Files
Check the following for newly modified files and compare the dates to the last installed patch.
ls -lrt /opt/zimbra/jetty/webapps/zimbra/ > /tmp/jetty_zimbra_lrt.txt
ls -lrt /opt/zimbra/jetty/webapps/zimbraAdmin/ > /tmp/jetty_zimbraAdmin_lrt.txt
ls -lrt /opt/zimbra/jetty_base/work/ > /tmp/jetty_work_lrt.txt
ls -lrt /opt/zimbra/mailboxd/webapps/zimbra/public/jsp/ > /tmp/jsp_lft.txt
ls -ltr /opt/zimbra/mailboxd/webapps/zimbra/public/ > /tmp/public_lrt.txt
ls -lrt /opt/zimbra/mailboxd/webapps/zimbraAdmin/WEB-INF > /tmp/web-inf.txt
ls -lrt /opt/zimbra/mailboxd/webapps/zimbraAdmin > /tmp/zimbraAdmin_lrt.txt
List of files modified in the last 60 days
find /opt/zimbra/jetty/webapps/ -type f -newerct "-60 days" > /tmp/ct.txt
find /opt/zimbra/ \( -path /opt/zimbra/backup -o -path /opt/zimbra/store -o -path /opt/zimbra/db/data \) -prune -o -newerct "-60 days" -print > /tmp/newFiles.txt
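The checks above combined into one script, as an added example that is not part of the original notes: it reads the last CONFIGURED timestamp from .install_history and lists webapp files whose ctime is later than that patch. The function names, the ZIMBRA_HOME override and the --run switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example: list webapp files changed after the last recorded patch.
# Function names and the ZIMBRA_HOME override are assumptions for this example.
ZIMBRA_HOME="${ZIMBRA_HOME:-/opt/zimbra}"

# Print the epoch of the last CONFIGURED line ("<epoch>: CONFIGURED ...").
# Exits non-zero when no such line, or no numeric timestamp, is found.
last_patch_epoch() {
    awk '/CONFIGURED/ { sub(":", "", $1); e = $1 }
         END { if (e !~ /^[0-9]+$/) exit 1; print e }' "$1"
}

# Webapp directories named in the notes above, relative to ZIMBRA_HOME.
webapp_dirs() {
    for d in jetty/webapps/zimbra jetty/webapps/zimbraAdmin jetty_base/work \
             mailboxd/webapps/zimbra/public mailboxd/webapps/zimbraAdmin; do
        printf '%s\n' "$ZIMBRA_HOME/$d"
    done
}

# changed_since EPOCH DIR...: regular files whose inode change time (ctime)
# is later than EPOCH. ctime is used because mtime can be reset with touch.
# -H follows a DIR that is itself a symlink; missing directories are skipped.
changed_since() {
    epoch="$1"; shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find -H "$dir" -type f -newerct "@$epoch" -print
    done | sort
}

# Report the patch time on stderr and the candidate files on stdout.
triage() {
    epoch=$(last_patch_epoch "$ZIMBRA_HOME/.install_history") || {
        echo "no CONFIGURED entry in $ZIMBRA_HOME/.install_history" >&2
        return 2
    }
    echo "last patch: $(date -d "@$epoch")" >&2
    # Word splitting is intended here: the paths contain no whitespace.
    changed_since "$epoch" $(webapp_dirs)
}

# Run only when asked, e.g.: sh triage.sh --run > /tmp/changed_since_patch.txt
if [ "${1:-}" = "--run" ]; then triage; fi
```

The output is a review list, not a verdict: legitimate administrative changes made after the patch also update ctime.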
Submitted by: BWiacek