Showing posts from January, 2020

Manually clean up zimbra zmcat/zmcpustat exploit

Symptoms: server load is high, with CPU usage around 300% from the exploit's zmcat/zmcpustat process.

To clean up manually, follow these steps:

1. Freeze the process, but don't kill it:
   kill -STOP [PID]
   A stopped process stays listed, so you can still inspect it (for example /proc/[PID]/exe and /proc/[PID]/cmdline) before removing it.

2. Hide the server from search engines (as the zimbra user, su - zimbra):
   zmprov mcf zimbraMailKeepOutWebCrawlers TRUE +zimbraResponseHeader "X-Robots-Tag: noindex"

3. Reset the permissions on the upload directories:
   chmod 755 /opt/zimbra/data/tmp/
   chmod 755 /opt/zimbra/data/tmp/upload

4. Find and remove the malicious JSP files. Locate them with:
   grep -R '(request.getParameter.' /opt/zimbra/mailboxd /opt/zimbra/jetty
   Review each hit before acting on it. In this case the malicious files were:
   /opt/zimbra/mailboxd/webapps/zimbraAdmin/public/jsp/Alert.jsp
   /opt/zimbra/jetty/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp
   Empty them (the redirection truncates each file to zero bytes) and make them immutable so the attacker cannot re-plant a shell at the same path:
   > /opt/zimbra/mailboxd/webapps/zimbraAdmin/public/jsp/Alert.jsp
   > /opt/zimbra/jetty/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp
   chattr +i /opt/zimbra/mailboxd/webapps/zimbraAdmin/public/jsp/Alert.jsp /opt/zimbra/jetty/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp

5. Fix JSP files that were modified in place. On an RPM-based install, list packaged JSPs whose content no longer matches the package:
   rpm -qa 'zimbra*' | xargs rpm -V | grep -E '^.{2}5' | grep '\.jsp'
   (the third character of each rpm -V line is the MD5 check; a 5 there means the file's content has changed).

For