Thread: Zimbra server got hacked, security?

  1. #1

    Zimbra server got hacked, security?

    Hello all,

    I was running the beta of zimbra on an internet-facing server and last week it got hacked. It looks like only zimbra got hacked as apache and bind were untouched. When I deleted and reinstalled (without performing an actual uninstall) I got the following from the install output:

    Setting defaults... MX: grey-area.mailhostingserver.com (209.62.85.74)
    MX: grey-area.mailhostingserver.com (67.15.149.233)

    Interface: 64.251.xx.xx
    Interface: 64.251.xx.xx
    Interface: 127.0.0.1
    67.15.149.233
    209.62.85.74
    209.62.85.74
    67.15.149.233
    67.15.149.233
    209.62.85.74

    Now, the first two interfaces were correct, as is 127 obviously, but the others were NOT mine, nor was the MX default correct. And I couldn't figure out where it was pulling this data from. But either way, I did an actual uninstall and reinstalled.

    Now, it WAS the beta of 5, I believe, and I have since upgraded to the final and reinstalled and all is well. But now I worry about my mail server security.

    Aside from firewalling the server (which I already have), what other steps can be taken to prevent this from happening again?

    I'm not blaming zimbra for the hack, I'm certainly not a genius when it comes to this stuff anyway. But I'd like to take steps to make sure this doesn't happen again.

  2. #2

    Would you like assistance investigating the hack? What were the symptoms? Why did you delete it if it was hacked?

  3. #3

    Well, it was hacked and my mailserver was down. Mail could be sent but could not be received, as it was all going to grey-area.mailhostingserver.com and being dropped.

    It was a Sunday night, and I had to get it up for Monday. If it was still functional I would have investigated things, but as I was dead in the water, I had to do whatever it took to get things back up.

    That's the only reason I looked into it in the first place: I strangely hadn't received mail for a few days. Thunderbird was connecting to the server just fine but my inbox remained empty. A few test e-mails between my Gmail account verified that sending worked but not receiving.

  4. #4

    This has nothing to do with Zimbra. See ICANN Moves To Disable Domain Tasting

  5. #5

    Perhaps I'm missing something. Quite possible. But...

    My domain hasn't expired and my DNS was functional and was not changed in any way.

    An uninstall of zimbra, then reinstall of the final release of 5, got me back up and running again. From what I could tell, the settings in postfix (or something within zimbra) got tweaked to something else.

    This has been a functional, working server for well over a year.

    HOWEVER: I don't know everything, obviously. So maybe I'm totally missing the point here. I apologize if that is the case.

    That said, I'm looking to stop this from happening again. Or to at least take steps to make it harder to happen.

  6. #6
    phoenix (Zimbra Consultant & Moderator)

    Quote Originally Posted by violentpurr:
    "That said, I'm looking to stop this from happening again. Or to at least take steps to make it harder to happen."
    It's almost impossible to give an opinion on what happened without some log files. Did you, by any chance, keep a copy of the logs or the /opt/zimbra directory?

    You seem to be saying that a bunch of IP addresses were associated with your server and they're nothing to do with you, and your MX records were changed but your copy of BIND is untouched.

    You also say that you have the server firewalled; is that correct?

    The obvious initial questions would be as follows:

    Are you hosting your own DNS records? If not, who does?
    Which ports are open on the firewall?
    How do you manage this server, via ssh? If so, is port 22 open and does root have access to it?
    Do you have any audit trail on your server to see who logged in and when?
    When you reinstalled Zimbra, did you have to make any modifications to your /etc/hosts file or your /etc/resolv.conf file? Check them; are they still set to your original settings?

    You also said that you could send mail but not receive any, what would that achieve for a hacker? The only obvious reason to hack a mail server would be to spam, stopping you from receiving mail wouldn't make sense as it alerts you to a problem. Just as a supplementary question, did you (or your ISP) notice any increase in outbound traffic at this time that would indicate anything unusual?

    My initial thoughts on what you've said are that it's a misconfiguration problem of your server and/or DNS, by whom and for what purpose I've no idea, and without any hard evidence you'll probably never know.

    Regards

    Bill
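    An added example, not from this thread or from Zimbra: the installer fills its MX and Interface defaults from DNS and the local resolver, so the check phoenix describes (is what the installer saw actually yours, and are /etc/hosts and /etc/resolv.conf still what you set?) can be scripted. The script pulls every host and address out of the "Setting defaults" output and reports the ones missing from an allowlist of what you own; the sample output and allowlist are constructed from the first post, and the live MX helper assumes dig is installed.

```shell
#!/bin/sh
# Added example, not part of the thread. Zimbra's installer derives its MX and
# Interface defaults from DNS and the local resolver, so a host or address you do
# not recognise in that output points at DNS, /etc/hosts or /etc/resolv.conf.

# Constructed sample, copied from the first post (the 64.251.xx.xx values are
# masked there and are kept as-is).
SAMPLE_INSTALL_OUTPUT='Setting defaults... MX: grey-area.mailhostingserver.com (209.62.85.74)
MX: grey-area.mailhostingserver.com (67.15.149.233)
Interface: 64.251.xx.xx
Interface: 64.251.xx.xx
Interface: 127.0.0.1
67.15.149.233
209.62.85.74'

# extract_tokens FILE: print each distinct host or address in the installer
# output, one per line, after stripping the labels and parentheses.
extract_tokens() {
    sed -e 's/^Setting defaults\.\.\. *//' -e 's/^MX: *//' -e 's/^Interface: *//' \
        -e 's/[()]/ /g' "$1" | tr -s ' ' '\n' | sed '/^$/d' | sort -u
}

# flag_unexpected OUTPUT_FILE ALLOWLIST_FILE: print tokens that are not an exact
# match for any line of the allowlist (one host or address per line).
flag_unexpected() {
    extract_tokens "$1" | grep -vxF -f "$2" || true
}

# check_install_defaults OUTPUT_FILE ALLOWLIST_FILE: status 0 when every
# host/address is on the allowlist, 1 otherwise (offenders are printed).
check_install_defaults() {
    unexpected=$(flag_unexpected "$1" "$2")
    if [ -n "$unexpected" ]; then
        printf 'Unexpected installer defaults; check DNS, /etc/hosts and /etc/resolv.conf:\n%s\n' "$unexpected"
        return 1
    fi
    return 0
}

# live_mx_check DOMAIN EXPECTED_HOST: does the MX currently published for DOMAIN
# include the host you expect? Needs network access and dig (assumed installed).
live_mx_check() {
    dig +short MX "$1" | awk '{print $2}' | sed 's/\.$//' | grep -qxF "$2"
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_INSTALL_OUTPUT" > "$tmp/install.log"
    printf '%s\n' 64.251.xx.xx 127.0.0.1 > "$tmp/allow.txt"
    check_install_defaults "$tmp/install.log" "$tmp/allow.txt"
    rm -rf "$tmp"
fi
```

    Run it with `--demo` against the constructed sample, or point check_install_defaults at a saved copy of your own install output and an allowlist of your interfaces and MX host.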
