Zimbra got hacked?
The most strange thing happens. We have a new installation that we publish to internet and we forgot to change the password of the user "admin" . Our default password was "password". The server were in production for a couple of months without any problem.
Yesterday I notice that I stop receiving the "Daily Mail Report" to my admin mailbox that I have configured in Thunderbird. Also, I got a warning from a Telco that I was sending spam from the admin@ account.
I enter the UI as user admin and when I click New to compone an email, a text appears on the body of the email! a spam mail. And, when I send that mail, the display name isnt my anymore, is "SECRET POWERS" and it has a Reply to: to a gmail address.
The strange thin is that when I go to the Administration Page, the display name and every parameter are normal in the admin account.
So..I very confuse I dont know were the system is reading those names and automatic body mesage.
could it be a persona for the admin account? maybe the body is a signature?
No, I am the only admin. By the way, where do I config the signature?
Also, I found this in the logs:
14:27:44,473 INFO [btpool0-791://200.x.x.x/service/soap/SendMsgRequest] [email@example.com;mid=1;ip=126.96.36.199;ua =ZimbraWebClient - FF3.0 (Win)/6.0.8_GA_2661;] sqltrace - Slow execut
ion (2427ms): INSERT INTO mboxgroup1.mail_item(mailbox_id, id, type, parent_id, folder_id, index_id, imap_id, date, size, vol
ume_id, blob_digest, unread, flags, tags, sender, subject, name, metadata, mod_metadata, change_date, mod_content) VALUES (1, 11124, 5, NULL, 5, '11124', 11124, 1289928461, 9862, '1', '97tWG2hwW5fjzZxUJiqjP2SIgGY=', 0, 1, 0, 'SECRET POWERS', '', NULL, 'd1:f150:Has anything ever bothered you in life? Do you have any problem you need to solve? A pending court case you want to resolve in your favor? Health, ...1:s39:SECRET POWERS <firstname.lastname@example.org>1:t0:1:vi10ee', 16700, 1289928462, 16700)
I found the From: and the Reply to: parameters that were change in the admin account preferences. I re-set it to my name and now everything is OK.
So, I wonder how this happens, I was a "robot" attack or a human behind this changes? I simple password change would do it?
For sure change the password to something complex on the admin mailbox.
You could also create a new global admin mailbox account with a more cryptic name, set the status of the existing admin account to "Locked", and in the admin mailbox configure hidden forwarding to the new global admin mailbox.
Hope that helps,