Thread: Zimbra got hacked?

  1. #1
    Join Date
    Nov 2010
    Posts
    3
    Rep Power
    4

    Zimbra got hacked?

    Hello all,
    The strangest thing happened. We have a new installation that we published to the internet, and we forgot to change the password of the user "admin". Our default password was "password". The server was in production for a couple of months without any problem.
    Yesterday I noticed that I had stopped receiving the "Daily Mail Report" in my admin mailbox, which I have configured in Thunderbird. Also, I got a warning from a telco that I was sending spam from the admin@ account.
    I entered the UI as user admin, and when I click New to compose an email, a text appears in the body of the email! A spam mail. And when I send that mail, the display name isn't mine anymore; it is "SECRET POWERS" and it has a Reply-to: set to a Gmail address.
    The strange thing is that when I go to the Administration Page, the display name and every parameter are normal in the admin account.
    So... I am very confused. I don't know where the system is reading those names and the automatic message body from.

    Please help!

    Regards

  2. #2
    Join Date
    Jul 2007
    Location
    Baltimore
    Posts
    1,649
    Rep Power
    11

    Could it be a persona for the admin account? Maybe the body is a signature?

  3. #3
    Join Date
    Nov 2010
    Posts
    3
    Rep Power
    4

    No, I am the only admin. By the way, where do I configure the signature?

    Also, I found this in the logs:

    /opt/zimbra/log/mailbox.log.2010-11-16:2010-11-16 14:27:44,473 INFO [btpool0-791://200.x.x.x/service/soap/SendMsgRequest] [name=admin@zimbra.x.x.x;mid=1;ip=71.113.139.253;ua=ZimbraWebClient - FF3.0 (Win)/6.0.8_GA_2661;] sqltrace - Slow execution (2427ms): INSERT INTO mboxgroup1.mail_item(mailbox_id, id, type, parent_id, folder_id, index_id, imap_id, date, size, volume_id, blob_digest, unread, flags, tags, sender, subject, name, metadata, mod_metadata, change_date, mod_content) VALUES (1, 11124, 5, NULL, 5, '11124', 11124, 1289928461, 9862, '1', '97tWG2hwW5fjzZxUJiqjP2SIgGY=', 0, 1, 0, 'SECRET POWERS', '', NULL, 'd1:f150:Has anything ever bothered you in life? Do you have any problem you need to solve? A pending court case you want to resolve in your favor? Health, ...1:s39:SECRET POWERS <admin@zimbra.x.x.x>1:t0:1:vi10ee', 16700, 1289928462, 16700)

  4. #4
    Join Date
    Nov 2010
    Posts
    3
    Rep Power
    4

    I found the From: and Reply-to: parameters that were changed in the admin account preferences. I reset them to my name and now everything is OK.
    So, I wonder how this happened. Was it a "robot" attack, or was a human behind these changes? Would a simple password change do it?

  5. #5
    Join Date
    Sep 2006
    Location
    477 Congress Street | Portland, ME 04101
    Posts
    1,374
    Rep Power
    11

    For sure change the password to something complex on the admin mailbox.

    You could also create a new global admin mailbox account with a more cryptic name, set the status of the existing admin account to "Locked", and in the admin mailbox configure hidden forwarding to the new global admin mailbox.

    Hope that helps,
    Mark
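
The mailbox.log entry quoted in post #3 records the account name and client IP of each SendMsgRequest, so the log can be swept for admin sends from addresses the administrator does not recognise. The script below is an added example, not part of the original thread or of Zimbra; the trusted-address set, host names and sample log lines are constructed assumptions.

```python
import re
from collections import Counter

# Thread name ends in ".../service/soap/<Request>]" and is followed by a
# "[key=value;...]" context block, as in the entry quoted in post #3.
LINE_RE = re.compile(r"\[[^\]\s]*/service/soap/(\w+)\]\s+\[([^\]]*)\]")

def parse_context(block):
    """Split 'name=..;mid=..;ip=..;ua=..;' into a dict, tolerating 'ua =' spacing."""
    fields = {}
    for part in block.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def untrusted_sends(log_text, account, trusted_ips):
    """Count SendMsgRequest entries for `account` per client IP not in trusted_ips."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group(1) != "SendMsgRequest":
            continue  # other SOAP requests and unrelated lines are ignored
        ctx = parse_context(m.group(2))
        ip = ctx.get("ip")
        if ctx.get("name") == account and ip and ip not in trusted_ips:
            hits[ip] += 1
    return dict(hits)

# Constructed sample (documentation-range addresses, hypothetical host name).
UA = "ZimbraWebClient - FF3.0 (Win)/6.0.8_GA_2661"
HOST = "btpool0-1://mail.example.test/service/soap"
SAMPLE_LOG = "\n".join([
    f"2010-11-16 09:02:11,120 INFO [{HOST}/SendMsgRequest] [name=admin@example.test;mid=1;ip=192.0.2.10;ua={UA};] sqltrace - Slow execution (900ms)",
    f"2010-11-16 14:27:44,473 INFO [{HOST}/SendMsgRequest] [name=admin@example.test;mid=1;ip=203.0.113.77;ua ={UA};] sqltrace - Slow execution (2427ms)",
    f"2010-11-16 14:27:50,002 INFO [{HOST}/SendMsgRequest] [name=admin@example.test;mid=1;ip=203.0.113.77;ua={UA};] sqltrace - Slow execution (1100ms)",
    f"2010-11-16 14:30:00,000 INFO [{HOST}/SearchRequest] [name=admin@example.test;mid=1;ip=203.0.113.77;] sqltrace - Slow execution (1500ms)",
    f"2010-11-16 15:00:00,000 INFO [{HOST}/SendMsgRequest] [name=user@example.test;mid=7;ip=198.51.100.5;] sqltrace - Slow execution (1200ms)",
])

if __name__ == "__main__":
    found = untrusted_sends(SAMPLE_LOG, "admin@example.test", {"192.0.2.10"})
    for ip, count in found.items():
        print(f"{ip}: {count} SendMsgRequest call(s) as admin from an unlisted address")
```

Only log lines that carry the SOAP context block are counted, so a quiet result does not rule out mail sent through other paths.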
