Search found 5 matches

by edtricklam
Thu Aug 01, 2019 1:32 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 239
Views: 155529

Re: CVE-2019-9670 being actively exploited

Updating.... I tried to delete and chattr +i suspect file, it still automatic create other suspect file in /opt/zimbra/libexec. Example file: zmtrainsa , zmmysqlstatus, zmjavaext, zmldappasswd, zmloggerctl (latest one) and then in ps -eaf |grep zm , you will see zimbra 782 781 0 06:49 ? 00:00:06 /us...
by edtricklam
Mon Jul 15, 2019 3:27 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 239
Views: 155529

Re: CVE-2019-9670 being actively exploited

I fight with this problems over a months. It will automatic regenerate a file "zmcpustat, zmcpustarter, zmwatchdog...." in /opt/zimbra/log "zmiostat ....." in /var/tmp "zmreplchk, zmreplchk_pid...." in /tmp According to https://lorenzo.mile.si/zimbra-cve-2019-9670-being...
by edtricklam
Tue Nov 13, 2018 5:59 am
Forum: Administrators
Topic: Server is hacked??
Replies: 4
Views: 1862

Re: Server is hacked??

Still can not find out what problems?? Today, it tried to login until admin account is lockout. 2018-11-13 07:46:09,023 WARN [qtp509886383-67832:https://192.168.0.2:7071/service/admin/soap/] [name=admin@nexusxxxx.com;ip=192.168.0.2;] security - cmd=Auth; account=admin@nexusxxxx.com; protocol=soap; e...
by edtricklam
Tue Nov 06, 2018 1:50 am
Forum: Administrators
Topic: Server is hacked??
Replies: 4
Views: 1862

Re: Server is hacked??

I tried cat /var/log/zimbra.log | grep sasl_username > list. but nothing display. I found that zombie process, Is it a problem?? USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND zimbra 11131 0.0 0.0 0 0 ? Z Nov05 0:00 [sh] <defunct> root@mail:~# pstree -p -s 11131 init(1)auditswatch(26753)perl...
by edtricklam
Mon Nov 05, 2018 2:41 pm
Forum: Administrators
Topic: Server is hacked??
Replies: 4
Views: 1862

Server is hacked??

One of user account is hacked and spam out last week. We already changed his password and clean up all spam mail. We monitor 3 days. But today we found in server audit log. its quit strange that someone to use localhost / own internal IP connect to admin console. Although its auth failed, we wonder ...

Go to advanced search