Discuss your pilot or production implementation with other Zimbra admins or our engineers.
Posts: 6
Joined: Mon May 27, 2019 5:46 am


Postby ardhiatno » Tue May 28, 2019 12:49 am

I can confirm that my server is being compromised.
After being fixed for a while, it started to error again and changed the Zimbra crontab with the hacker version.
It's not 100% the same case as the other case; for example, there's no zmcat file but rather a .ntp file.
For the time being I am forced to block the http(s) service from the internet until we can upgrade the Zimbra version to the latest one.
Posts: 26697
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England


Postby phoenix » Tue May 28, 2019 5:24 am

Changing the permissions on those folders might not be the correct response; your server may have been hacked/compromised and you should read the earlier post by Klug and read the thread he linked.


Rspamd: A high performance spamassassin replacement

Per ardua ad astra
Posts: 1
Joined: Tue May 28, 2019 3:20 pm


Postby ludmata » Tue May 28, 2019 3:28 pm

So I've got the same issue - tried proposed fixes, they worked... for a while - and then the same thing happened again. Red lamp triggered - after some basic investigation on what's going on I saw something strange in my top: very high CPU usage from kthrotlds. Hmm... A quick search discovered a critical vulnerability - I have not patched or upgraded in time. Check carefully for these files in /tmp/.cache:
total 3692
drwxr-xr-x. 2 zimbra zimbra 4096 May 28 17:09 .
drwxr-xr-x 3 root root 4096 May 28 17:11 ..
-rw-rw-r--. 1 zimbra zimbra 0 May 27 13:21 .a
-rwxr-xr-x 1 zimbra zimbra 1874740 May 28 14:39 .kswapd
-rwxr-xr-x 1 zimbra zimbra 1874740 May 28 17:09 .kthrotlds
-rwxr-xr-x 1 zimbra zimbra 19825 May 28 17:10 .ntp

If you are in my boat, check this out - most of the information about file names is old, but the cleaning process described works: ... ction/961/

I have cleaned my system thoroughly, removed all crontab entries from the zimbra user, changed all ldap passwords, upgraded to the latest version and everything seems fine. I will move the accounts to a new system, but for the time being I have saved the day.
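
A triage sketch for the indicators reported in the posts above, added here as an example and not part of any poster's message or of Zimbra's tooling. The paths /tmp/.cache and /tmp come from the listing in the thread; the function names and the `--scan` switch are illustrative assumptions.

```shell
# Added example: triage checks for the indicators described in this thread.
# Function names are illustrative; paths are the ones quoted in the posts.

# List hidden regular files with any execute bit set directly inside DIR.
# In the thread's listing .kswapd, .kthrotlds and .ntp have this shape,
# while the empty, non-executable .a does not.
find_hidden_execs() {
    local dir=$1
    [ -d "$dir" ] || return 0
    find "$dir" -maxdepth 1 -type f -name '.*' -perm /111 2>/dev/null | sort
}

# Print "PID PATH" for every process whose executable lives under PREFIX.
# PROCROOT is a parameter so the check also works on a mounted disk image
# or a test fixture; on a live host it is /proc. A binary deleted after
# launch shows up as "PATH (deleted)" and is still reported.
procs_running_from() {
    local procroot=$1 prefix=$2 exe pid target
    for exe in "$procroot"/[0-9]*/exe; do
        [ -L "$exe" ] || continue
        target=$(readlink "$exe" 2>/dev/null) || continue
        case $target in
            "$prefix"/*)
                pid=${exe%/exe}
                pid=${pid##*/}
                printf '%s %s\n' "$pid" "$target"
                ;;
        esac
    done
}

# Run all checks against the live host (needs root to read other users'
# /proc entries and the zimbra crontab).
run_scan() {
    echo "== hidden executables in /tmp/.cache =="
    find_hidden_execs /tmp/.cache
    echo "== processes running from /tmp =="
    procs_running_from /proc /tmp
    echo "== zimbra crontab (review by hand) =="
    crontab -l -u zimbra 2>/dev/null || echo "(none or not readable)"
}

if [ "${1:-}" = "--scan" ]; then run_scan; fi
```

Any hit means the host should be treated as compromised and handled as the posters describe (clean-up, password changes, upgrade, migration), not just have the files deleted.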
