New admin account created automatically

Posted: Mon Aug 19, 2019 5:54 am
by thameera
Hi All,

Today I saw that our mail server had unusual admin accounts created. I checked the audit log and found the entries below. I want to know under which user this account was created. Server details: Ubuntu 14.04 / ZCS 8.7.11.

Has anyone had this issue? Please help me investigate it.

2019-08-13 20:23:35,878 INFO [qtp1798286609-1145993:http://10.0.10.1:88/service/soap] [name=zimbra;ip=10.0.10.1;port=60393;ua=ZimbraWebClient - SAF3 (Win)/5.0.15_GA_2851.RHEL5_64;] security - cmd=Auth; account=zimbra; protocol=soap;
2019-08-13 20:23:36,342 INFO [qtp1798286609-1145999:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;ua=ZimbraWebClient - SAF3 (Win)/5.0.15_GA_2851.RHEL5_64;] security - cmd=AdminAuth; account=zimbra;
2019-08-13 20:23:36,343 INFO [qtp1798286609-1145999:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;ua=ZimbraWebClient - SAF3 (Win)/5.0.15_GA_2851.RHEL5_64;] security - cmd=Auth; account=zimbra; protocol=soap;
2019-08-13 20:23:38,477 INFO [qtp1798286609-1145804:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;] security - cmd=CreateAccount; name=sagvzc@test.co.in;
2019-08-13 20:23:38,885 INFO [qtp1798286609-1145953:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;] security - cmd=ModifyAccount; name=sagvzc@test.co.in; zimbraIsAdminAccount=TRUE;
2019-08-13 20:23:39,527 INFO [qtp1798286609-1145993:http://10.0.10.1:88/downloads/FMTn.jsp] [] security - cmd=Auth; account=sagvzc@test.co.in; protocol=http_basic;
2019-08-13 20:23:59,993 INFO [qtp1798286609-1146015:http://10.0.10.1:88/service/soap] [name=zimbra;ip=10.0.10.1;port=60435;ua=ZimbraWebClient - SAF3 (Win)/5.0.15_GA_2851.RHEL5_64;] security - cmd=Auth; account=zimbra; protocol=soap;
2019-08-13 20:24:00,419 INFO [qtp1798286609-1145999:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;ua=ZimbraWebClient - SAF3 (Win)/5.0.15_GA_2851.RHEL5_64;] security - cmd=AdminAuth; account=zimbra;
2019-08-13 20:24:00,421 INFO [qtp1798286609-1145999:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;ua=ZimbraWebClient - SAF3 (Win)/5.0.15_GA_2851.RHEL5_64;] security - cmd=Auth; account=zimbra; protocol=soap;
2019-08-13 20:24:03,222 INFO [qtp1798286609-1146029:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;] security - cmd=CreateAccount; name=1tqdvc@test.co.in;
2019-08-13 20:24:03,637 INFO [qtp1798286609-1146015:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;] security - cmd=ModifyAccount; name=1tqdvc@test.co.in; zimbraIsAdminAccount=TRUE;
2019-08-13 20:24:04,032 INFO [qtp1798286609-1146028:http://10.0.10.1:88/downloads/Hyr7.jsp] [] security - cmd=Auth; account=1tqdvc@test.co.in; protocol=http_basic;
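As an added example (not from the original post, and not Zimbra's own tooling), the following Python script parses audit.log lines in the format quoted above and answers the question asked: which actor created and promoted each account, from which client IP that actor had authenticated, and how the new account was first used. The sample lines are the ones quoted in the post, embedded inline as constructed input; the five-minute pairing window and the assumption that legitimate Auth events are served under a /service/ path are assumptions of mine, not something the log format guarantees.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the audit.log entries quoted in the post (ZCS 8.x format).
SAMPLE_LOG = """\
2019-08-13 20:23:35,878 INFO [qtp1798286609-1145993:http://10.0.10.1:88/service/soap] [name=zimbra;ip=10.0.10.1;port=60393;ua=ZimbraWebClient - SAF3 (Win)/5.0.15_GA_2851.RHEL5_64;] security - cmd=Auth; account=zimbra; protocol=soap;
2019-08-13 20:23:36,342 INFO [qtp1798286609-1145999:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;ua=ZimbraWebClient - SAF3 (Win)/5.0.15_GA_2851.RHEL5_64;] security - cmd=AdminAuth; account=zimbra;
2019-08-13 20:23:38,477 INFO [qtp1798286609-1145804:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;] security - cmd=CreateAccount; name=sagvzc@test.co.in;
2019-08-13 20:23:38,885 INFO [qtp1798286609-1145953:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;] security - cmd=ModifyAccount; name=sagvzc@test.co.in; zimbraIsAdminAccount=TRUE;
2019-08-13 20:23:39,527 INFO [qtp1798286609-1145993:http://10.0.10.1:88/downloads/FMTn.jsp] [] security - cmd=Auth; account=sagvzc@test.co.in; protocol=http_basic;
2019-08-13 20:23:59,993 INFO [qtp1798286609-1146015:http://10.0.10.1:88/service/soap] [name=zimbra;ip=10.0.10.1;port=60435;ua=ZimbraWebClient - SAF3 (Win)/5.0.15_GA_2851.RHEL5_64;] security - cmd=Auth; account=zimbra; protocol=soap;
2019-08-13 20:24:00,419 INFO [qtp1798286609-1145999:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;ua=ZimbraWebClient - SAF3 (Win)/5.0.15_GA_2851.RHEL5_64;] security - cmd=AdminAuth; account=zimbra;
2019-08-13 20:24:03,222 INFO [qtp1798286609-1146029:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;] security - cmd=CreateAccount; name=1tqdvc@test.co.in;
2019-08-13 20:24:03,637 INFO [qtp1798286609-1146015:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;] security - cmd=ModifyAccount; name=1tqdvc@test.co.in; zimbraIsAdminAccount=TRUE;
2019-08-13 20:24:04,032 INFO [qtp1798286609-1146028:http://10.0.10.1:88/downloads/Hyr7.jsp] [] security - cmd=Auth; account=1tqdvc@test.co.in; protocol=http_basic;
"""

# timestamp LEVEL [thread:request-url] [context k=v;...] security - k=v; ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+) +"
    r"\[(?P<thread>[^\]]*)\] \[(?P<ctx>[^\]]*)\] security - (?P<body>.*)$"
)


def parse_kv(text):
    """'k=v; k2=v2;' -> dict; tolerates a trailing ';' and surrounding spaces."""
    out = {}
    for part in text.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            out[key] = value
    return out


def parse_audit(text):
    """Turn audit.log lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ctx, body = parse_kv(m["ctx"]), parse_kv(m["body"])
        _, _, url = m["thread"].partition(":")  # thread id, then the request URL
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f"),
            "url": url,
            "actor": ctx.get("name"),      # authenticated principal performing the command
            "actor_ip": ctx.get("ip"),     # client ip, present only on some Auth entries
            "cmd": body.get("cmd"),
            "fields": body,
        })
    return events


def url_path(url):
    """Path part of the request URL; tolerates the doubled 'https:https://' seen in the log."""
    after_host = url.split("//", 1)[-1]
    return "/" + after_host.split("/", 1)[1] if "/" in after_host else "/"


def find_admin_promotions(events, window=timedelta(minutes=5)):
    """For each ModifyAccount that sets zimbraIsAdminAccount=TRUE, pair it with the
    CreateAccount of the same name shortly before, the actor's last Auth that carried
    a client ip, and the first Auth of the new account afterwards."""
    findings = []
    for i, ev in enumerate(events):
        if ev["cmd"] != "ModifyAccount" or ev["fields"].get("zimbraIsAdminAccount") != "TRUE":
            continue
        name = ev["fields"].get("name")
        earlier, later = list(reversed(events[:i])), events[i + 1:]
        created = next((e for e in earlier if e["cmd"] == "CreateAccount"
                        and e["fields"].get("name") == name and ev["ts"] - e["ts"] <= window), None)
        actor_auth = next((e for e in earlier if e["cmd"] == "Auth"
                           and e["fields"].get("account") == ev["actor"] and e["actor_ip"]), None)
        first_auth = next((e for e in later if e["cmd"] == "Auth"
                           and e["fields"].get("account") == name), None)
        findings.append({
            "account": name,
            "actor": ev["actor"],
            "actor_ip": actor_auth["actor_ip"] if actor_auth else None,
            "promoted_at": ev["ts"],
            "seconds_create_to_admin": (ev["ts"] - created["ts"]).total_seconds() if created else None,
            "first_auth_protocol": first_auth["fields"].get("protocol") if first_auth else None,
            "first_auth_url": first_auth["url"] if first_auth else None,
        })
    return findings


def auths_outside_service(events):
    """Auth events handled by a request path other than the SOAP endpoints under /service/
    (assumption: that is where legitimate logins arrive on this deployment)."""
    return [e for e in events if e["cmd"] == "Auth" and not url_path(e["url"]).startswith("/service/")]


if __name__ == "__main__":
    evs = parse_audit(SAMPLE_LOG)
    for f in find_admin_promotions(evs):
        print(f"{f['account']}: created and promoted by '{f['actor']}' (client ip {f['actor_ip']}), "
              f"admin {f['seconds_create_to_admin']:.3f}s after creation, first login via "
              f"{f['first_auth_protocol']} at {url_path(f['first_auth_url'])}")
    for e in auths_outside_service(evs):
        print("auth outside /service/:", e["ts"], e["fields"].get("account"), url_path(e["url"]))
```

Run against the quoted lines, the script reports that both accounts were created and made admin by the `zimbra` principal, which had authenticated from 10.0.10.1 seconds earlier, and that each new account's first login was an HTTP basic auth served by a .jsp under /downloads/ rather than by the normal SOAP endpoints. Those two facts (an admin principal creating and promoting accounts in under a second, and logins arriving through an unexpected path) are the signals worth alerting on across the whole audit.log, not just the excerpt.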

Re: New admin account created automatically

Posted: Mon Aug 19, 2019 5:59 am
by phoenix
thameera wrote: Hi All,

Today I saw that our mail server had unusual admin accounts created. I checked the audit log and found the entries below. I want to know under which user this account was created. Server details: Ubuntu 14.04 / ZCS 8.7.11.

Has anyone had this issue? Please help me investigate it.
It sounds like your system has been hacked; I'd suggest you read all the forum threads on this topic.

Re: New admin account created automatically

Posted: Mon Aug 19, 2019 6:17 am
by thameera
Hi,

I am trying to find the thread you mentioned. It would be great if you could give me a few links on this topic. It would help me prevent further issues.

Thanks

Re: New admin account created automatically

Posted: Mon Aug 19, 2019 9:57 am
by phoenix
Take a look in this (Administrators) forum: the first post in the Topics section is what you need, although I would have thought the word "exploited" in the title would have pointed you in the right direction.