I am sorry if this topic or post doesn't belong in this space. I have been up late looking for an RCA on this.
We have a Zimbra server that was sending quite a lot of data out. I jumped in and was looking for indicators of compromise. I don't really see it currently sending mail from what I can tell in the logs. However, I did notice something that seems weird to me.
When I ran a netstat -lnpa I saw miles and miles and miles of this:
unix 2 [ ] DGRAM 878377447 1165/java
unix 2 [ ] DGRAM 773862304 1165/java
unix 2 [ ] DGRAM 690302532 1165/java
unix 2 [ ] DGRAM 223108186 1165/java
unix 2 [ ] DGRAM 10318852 1165/java
unix 2 [ ] DGRAM 4196896942 1165/java
unix 2 [ ] DGRAM 3847577732 1165/java
unix 2 [ ] DGRAM 3754238011 1165/java
unix 2 [ ] DGRAM 3729499062 1165/java
unix 2 [ ] DGRAM 3686466054 1165/java
unix 2 [ ] DGRAM 3488420039 1165/java
unix 2 [ ] DGRAM 3357838223 1165/java
unix 2 [ ] DGRAM 3207591570 1165/java
unix 2 [ ] DGRAM 3128277321 1165/java
unix 2 [ ] DGRAM 3088626078 1165/java
unix 2 [ ] DGRAM 2958537971 1165/java
unix 2 [ ] DGRAM 2653604223 1165/java
unix 2 [ ] DGRAM 2591912878 1165/java
unix 2 [ ] DGRAM 2344638274 1165/java
unix 2 [ ] DGRAM 2328447790 1165/java
unix 2 [ ] DGRAM 2218612906 1165/java
[root@mail public]# ps aux|grep -i 1165
zimbra 1165 3.1 8.2 3717464 319584 ? Sl Sep22 1933:59 /opt/zimbra/common/lib/jvm/java/bin/java -XX:ErrorFile=/opt/zimbra/log -client -Xmx256m -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djava.net.preferIPv4Stack=true -Dzimbra.home=/opt/zimbra -Djava.library.path=/opt/zimbra/lib -Djava.ext.dirs=/opt/zimbra/common/lib/jvm/java/jre/lib/ext:/opt/zimbra/lib/jars:/opt/zimbra/lib/ext-common:/opt/zimbra/lib/ext/clamscanner:/opt/zimbra/lib/ext/zimbra-license:/opt/zimbra/lib/ext/twofactorauth:/opt/zimbra/lib/ext/com_zimbra_ssdb_ephemeral_store -Djava.io.tmpdir=/opt/zimbra/data/tmp -Dpython.cachedir.skip=true org.python.util.jython /opt/zimbra/libexec/zmconfigd
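An added triage helper (my own example, not code from the original post or from Zimbra) that parses saved netstat -lnpa output and counts unix-domain sockets per owning PID/program, type and state, so a pile of DGRAM entries like the one above becomes one number per process. The sample output embedded below is constructed, not the poster's real listing.

```python
"""Summarise the unix-domain socket section of `netstat -lnpa` per process.
Added example (not from the original post): pages of
"unix 2 [ ] DGRAM <inode> <pid>/<prog>" become one count per owner."""
import re
from collections import Counter

# Linux netstat unix-socket columns: Proto RefCnt Flags Type State I-Node
# PID/Program name Path; State (LISTENING, CONNECTED, ...) and Path may be absent.
UNIX_LINE = re.compile(
    r"^unix\s+(\d+)\s+\[\s*([A-Z ]*?)\s*\]\s+(\S+)\s+"
    r"(?:([A-Z]+)\s+)?(\d+)\s+(\S+)(?:\s+(\S.*))?$"
)

def parse_unix_sockets(netstat_output):
    """Yield one dict per unix-socket line; header and other lines are skipped."""
    for line in netstat_output.splitlines():
        m = UNIX_LINE.match(line.strip())
        if m is None:
            continue
        refcnt, flags, stype, state, inode, owner, path = m.groups()
        yield {"refcnt": int(refcnt), "flags": flags, "type": stype,
               "state": state or "", "inode": int(inode),
               "owner": owner, "path": path or ""}

def count_by_owner(netstat_output):
    """Return {owner: Counter({(type, state): n})}, owner being 'PID/prog'."""
    summary = {}
    for sock in parse_unix_sockets(netstat_output):
        key = (sock["type"], sock["state"])
        summary.setdefault(sock["owner"], Counter())[key] += 1
    return summary

def unnamed_dgram_owners(netstat_output, threshold=100):
    """[(owner, n), ...] for owners holding >= threshold DGRAM sockets that
    have no path (unbound sockets), most first: sizes the pile before you
    look at /proc/<pid>/fd for that process."""
    counts = Counter(s["owner"] for s in parse_unix_sockets(netstat_output)
                     if s["type"] == "DGRAM" and not s["path"])
    return [(o, n) for o, n in counts.most_common() if n >= threshold]

# Constructed sample in netstat's own layout (not the poster's real output).
SAMPLE = """\
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     20411    1/systemd           /run/systemd/private
unix  2      [ ]         DGRAM      878377447     1165/java
unix  2      [ ]         DGRAM      773862304     1165/java
unix  2      [ ]         DGRAM      690302532     1165/java
unix  2      [ ]         DGRAM      11223         900/rsyslogd        /dev/log
"""
```

Feed it the real listing with `count_by_owner(open("netstat.txt").read())` and compare the per-owner totals over time; a count that only grows under one PID is worth a closer look at that process's open descriptors.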