Potential Compromise on Zimbra server

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
krash
Posts: 1
Joined: Fri Nov 03, 2017 11:17 pm


Post by krash »

Good evening everyone.
I am sorry if this topic or post doesn't belong in this space. I have been up late looking for an RCA on this.


We have a Zimbra server that was sending quite a lot of data out. I jumped in and was looking for indicators of compromise. I don't really see it currently sending mail, from what I can tell in the logs. However, I did notice something that seems weird to me.

When I ran a netstat -lnpa I saw miles and miles and miles of this:

unix  2      [ ]         DGRAM                    878377447 1165/java
unix  2      [ ]         DGRAM                    773862304 1165/java            
unix  2      [ ]         DGRAM                    690302532 1165/java            
unix  2      [ ]         DGRAM                    223108186 1165/java            
unix  2      [ ]         DGRAM                    10318852 1165/java            
unix  2      [ ]         DGRAM                    4196896942 1165/java            
unix  2      [ ]         DGRAM                    3847577732 1165/java            
unix  2      [ ]         DGRAM                    3754238011 1165/java            
unix  2      [ ]         DGRAM                    3729499062 1165/java            
unix  2      [ ]         DGRAM                    3686466054 1165/java            
unix  2      [ ]         DGRAM                    3488420039 1165/java            
unix  2      [ ]         DGRAM                    3357838223 1165/java            
unix  2      [ ]         DGRAM                    3207591570 1165/java            
unix  2      [ ]         DGRAM                    3128277321 1165/java            
unix  2      [ ]         DGRAM                    3088626078 1165/java            
unix  2      [ ]         DGRAM                    2958537971 1165/java            
unix  2      [ ]         DGRAM                    2653604223 1165/java            
unix  2      [ ]         DGRAM                    2591912878 1165/java            
unix  2      [ ]         DGRAM                    2344638274 1165/java            
unix  2      [ ]         DGRAM                    2328447790 1165/java            
unix  2      [ ]         DGRAM                    2218612906 1165/java

Looking at the process showed me this:

[root@mail public]# ps aux|grep -i 1165
zimbra    1165  3.1  8.2 3717464 319584 ?      Sl   Sep22 1933:59 /opt/zimbra/common/lib/jvm/java/bin/java -XX:ErrorFile=/opt/zimbra/log -client -Xmx256m -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djava.net.preferIPv4Stack=true -Dzimbra.home=/opt/zimbra -Djava.library.path=/opt/zimbra/lib -Djava.ext.dirs=/opt/zimbra/common/lib/jvm/java/jre/lib/ext:/opt/zimbra/lib/jars:/opt/zimbra/lib/ext-common:/opt/zimbra/lib/ext/clamscanner:/opt/zimbra/lib/ext/zimbra-license:/opt/zimbra/lib/ext/twofactorauth:/opt/zimbra/lib/ext/com_zimbra_ssdb_ephemeral_store -Djava.io.tmpdir=/opt/zimbra/data/tmp -Dpython.cachedir.skip=true org.python.util.jython /opt/zimbra/libexec/zmconfigd

I have scp'd all logs off and have stopped the Zimbra service. Was this process just OOMing? What is the reason for all these DGRAM items in netstat? I can easily provide more logs if needed. I am sorry if this is vague; I am trying to gather what information I can and have some understanding of what happened and why so much data was sent out.
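As an added triage aid (not part of the post above, and not Zimbra's own tooling), the script below parses the Unix-socket rows of a `netstat -lnpa` listing like the one the poster captured, counts sockets per process, and flags any process holding hundreds of unconnected, unnamed DGRAM sockets. The sample rows are constructed to match the poster's layout; apart from 1165/java, the PIDs, program names and inodes are invented.

```python
import re
from collections import Counter

# Regex for one `netstat -lnpa` AF_UNIX socket row:
#   Proto RefCnt Flags Type [State] I-Node PID/Program [Path]
# State is blank for most datagram sockets, which is why that column is optional,
# and the owner shows as "-" when netstat could not resolve it.
UNIX_LINE_RE = re.compile(
    r"^unix\s+(?P<refcnt>\d+)\s+\[(?P<flags>[^\]]*)\]\s+(?P<type>\S+)\s+"
    r"(?:(?P<state>LISTENING|CONNECTED|CONNECTING|DISCONNECTING|FREE)\s+)?"
    r"(?P<inode>\d+)\s+(?P<pid>\d+|-)(?:/(?P<prog>\S+))?(?:\s+(?P<path>\S+))?\s*$"
)


def parse_unix_sockets(text):
    """Return one dict per AF_UNIX socket row; headers and non-unix rows are skipped."""
    sockets = []
    for line in text.splitlines():
        m = UNIX_LINE_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["flags"] = row["flags"].strip()
        row["inode"] = int(row["inode"])
        sockets.append(row)
    return sockets


def summarize(sockets):
    """Count sockets per (pid, program, type, state); '-' where netstat left state blank."""
    return Counter((s["pid"], s["prog"], s["type"], s["state"] or "-") for s in sockets)


def unconnected_dgram_by_pid(sockets):
    """Per (pid, program): DGRAM sockets with no state and no bound path.

    These are AF_UNIX endpoints, so they are host-local IPC and cannot carry data
    off the machine; a very large count from one PID points at a descriptor leak,
    not at exfiltration."""
    counts = Counter()
    for s in sockets:
        if s["type"] == "DGRAM" and s["state"] is None and s["path"] is None:
            counts[(s["pid"], s["prog"])] += 1
    return counts


def flag_fd_hogs(sockets, threshold=100):
    """Processes holding at least `threshold` unconnected unnamed DGRAM sockets, largest first."""
    hogs = [(pid, prog, n) for (pid, prog), n in unconnected_dgram_by_pid(sockets).items()
            if n >= threshold]
    return sorted(hogs, key=lambda t: -t[2])


# Constructed sample in the poster's netstat layout (not the real capture): 250
# leaked-looking datagram sockets owned by PID 1165 (zmconfigd's JVM) plus a few
# ordinary rows, including one whose owner netstat could not resolve.
HEADER = (
    "Active UNIX domain sockets (servers and established)\n"
    "Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path\n"
)
JAVA_ROWS = "".join(
    f"unix  2      [ ]         DGRAM                    {878377447 - i * 101} 1165/java\n"
    for i in range(250)
)
OTHER_ROWS = (
    "unix  2      [ ACC ]     STREAM     LISTENING     12345    1000/zmmailboxdmgr   /opt/zimbra/data/tmp/socket\n"
    "unix  3      [ ]         STREAM     CONNECTED     22222    2000/postfix\n"
    "unix  2      [ ]         DGRAM                    33333    4321/rsyslogd        /dev/log\n"
    "unix  2      [ ]         DGRAM                    44444    -\n"
)
SAMPLE = HEADER + JAVA_ROWS + OTHER_ROWS

if __name__ == "__main__":
    socks = parse_unix_sockets(SAMPLE)
    print(f"{len(socks)} AF_UNIX sockets parsed")
    for (pid, prog, typ, state), n in summarize(socks).most_common(5):
        print(f"{n:6d}  pid={pid} prog={prog} type={typ} state={state}")
    for pid, prog, n in flag_fd_hogs(socks):
        print(f"SUSPECT FD LEAK: pid {pid} ({prog}) holds {n} unconnected DGRAM sockets; "
              f"compare `ls /proc/{pid}/fd | wc -l` with 'Max open files' in /proc/{pid}/limits")
```

Run it against a saved `netstat -lnpa` file by reading that file into `parse_unix_sockets` instead of `SAMPLE`. The point for the incident at hand: AF_UNIX sockets never leave the host, so rows like these are not the channel the outbound data took; outbound connections live in the TCP section of the same listing (or `ss -tnp`) and mail volume in the Postfix logs. A single PID holding thousands of unnamed datagram sockets is the signature of a file-descriptor leak, which you can confirm while the process is still running with `ls /proc/<pid>/fd | wc -l` against `grep 'Max open files' /proc/<pid>/limits`, and cross-check with `ss -xp`, which lists the same Unix sockets with their owning processes.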