Mail server sending spam from zimbra@mydomain.com

mateusscheper
Posts: 17
Joined: Tue May 29, 2018 12:49 pm

Mail server sending spam from zimbra@mydomain.com

Postby mateusscheper » Wed May 15, 2019 1:16 pm

I saw a lot of emails being sent from zimbra@mydomain.com to neplaceviata007@outlook.com.
I don't have a mailbox called zimbra@mydomain.com. How is this possible?

Code:

mail postfix/smtpd[5947]: NOQUEUE: filter: RCPT from localhost.localdomain[127.0.0.1]: <zimbra@mydomain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<zimbra@mydomain.com> to=<neplaceviata007@outlook.com> proto=ESMTP helo=<mydomain.com>



I also saw three processes from the zimbra user whose commands were just "-bash". How do I debug this?

EDIT: I just saw a crontab running on user zimbra:

Code:

* * * * * /tmp/.scr/sn2/./-bash


Klug
Elite member
Posts: 2312
Joined: Mon Dec 16, 2013 11:35 am

Re: Mail server sending spam from zimbra@mydomain.com

Postby Klug » Wed May 15, 2019 1:35 pm

Which version of ZCS are you running?

viewtopic.php?f=15&t=65932
mateusscheper
Posts: 17
Joined: Tue May 29, 2018 12:49 pm

Re: Mail server sending spam from zimbra@mydomain.com

Postby mateusscheper » Wed May 15, 2019 1:38 pm

Klug wrote: Which version of ZCS are you running?

viewtopic.php?f=15&t=65932

8.7.11_GA_1854.FOSS.
Klug
Elite member
Posts: 2312
Joined: Mon Dec 16, 2013 11:35 am

Re: Mail server sending spam from zimbra@mydomain.com

Postby Klug » Wed May 15, 2019 1:42 pm

mateusscheper wrote: 8.7.11_GA_1854.FOSS.

You should be running 8.7.11_GA_3800 (that's Patch P11).

Your server might be compromised, you should check the thread above.
mateusscheper
Posts: 17
Joined: Tue May 29, 2018 12:49 pm

Re: Mail server sending spam from zimbra@mydomain.com

Postby mateusscheper » Wed May 15, 2019 3:26 pm

Okay, I updated to 8.7.11_GA_3800.NETWORKING.

One question: I'm seeing a process that just says "[cpuset]" and it's consuming 100% of one of my cores. It's been running for 71 min+ and I just restarted Zimbra in order to update. Could this be related?
phoenix
Ambassador
Posts: 25980
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Mail server sending spam from zimbra@mydomain.com

Postby phoenix » Wed May 15, 2019 3:31 pm

It's already been mentioned that you may have a compromised (i.e. hacked) server, read the thread that's been posted in the link earlier to confirm if it has or not.
Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168
mateusscheper
Posts: 17
Joined: Tue May 29, 2018 12:49 pm

Re: Mail server sending spam from zimbra@mydomain.com

Postby mateusscheper » Wed May 15, 2019 6:43 pm

phoenix wrote: It's already been mentioned that you may have a compromised (i.e. hacked) server, read the thread that's been posted in the link earlier to confirm if it has or not.

Yes. I already cleaned it following this link.

My question now is about the cpuset thing.
ps aux | grep cpuset:

Code:

zimbra    9277  100  0.0 135988  3112 ?        R    11:10 264:59 [cpuset]

Is this part of Zimbra or should I worry?
L. Mark Stone
Elite member
Posts: 1927
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine
ZCS/ZD Version: 8.8.12 Network Edition

Re: Mail server sending spam from zimbra@mydomain.com

Postby L. Mark Stone » Wed May 15, 2019 9:51 pm

If you cleaned it but didn't patch it, you will just get reinfected.
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
mateusscheper
Posts: 17
Joined: Tue May 29, 2018 12:49 pm

Re: Mail server sending spam from zimbra@mydomain.com

Postby mateusscheper » Fri May 17, 2019 11:19 am

I did clean and I did patch.
I just wondered if this 100% CPU would be related to this particular issue.
In any case, I killed it and restarted Zimbra yesterday. Everything seems normal so far.

Thank you for your help.
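
The two signs reported in this thread, a "[cpuset]" process owned by zimbra that has user-space memory and a cron job running from a hidden directory under /tmp, can be checked for with the shell functions below. This is an added example, not code from any poster or from Zimbra; the function names and every sample line other than the two quoted from the posts are constructed, and the checks are heuristics.

```shell
#!/bin/sh
# Added example, not from the thread. Heuristics only; sample data is constructed.

# stdin: `ps aux` output. Prints processes whose COMMAND is bracketed like a
# kernel thread but which have user-space memory (VSZ > 0) or are not root.
# Genuine kernel threads run as root and show VSZ 0.
fake_kthreads() {
    awk 'substr($11, 1, 1) == "[" && substr($11, length($11)) == "]" &&
         ($5 + 0 > 0 || $1 != "root")'
}

# stdin: crontab lines. Prints jobs whose command lives in a world-writable
# temp directory, passes through a hidden directory, or has a file name
# starting with "-".
suspicious_cron() {
    awk '$1 !~ /^#/ && NF >= 2 {
        cmd = ($1 ~ /^@/) ? $2 : $6
        if (cmd ~ "^(/tmp|/var/tmp|/dev/shm)/" || cmd ~ "/[.][^./]" ||
            cmd ~ "/-[^/]*$") print
    }'
}

sample_ps() {   # constructed, except PID 9277 which is the line from the thread
cat <<'EOF'
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root        35  0.0  0.0      0     0 ?        S    May14   0:00 [cpuset]
zimbra    9277  100  0.0 135988  3112 ?        R    11:10 264:59 [cpuset]
zimbra    4021  0.3  1.2 912344 98210 ?        Sl   11:05   0:12 /usr/bin/perl example-daemon
EOF
}

sample_cron() { # constructed, except the /tmp/.scr entry quoted in the thread
cat <<'EOF'
# crontab for zimbra
MAILTO=admin@example.com
*/2 * * * * /opt/zimbra/libexec/example-job > /dev/null 2>&1
* * * * * /tmp/.scr/sn2/./-bash
@reboot /var/tmp/example-updater
EOF
}

echo "Processes posing as kernel threads:"; sample_ps | fake_kthreads
echo "Suspicious cron jobs:";               sample_cron | suspicious_cron
# On a live host: ps aux | fake_kthreads ; crontab -l -u zimbra | suspicious_cron
```

A match is a lead to investigate (for example by inspecting /proc/<pid>/exe for the flagged PID), not proof of compromise.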
