Mail server sending spam from zimbra@mydomain.com

Posted: Wed May 15, 2019 1:16 pm
by mateusscheper
I saw a lot of emails being sent from zimbra@mydomain.com to neplaceviata007@outlook.com.
I don't have a mailbox called zimbra@mydomain.com. How is this possible?

Code:

mail postfix/smtpd[5947]: NOQUEUE: filter: RCPT from localhost.localdomain[127.0.0.1]: <zimbra@mydomain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<zimbra@mydomain.com> to=<neplaceviata007@outlook.com> proto=ESMTP helo=<mydomain.com>

I also saw three processes from the zimbra user whose commands were just "-bash". How do I debug this?

EDIT: I just saw a crontab running on user zimbra:

Code:

* * * * * /tmp/.scr/sn2/./-bash

Re: Mail server sending spam from zimbra@mydomain.com

Posted: Wed May 15, 2019 1:35 pm
by Klug
Which version of ZCS are you running?

viewtopic.php?f=15&t=65932

Re: Mail server sending spam from zimbra@mydomain.com

Posted: Wed May 15, 2019 1:38 pm
by mateusscheper
Klug wrote: Which version of ZCS are you running?

viewtopic.php?f=15&t=65932
8.7.11_GA_1854.FOSS.

Re: Mail server sending spam from zimbra@mydomain.com

Posted: Wed May 15, 2019 1:42 pm
by Klug
mateusscheper wrote: 8.7.11_GA_1854.FOSS.
You should be running 8.7.11_GA_3800 (that's Patch P11).

Your server might be compromised, you should check the thread above.

Re: Mail server sending spam from zimbra@mydomain.com

Posted: Wed May 15, 2019 3:26 pm
by mateusscheper
Okay, I updated to 8.7.11_GA_3800.NETWORKING.

One question: I'm seeing a process that just says "[cpuset]" and it's consuming 100% of one of my cores. It's running for 71 min+ and I just restarted zimbra in order to update. Could this be related?

Re: Mail server sending spam from zimbra@mydomain.com

Posted: Wed May 15, 2019 3:31 pm
by phoenix
It's already been mentioned that you may have a compromised (i.e. hacked) server, read the thread that's been posted in the link earlier to confirm if it has or not.

Re: Mail server sending spam from zimbra@mydomain.com

Posted: Wed May 15, 2019 6:43 pm
by mateusscheper
phoenix wrote: It's already been mentioned that you may have a compromised (i.e. hacked) server, read the thread that's been posted in the link earlier to confirm if it has or not.
Yes. I already cleaned it following this link.

My question now is about the cpuset thing.
ps aux | grep cpuset:

Code:

zimbra    9277  100  0.0 135988  3112 ?        R    11:10 264:59 [cpuset]

Is this part of Zimbra or should I worry?
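The two indicators in this thread (the zimbra user's crontab pointing at a hidden directory under /tmp, and a process named like the kernel thread "[cpuset]" but owned by zimbra with a real memory footprint) can both be checked mechanically. The following is an added example, not code from the original posts or from Zimbra; the crontab and ps lines it parses are constructed samples modelled on the ones quoted above, and the /opt/zimbra paths are assumed to be the normal location of legitimate jobs.

```python
import re

# Constructed sample input modelled on the lines quoted in this thread;
# not captured data from any real server.
SAMPLE_CRONTAB = """\
* * * * * /tmp/.scr/sn2/./-bash
0 2 * * * /opt/zimbra/libexec/zmstatuslog
"""

SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root        12  0.0  0.0      0     0 ?        S    11:09   0:00 [cpuset]
zimbra    9277  100  0.0 135988  3112 ?        R    11:10 264:59 [cpuset]
zimbra    4412  0.0  0.1 152300  9800 ?        Ss   11:10   0:03 /opt/zimbra/common/sbin/amavisd
"""

# Cron jobs launched from world-writable or hidden paths are a red flag;
# legitimate Zimbra jobs live under /opt/zimbra (assumed).
SUSPICIOUS_PATH = re.compile(r"^(/tmp/|/var/tmp/|/dev/shm/)|/\.")


def suspicious_cron_entries(crontab_text):
    """Return the command part of every cron line whose command path looks suspicious."""
    hits = []
    for line in crontab_text.splitlines():
        if line.startswith("#"):
            continue
        fields = line.split(None, 5)  # five schedule fields, then the command
        if len(fields) < 6:
            continue
        command = fields[5]
        if SUSPICIOUS_PATH.search(command):
            hits.append(command)
    return hits


def fake_kernel_threads(ps_text):
    """Return (pid, user, command) for bracketed names that cannot be real kernel threads.

    A genuine kernel thread runs as root and reports VSZ == RSS == 0; a bracketed
    name on a service-account process with a memory footprint is a disguise.
    """
    hits = []
    for line in ps_text.splitlines()[1:]:  # skip the ps header line
        fields = line.split(None, 10)  # ten fixed columns, then COMMAND with spaces
        if len(fields) < 11:
            continue
        user, pid, vsz, rss, command = fields[0], int(fields[1]), int(fields[4]), int(fields[5]), fields[10]
        if command.startswith("[") and (user != "root" or vsz or rss):
            hits.append((pid, user, command))
    return hits
```

On a live host the same functions can be fed `crontab -u zimbra -l` and `ps aux` output; the zimbra entry in the sample is flagged while root's genuine [cpuset] thread is not.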

Re: Mail server sending spam from zimbra@mydomain.com

Posted: Wed May 15, 2019 9:51 pm
by L. Mark Stone
If you cleaned it but didn't patch it, you will just get reinfected.

Re: Mail server sending spam from zimbra@mydomain.com

Posted: Fri May 17, 2019 11:19 am
by mateusscheper
I did clean and I did patch.
I just wondered if this 100% cpu would be related to this particular issue.
In any case, I killed it and restarted Zimbra yesterday. Everything seems normal so far.

Thank you for your help.