error uploading file

quantylix
Posts: 5
Joined: Tue May 28, 2019 6:22 pm

error uploading file

Post by quantylix »

Hi, we have been running into a strange problem since yesterday. Our Zimbra server version is 8.8.12.
In fact, users using Zimbra Desktop and webmail cannot send any email if it has an attachment on it. Very small attachments (not more than 20 bytes) go through fine. IMAP users can send without any problem. Our limit is set to 42 MB.
We have checked the logs, but nothing appears to be coming from the affected client to the server. The server firewall has been disabled; still the same issue. We changed the affected users to a different internet connection; that still did not solve the issue.
Any hint or suggestion is welcome.
Thank you in advance for your support.
MaySky
Posts: 25
Joined: Sat Apr 02, 2016 6:57 am

Re: error uploading file

Post by MaySky »

quantylix wrote:Hi, we have been running into a strange problem since yesterday. Our Zimbra server version is 8.8.12.
In fact, users using Zimbra Desktop and webmail cannot send any email if it has an attachment on it. Very small attachments (not more than 20 bytes) go through fine. IMAP users can send without any problem. Our limit is set to 42 MB.
We have checked the logs, but nothing appears to be coming from the affected client to the server. The server firewall has been disabled; still the same issue. We changed the affected users to a different internet connection; that still did not solve the issue.
Any hint or suggestion is welcome.
Thank you in advance for your support.
It looks like your server was compromised.
The details are here viewtopic.php?f=15&t=65932
quantylix
Posts: 5
Joined: Tue May 28, 2019 6:22 pm

Re: error uploading file

Post by quantylix »

Hi MaySky,
No, our server was not compromised. We patched it on time and we checked our log; there was never any attempt to connect to 185[.]106.120.118. Also, we have never seen zmcat or l.sh or s.sh on our server.
The problem is somewhere else.
MaySky
Posts: 25
Joined: Sat Apr 02, 2016 6:57 am

Re: error uploading file

Post by MaySky »

quantylix wrote:Hi MaySky,
No, our server was not compromised. We patched it on time and we checked our log; there was never any attempt to connect to 185[.]106.120.118. Also, we have never seen zmcat or l.sh or s.sh on our server.
The problem is somewhere else.
Did you check top for strange activity? IPs and file names could be different.
quantylix
Posts: 5
Joined: Tue May 28, 2019 6:22 pm

Re: error uploading file

Post by quantylix »

There is a process called zmswatch eating 100% of the CPU, and what I find strange is that it is located in the log folder. A binary in the log folder?
Investigating ....
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: error uploading file

Post by phoenix »

quantylix wrote:There is a process called zmswatch eating 100% of the CPU, and what I find strange is that it is located in the log folder. A binary in the log folder?
Investigating ....
Your server has been hacked/compromised and you need to patch it to the most recent release and clean the server; you can find details in the forum threads on this topic.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
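
The symptom reported above, a native binary sitting in and running from a log directory, can be checked for directly. This is an added example, not part of the original posts or of Zimbra's tooling; the function names are hypothetical and the log directory is passed as an argument rather than assumed.

```shell
#!/bin/sh
# Added example (not from the thread): look for native binaries in a directory
# that should contain only log files, and for processes executing from it.

# Print each regular file under $1 that starts with the ELF magic bytes 7f 45 4c 46.
find_elf_files() {
    find "$1" -xdev -type f 2>/dev/null | while IFS= read -r f; do
        magic=$(head -c 4 "$f" 2>/dev/null | od -An -tx1 | tr -d ' \n')
        if [ "$magic" = "7f454c46" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Print "PID PATH" for each process whose executable lives under $1 (Linux /proc).
# Run as root to see every process. A binary deleted after launch still shows
# up here, as "PATH (deleted)".
find_procs_running_from() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 0
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case $exe in
            "$dir"/*) printf '%s %s\n' "${p#/proc/}" "$exe" ;;
        esac
    done
    return 0
}

# Usage: sh check_logdir.sh <log-directory>   (script name is an assumption)
if [ "$#" -ge 1 ]; then
    echo "ELF files under $1:"
    find_elf_files "$1"
    echo "Processes running from $1:"
    find_procs_running_from "$1"
fi
```

Matching on file content rather than on a name such as zmswatch keeps the check useful when, as noted earlier in the thread, file names differ between incidents.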
quantylix
Posts: 5
Joined: Tue May 28, 2019 6:22 pm

Re: error uploading file

Post by quantylix »

But we are on version 8.8.12. This CVE has been fixed in this release. So maybe we have been compromised before the update.
Is it safe to remove zmswatch? It is not part of Zimbra?
Thanks
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: error uploading file

Post by phoenix »

quantylix wrote:But we are on version 8.8.12. This CVE has been fixed in this release. So maybe we have been compromised before the update.
That would be the most likely explanation unless you're not on the latest patch.

This is why it's always important to post the exact version of ZCS when you ask questions here. You should always post the full output of the following command:

zmcontrol -v
quantylix wrote:Is it safe to remove zmswatch?
Yes.
quantylix wrote:It is not part of Zimbra?
No, it's not, and you will most likely need to clean out some *.jsp files; as I mentioned, take a look at the threads that cover these details.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
MaySky
Posts: 25
Joined: Sat Apr 02, 2016 6:57 am

Re: error uploading file

Post by MaySky »

quantylix wrote:But we are on version 8.8.12. This CVE has been fixed in this release. So maybe we have been compromised before the update.
Is it safe to remove zmswatch? It is not part of Zimbra?
Thanks
Zimbra 8.8.12 without any patches has CVE-2019-11318. This CVE was fixed only in 8.8.12 Patch 1 (https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.12/P1). You should additionally install the latest Patch 2 (it's cumulative) from https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.12/P2.
If you have 8.8.12 without patches you're at risk, so "No our server was not compromised" is not correct)))) Also, it could be that you were attacked before the update to 8.8.12.
Please follow the link from my second message to see all the details and to take additional steps, as patching itself won't resolve the problem fully now.
Last edited by MaySky on Tue May 28, 2019 7:55 pm, edited 3 times in total.
quantylix
Posts: 5
Joined: Tue May 28, 2019 6:22 pm

Re: error uploading file

Post by quantylix »

Thank you all for your replies.
We are patching the server and starting the cleaning process.