error uploading file
Hi, we have been running into a strange problem since yesterday. Our Zimbra server version is 8.8.12.
In fact, users using Zimbra Desktop and webmail cannot send any email if it has an attachment on it. A very small attachment (not more than 20 bytes) goes well. IMAP users can send without any problem. Our limit is set to 42 mb.
We have checked the logs but nothing appears to be coming from the affected clients to the server. The server firewall has been disabled, still the same issue. We changed the affected users to a different internet connection; it still did not solve the issue.
Any hint or suggestion is welcome.
Thank you in advance for your support.
Re: error uploading file
quantylix wrote:
> Hi, we have been running into a strange problem since yesterday. Our Zimbra server version is 8.8.12.
> In fact, users using Zimbra Desktop and webmail cannot send any email if it has an attachment on it. A very small attachment (not more than 20 bytes) goes well. IMAP users can send without any problem. Our limit is set to 42 mb.
> We have checked the logs but nothing appears to be coming from the affected clients to the server. The server firewall has been disabled, still the same issue. We changed the affected users to a different internet connection; it still did not solve the issue.
> Any hint or suggestion is welcome.
> Thank you in advance for your support.

It looks like your server was compromised.
The details are here: viewtopic.php?f=15&t=65932
Re: error uploading file
Hi MaySky
No, our server was not compromised. We patched it on time and we checked our log; there was never any attempt to connect to 185[.]106.120.118. Also, we have never seen zmcat or l.sh or s.sh on our server.
The problem is somewhere else.
Re: error uploading file
quantylix wrote:
> Hi MaySky
> No, our server was not compromised. We patched it on time and we checked our log; there was never any attempt to connect to 185[.]106.120.118. Also, we have never seen zmcat or l.sh or s.sh on our server.
> The problem is somewhere else.

Did you check top for strange activity? IPs and file names could be different.
Re: error uploading file
There is a process called zmswatch eating 100% of CPU, and what I find strange is that it is located in the log folder. A binary in the log folder?
Investigating ....
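The check described in the post above (a running binary that lives in a log folder) can be scripted. This is an added example, not part of the original thread or of Zimbra's tooling; the function names are hypothetical and the directory to inspect is an assumption supplied by the caller.

```shell
#!/bin/sh
# Added example: look for executable content in a directory that should hold only logs.
# The directory is an assumption supplied by the caller; nothing here is Zimbra-specific.

# Print files under $1 that are ELF binaries, shebang scripts, or carry an exec bit.
suspicious_files_in() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        # First four bytes as hex: 7f454c46 is the ELF magic, 2321 is "#!".
        magic=$(od -An -tx1 -N4 "$f" 2>/dev/null | tr -d ' \n')
        case "$magic" in
            7f454c46) echo "ELF $f" ;;
            2321*)    echo "SCRIPT $f" ;;
            *)        if [ -x "$f" ]; then echo "EXECBIT $f"; fi ;;
        esac
    done
}

# Print "PID <pid> <exe>" for every process whose executable lives under $1.
# Reads /proc/<pid>/exe (Linux); run as root to see other users' processes.
procs_running_from() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            "$dir"/*) echo "PID ${p#/proc/} $exe" ;;
        esac
    done
}

# Stand-alone use: sh check_logdir.sh /path/to/log/dir
if [ "$#" -ge 1 ]; then
    suspicious_files_in "$1"
    procs_running_from "$1"
fi
```

Any hit is a lead to preserve and investigate (copy the file and note the PID, parent process and owner before removing anything), since, as noted in the thread, file names and IPs can differ between incidents.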
Re: error uploading file
quantylix wrote:
> There is a process called zmswatch eating 100% of CPU, and what I find strange is that it is located in the log folder. A binary in the log folder?
> Investigating ....

Your server has been hacked/compromised and you need to patch it to the most recent release and clean the server; you can find details in the forum threads on this topic.
Re: error uploading file
But we are on version 8.8.12. This CVE has been fixed in this release. So maybe we were compromised before the update.
Is it safe to remove zmswatch? It is not part of Zimbra?
Thanks
Re: error uploading file
quantylix wrote:
> But we are on version 8.8.12. This CVE has been fixed in this release. So maybe we were compromised before the update.

That would be the most likely explanation unless you're not on the latest patch.
This is why it's always important to post the exact version of ZCS when you ask questions here. You should always post the full output of the following command:

Code:
zmcontrol -v

quantylix wrote:
> Is it safe to remove zmswatch?

Yes.

quantylix wrote:
> It is not part of Zimbra?

No, it's not, and you will most likely need to clean out some *.jsp files; as I mentioned, take a look at the threads that cover these details.
Re: error uploading file
quantylix wrote:
> But we are on version 8.8.12. This CVE has been fixed in this release. So maybe we were compromised before the update.
> Is it safe to remove zmswatch? It is not part of Zimbra?
> Thanks

Zimbra 8.8.12 without any patches has CVE-2019-11318. This CVE was fixed only in 8.8.12 Patch 1 (https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.12/P1). You should additionally install the latest Patch 2 (it's cumulative) from https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.12/P2.
If you have 8.8.12 without patches you're at risk, so "No our server was not compromised" is not correct)))) Also, it could be that you were attacked before the update to 8.8.12.
Please follow the link from my second message to see all the details and to take additional steps, as patching itself won't resolve the problem fully now.
Last edited by MaySky on Tue May 28, 2019 7:55 pm, edited 3 times in total.
Re: error uploading file
Thank you all for your replies.
We are patching the server and starting the cleaning process.