Zimbra 8.6.0 Opendkim stop running few minutes after restart

[morshed-amberit]

I am facing exactly same problem. opendkim and memcache service is not running. after reboot the unit it has worked for around 1 minutes and then get automatically down. my version is elease 8.8.12.GA.3794.UBUNTU14.64 UBUNTU14_64 FOSS edition, Patch 8.8.12_P1 proxy. I updated it from 8.7.11 to 8.8.12 by rolling up-gradation process. still facing same problem.


opendkim changed from running to stopped
memcached changed from running to stopped

zimbra@mail:/root$ zmopendkimctl start
/opt/zimbra/bin/zmopendkimctl: line 54: kill: (24444) - No such process
Killed
zimbra@mail:/root$ zmmemcachedctl start
Killed

no solution find yet.

[virento]

I have clients running the latest 8.8.12 release and they are experiencing the same issues with the memcached/opendkim services staying up. Upon further investigation of the /var/log/zimbra.log file, it appears that the zimbra crontab is being listed every few seconds and then being replaced like once a minute. I also noticed that those services seem to go down around the top of the hour which is why I think the two are connected. Obviously there is a rogue process updating the crontab so I used chattr +i in an attempt to stop it from being changed while a more permanently solution is applied. Not sure if this is helping or not but time will tell.

[phoenix]

I have clients running the latest 8.8.12 release and they are experiencing the same issues with the memcached/opendkim services staying up. Upon further investigation of the /var/log/zimbra.log file, it appears that the zimbra crontab is being listed every few seconds and then being replaced like once a minute. I also noticed that those services seem to go down around the top of the hour which is why I think the two are connected. Obviously there is a rogue process updating the crontab so I used chattr +i in an attempt to stop it from being changed while a more permanently solution is applied. Not sure if this is helping or not but time will tell.

Have you checked if your server has been hacked? There's a thread on the subject here: viewtopic.php?f=15&t=65932

[virento]

Yes, I know about the exploit and I know this is likely related.

I looked through the zimbra user's crontab and found another suspicious entry to execute at the top of the hour which doesn't appear to be legit as shown below:

*/60 * * * * /opt/zimbra/bin/zmgsaupdate

This was found in the middle of the crontab and not at the end like the others so you'll want to sweep your crontab closely. I used chattr -i just prior to commenting out the offending crontab line and then used chattr +i immediately after to prevent it from being updated again.

I've rebooted the server since then and so far so good as it's been 1 1/2hrs now without an issue.

[virento]

Just wanted to updated this thread and let everyone know that the changes I made were successful in keeping the services online. Apparently the process being kicked off in the crontab was running in the background and killing any process with the name 'memcache' in it (i couldnt even less the file without it being killed) which would explain the recent behavior.

To find the rogue process, kill all of the zimbra processes by executing 'zmcontrol stop' as the zimbra user then search for processes still running as the zimbra user using 'ps auxf' then kill them as needed.

Hope that helps and obviously the permanent solution is patching the system fully. I also had port 443 blocked while doing this cleanup to prevent remote reinfections as suggested in the other thread.

[hgmartino]

Update,
my server using Ubuntu 14.04. I try to update and upgrade the Ubuntu memchaced and stats running well but opendikm service stopped again after few minutes
Need help soon for this matter

[phoenix]

Update,
my server using Ubuntu 14.04. I try to update and upgrade the Ubuntu memchaced and stats running well but opendikm service stopped again after few minutes
Need help soon for this matter

Read the posts immediately above yours for an answer.

[morshed-amberit]

Hi,
According to the above post I find a new cronjob. remove the cronjob.
su zimbra
crontab -e
*/10 * * * * /opt/zimbra/bin/zmgsaupdate

Then, perfrom chattr to lock the script zmgsaupdate

su -zimbra
cd /opt/
echo >zmgsaupdate
chattr +i zmgsaupdate

reboot the unit. it is working for my case.

[hgmartino]

Yes, I know about the exploit and I know this is likely related.

I looked through the zimbra user's crontab and found another suspicious entry to execute at the top of the hour which doesn't appear to be legit as shown below:

*/60 * * * * /opt/zimbra/bin/zmgsaupdate

This was found in the middle of the crontab and not at the end like the others so you'll want to sweep your crontab closely. I used chattr -i just prior to commenting out the offending crontab line and then used chattr +i immediately after to prevent it from being updated again.

I've rebooted the server since then and so far so good as it's been 1 1/2hrs now without an issue.

Hi Virento. would you explain the details how to do it?i am newbie at linux at all

[djm4x]

Hello,

In my case I didn't have the entry

*/10 * * * * /opt/zimbra/bin/zmgsaupdate

in crontab and dind't find any process from zimbra with services down

search for processes still running as the zimbra user using 'ps auxf' then kill them as needed

But I've found in the foder of crontabs one supspicius file with the name tmp.Er5es that contain the contrab info but with some lines deleted.

I've blocked contrabs folder, rebuild the zimbra contrab, chattr +i the file and reboot zimbra services.

Let's see if it worked, 2 hours up!

Thanks for the help!