Search found 5 matches

by edtricklam
Thu Aug 01, 2019 1:32 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited (Hacked Server)
Replies: 248
Views: 631846

Re: CVE-2019-9670 being actively exploited

Updating.... I tried to delete and chattr +i the suspect file, but it still automatically creates other suspect files in /opt/zimbra/libexec. Example files: zmtrainsa, zmmysqlstatus, zmjavaext, zmldappasswd, zmloggerctl (latest one), and then in ps -eaf |grep zm you will see zimbra 782 781 0 06:49 ? 00:00:06 /us...
by edtricklam
Mon Jul 15, 2019 3:27 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited (Hacked Server)
Replies: 248
Views: 631846

Re: CVE-2019-9670 being actively exploited

I have been fighting with this problem for over a month. It will automatically regenerate files "zmcpustat, zmcpustarter, zmwatchdog...." in /opt/zimbra/log, "zmiostat ....." in /var/tmp, and "zmreplchk, zmreplchk_pid...." in /tmp. According to https://lorenzo.mile.si/zimbra-cve-2019-9670-being...
by edtricklam
Tue Nov 13, 2018 5:59 am
Forum: Administrators
Topic: Server is hacked??
Replies: 4
Views: 4245

Re: Server is hacked??

Still cannot find out what the problem is?? Today, it tried to log in until the admin account was locked out. 2018-11-13 07:46:09,023 WARN [qtp509886383-67832:https://192.168.0.2:7071/service/admin/soap/] [name=admin@nexusxxxx.com;ip=192.168.0.2;] security - cmd=Auth; account=admin@nexusxxxx.com; protocol=soap; e...
by edtricklam
Tue Nov 06, 2018 1:50 am
Forum: Administrators
Topic: Server is hacked??
Replies: 4
Views: 4245

Re: Server is hacked??

I tried cat /var/log/zimbra.log | grep sasl_username > list, but nothing is displayed. I found this zombie process. Is it a problem?? USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND zimbra 11131 0.0 0.0 0 0 ? Z Nov05 0:00 [sh] <defunct> root@mail:~# pstree -p -s 11131 init(1)auditswatch(26753)perl...
by edtricklam
Mon Nov 05, 2018 2:41 pm
Forum: Administrators
Topic: Server is hacked??
Replies: 4
Views: 4245

Server is hacked??

One of our user accounts was hacked and sent out spam last week. We already changed his password and cleaned up all the spam mail. We monitored for 3 days. But today we found something in the server audit log. It's quite strange that someone used localhost / our own internal IP to connect to the admin console. Although its auth failed, we wonder ...