Search found 5 matches
- Thu Aug 01, 2019 1:32 am
- Forum: Administrators
- Topic: CVE-2019-9670 being actively exploited (Hacked Server)
- Replies: 248
- Views: 631846
Re: CVE-2019-9670 being actively exploited
Updating.... I tried to delete and chattr +i the suspect file, but it still automatically creates other suspect files in /opt/zimbra/libexec. Example files: zmtrainsa, zmmysqlstatus, zmjavaext, zmldappasswd, zmloggerctl (latest one), and then in ps -eaf |grep zm, you will see zimbra 782 781 0 06:49 ? 00:00:06 /us...
- Mon Jul 15, 2019 3:27 am
- Forum: Administrators
- Topic: CVE-2019-9670 being actively exploited (Hacked Server)
- Replies: 248
- Views: 631846
Re: CVE-2019-9670 being actively exploited
I have been fighting with these problems for over a month. It automatically regenerates the files "zmcpustat, zmcpustarter, zmwatchdog...." in /opt/zimbra/log, "zmiostat ....." in /var/tmp, and "zmreplchk, zmreplchk_pid...." in /tmp. According to https://lorenzo.mile.si/zimbra-cve-2019-9670-being...
- Tue Nov 13, 2018 5:59 am
- Forum: Administrators
- Topic: Server is hacked??
- Replies: 4
- Views: 4245
Re: Server is hacked??
Still cannot find out what the problem is?? Today, it tried to log in until the admin account was locked out. 2018-11-13 07:46:09,023 WARN [qtp509886383-67832:https://192.168.0.2:7071/service/admin/soap/] [name=admin@nexusxxxx.com;ip=192.168.0.2;] security - cmd=Auth; account=admin@nexusxxxx.com; protocol=soap; e...
- Tue Nov 06, 2018 1:50 am
- Forum: Administrators
- Topic: Server is hacked??
- Replies: 4
- Views: 4245
Re: Server is hacked??
I tried cat /var/log/zimbra.log | grep sasl_username > list, but nothing was displayed. I found that zombie process. Is it a problem?? USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND zimbra 11131 0.0 0.0 0 0 ? Z Nov05 0:00 [sh] <defunct> root@mail:~# pstree -p -s 11131 init(1)auditswatch(26753)perl...
- Mon Nov 05, 2018 2:41 pm
- Forum: Administrators
- Topic: Server is hacked??
- Replies: 4
- Views: 4245
Server is hacked??
One of the user accounts was hacked and sent out spam last week. We already changed his password and cleaned up all the spam mail. We monitored for 3 days. But today we found this in the server audit log. It's quite strange that someone used localhost / own internal IP to connect to the admin console. Although its auth failed, we wonder ...