Server is hacked??

[edtricklam]

One of user account is hacked and spam out last week. We already changed his password and clean up all spam mail. We monitor 3 days.
But today we found in server audit log. its quit strange that someone to use localhost / own internal IP connect to admin console. Although its auth failed, we wonder whether our server have problems.
log details:-
2018-11-05 22:20:03,148 INFO [qtp509886383-511:https://127.0.0.1:7071/service/admin/soap/AuthRequest] [name=zimbra;ip=127.0.0.1;ua=zmpro v/8.6.0_GA_1153;] security - cmd=AdminAuth; account=zimbra;
2018-11-05 22:20:03,157 INFO [qtp509886383-511:https://127.0.0.1:7071/service/admin/soap/AuthRequest] [name=zimbra;ip=127.0.0.1;ua=zmpro v/8.6.0_GA_1153;] security - cmd=Auth; account=zimbra; protocol=soap;
2018-11-05 22:20:04,158 WARN [qtp509886383-510:https://192.168.x.x:7071/service/admin/soap/] [name=admin@xxx.com;ip=192.168.x.x;] security - cmd=Auth; account=admin@xxx.com; protocol=soap; error=authentication failed for [admin], invalid password;

Our server is Ubuntu 14.04 LTS Zimbra 8.6 . Server is in cloud server. it is only connect with another IMSVA server and firewall.

I don't know how to figure out the problems. how to trace [qtp509886383-510] , is not IP??
Any experienced user face this case?? any idea for me ??
Please help.

[Pronix]

Have you tried to get a list of login's trying from the zimbra.log? you can try this command: cat /var/log/zimbra.log | grep sasl_username > list

[edtricklam]

I tried cat /var/log/zimbra.log | grep sasl_username > list.
but nothing display.

I found that zombie process, Is it a problem??

USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
zimbra 11131 0.0 0.0 0 0 ? Z Nov05 0:00 [sh] <defunct>
root@mail:~# pstree -p -s 11131
init(1)auditswatch(26753)perl(26757)sh(11131)
root@mail:~# ps -eaf |grep 26753
zimbra 26753 1 0 Oct29 ? 00:00:00 /usr/bin/perl /opt/zimbra/libexec/auditswatch --config-file=/opt/zimbra/conf/auditswatchrc --use-cpan-file-tail --script-dir=/opt/zimbra/data/tmp --tail-file /opt/zimbra/log/audit.log
zimbra 26757 26753 0 Oct29 ? 00:06:33 /usr/bin/perl /opt/zimbra/data/tmp/.swatch_script.26753

But it seems zimbra process..... I am not sure.

[edtricklam]

Still can not find out what problems??
Today, it tried to login until admin account is lockout.

2018-11-13 07:46:09,023 WARN [qtp509886383-67832:https://192.168.0.2:7071/service/admin/soap/] [name=admin@nexusxxxx.com;ip=192.168.0.2;] security - cmd=Auth; account=admin@nexusxxxx.com; protocol=soap; error=authentication failed for [admin], account lockout;

Any tools I can use to scan whether my zimbra getting hack???

[DualBoot]

Hello,

it looks like you have been brute forced. In this case not only SMTP authentification could have been targeted, so
you must look in the /opt/zimbra/log/audit.log to see if there are some trails.
You can use fail2ban to stop this kind of attack.

Regards,