Today I saw that our mail server had unusual admin accounts created. I checked the audit log and found the entries below. I want to know under what user this account was created. Server details: Ubuntu 14.04/ZCS 8.7.11.
Has anyone had this issue? Please help me investigate it.
2019-08-13 20:23:35,878 INFO [qtp1798286609-1145993:http://10.0.10.1:88/service/soap] [name=zimbra;ip=10.0.10.1;port=60393;ua=ZimbraWebClient - SAF3 (Win)/5.0.15_GA_2851.RHEL5_64;] security - cmd=Auth; account=zimbra; protocol=soap;
2019-08-13 20:23:36,342 INFO [qtp1798286609-1145999:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;ua=ZimbraWebClient - SAF3 (Win)/5.0.15_GA_2851.RHEL5_64;] security - cmd=AdminAuth; account=zimbra;
2019-08-13 20:23:36,343 INFO [qtp1798286609-1145999:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;ua=ZimbraWebClient - SAF3 (Win)/5.0.15_GA_2851.RHEL5_64;] security - cmd=Auth; account=zimbra; protocol=soap;
2019-08-13 20:23:38,477 INFO [qtp1798286609-1145804:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;] security - cmd=CreateAccount; name=sagvzc@test.co.in;
2019-08-13 20:23:38,885 INFO [qtp1798286609-1145953:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;] security - cmd=ModifyAccount; name=sagvzc@test.co.in; zimbraIsAdminAccount=TRUE;
2019-08-13 20:23:39,527 INFO [qtp1798286609-1145993:http://10.0.10.1:88/downloads/FMTn.jsp] [] security - cmd=Auth; account=sagvzc@test.co.in; protocol=http_basic;
2019-08-13 20:23:59,993 INFO [qtp1798286609-1146015:http://10.0.10.1:88/service/soap] [name=zimbra;ip=10.0.10.1;port=60435;ua=ZimbraWebClient - SAF3 (Win)/5.0.15_GA_2851.RHEL5_64;] security - cmd=Auth; account=zimbra; protocol=soap;
2019-08-13 20:24:00,419 INFO [qtp1798286609-1145999:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;ua=ZimbraWebClient - SAF3 (Win)/5.0.15_GA_2851.RHEL5_64;] security - cmd=AdminAuth; account=zimbra;
2019-08-13 20:24:00,421 INFO [qtp1798286609-1145999:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;ua=ZimbraWebClient - SAF3 (Win)/5.0.15_GA_2851.RHEL5_64;] security - cmd=Auth; account=zimbra; protocol=soap;
2019-08-13 20:24:03,222 INFO [qtp1798286609-1146029:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;] security - cmd=CreateAccount; name=1tqdvc@test.co.in;
2019-08-13 20:24:03,637 INFO [qtp1798286609-1146015:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;] security - cmd=ModifyAccount; name=1tqdvc@test.co.in; zimbraIsAdminAccount=TRUE;
2019-08-13 20:24:04,032 INFO [qtp1798286609-1146028:http://10.0.10.1:88/downloads/Hyr7.jsp] [] security - cmd=Auth; account=1tqdvc@test.co.in; protocol=http_basic;
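
One way to pull this pattern out of audit.log (an account created, promoted with zimbraIsAdminAccount=TRUE shortly afterwards, then used to authenticate), as an added example that is not part of the original post. The function names, the 60-second window, and reading the bracketed `name=` field as the acting principal are assumptions.

```python
import re
from datetime import datetime, timedelta

# Lines 1-3 are copied from the audit log above; line 4 is constructed (benign).
SAMPLE = """\
2019-08-13 20:23:38,477 INFO [qtp1798286609-1145804:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;] security - cmd=CreateAccount; name=sagvzc@test.co.in;
2019-08-13 20:23:38,885 INFO [qtp1798286609-1145953:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;] security - cmd=ModifyAccount; name=sagvzc@test.co.in; zimbraIsAdminAccount=TRUE;
2019-08-13 20:23:39,527 INFO [qtp1798286609-1145993:http://10.0.10.1:88/downloads/FMTn.jsp] [] security - cmd=Auth; account=sagvzc@test.co.in; protocol=http_basic;
2019-08-13 21:00:00,000 INFO [qtp1798286609-1:https:https://127.0.0.1:7071/service/admin/soap] [name=admin@test.co.in;] security - cmd=CreateAccount; name=newuser@test.co.in;
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \w+ "
    r"\[(?P<thread>[^:\]]+):(?P<url>[^\]]*)\] \[(?P<ctx>[^\]]*)\] "
    r"security - (?P<body>.*)$")

def fields(text):
    # Split "k=v; k=v;" into a dict; empty input gives an empty dict.
    return dict(p.strip().split("=", 1) for p in text.split(";") if "=" in p)

def parse(line):
    m = LINE.match(line.strip())
    if not m:
        return None  # not a security audit line in the format shown above
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f"),
            "url": m["url"], "ctx": fields(m["ctx"]), **fields(m["body"])}

def find_rogue_admins(log_text, window=timedelta(seconds=60)):
    # Correlate CreateAccount -> ModifyAccount(admin) -> first Auth per account.
    created, findings = {}, []
    for ev in filter(None, map(parse, log_text.splitlines())):
        cmd, name = ev.get("cmd"), ev.get("name")
        if cmd == "CreateAccount":
            created[name] = ev
        elif (cmd == "ModifyAccount" and ev.get("zimbraIsAdminAccount") == "TRUE"
              and name in created and ev["ts"] - created[name]["ts"] <= window):
            src = created[name]
            findings.append({"account": name, "created_at": src["ts"],
                             "acting_principal": src["ctx"].get("name"),
                             "first_auth_url": None})
        elif cmd == "Auth":
            for f in findings:
                if f["account"] == ev.get("account") and f["first_auth_url"] is None:
                    f["first_auth_url"] = ev["url"]
    return findings

if __name__ == "__main__":
    for f in find_rogue_admins(SAMPLE):
        print(f)
```

Each finding carries the request URL of the new account's first authentication, which is the path worth checking on disk and in the web access logs.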