New admin account created automatically

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
thameera
Posts: 41
Joined: Sat Sep 13, 2014 3:21 am

New admin account created automatically

Post by thameera »

Hi All,

Today I saw that our mail server had unusual admin accounts created. I checked the audit log and found the entries below. I want to know under which user these accounts were created. Server details: Ubuntu 14.04 / ZCS 8.7.11.

Has anyone had this issue? Please help me investigate it.

2019-08-13 20:23:35,878 INFO [qtp1798286609-1145993:http://10.0.10.1:88/service/soap] [name=zimbra;ip=10.0.10.1;port=60393;ua=ZimbraWebClient - SAF3 (Win)/5.0.15_GA_2851.RHEL5_64;] security - cmd=Auth; account=zimbra; protocol=soap;
2019-08-13 20:23:36,342 INFO [qtp1798286609-1145999:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;ua=ZimbraWebClient - SAF3 (Win)/5.0.15_GA_2851.RHEL5_64;] security - cmd=AdminAuth; account=zimbra;
2019-08-13 20:23:36,343 INFO [qtp1798286609-1145999:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;ua=ZimbraWebClient - SAF3 (Win)/5.0.15_GA_2851.RHEL5_64;] security - cmd=Auth; account=zimbra; protocol=soap;
2019-08-13 20:23:38,477 INFO [qtp1798286609-1145804:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;] security - cmd=CreateAccount; name=sagvzc@test.co.in;
2019-08-13 20:23:38,885 INFO [qtp1798286609-1145953:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;] security - cmd=ModifyAccount; name=sagvzc@test.co.in; zimbraIsAdminAccount=TRUE;
2019-08-13 20:23:39,527 INFO [qtp1798286609-1145993:http://10.0.10.1:88/downloads/FMTn.jsp] [] security - cmd=Auth; account=sagvzc@test.co.in; protocol=http_basic;
2019-08-13 20:23:59,993 INFO [qtp1798286609-1146015:http://10.0.10.1:88/service/soap] [name=zimbra;ip=10.0.10.1;port=60435;ua=ZimbraWebClient - SAF3 (Win)/5.0.15_GA_2851.RHEL5_64;] security - cmd=Auth; account=zimbra; protocol=soap;
2019-08-13 20:24:00,419 INFO [qtp1798286609-1145999:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;ua=ZimbraWebClient - SAF3 (Win)/5.0.15_GA_2851.RHEL5_64;] security - cmd=AdminAuth; account=zimbra;
2019-08-13 20:24:00,421 INFO [qtp1798286609-1145999:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;ua=ZimbraWebClient - SAF3 (Win)/5.0.15_GA_2851.RHEL5_64;] security - cmd=Auth; account=zimbra; protocol=soap;
2019-08-13 20:24:03,222 INFO [qtp1798286609-1146029:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;] security - cmd=CreateAccount; name=1tqdvc@test.co.in;
2019-08-13 20:24:03,637 INFO [qtp1798286609-1146015:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;] security - cmd=ModifyAccount; name=1tqdvc@test.co.in; zimbraIsAdminAccount=TRUE;
2019-08-13 20:24:04,032 INFO [qtp1798286609-1146028:http://10.0.10.1:88/downloads/Hyr7.jsp] [] security - cmd=Auth; account=1tqdvc@test.co.in; protocol=http_basic;
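As an added example (not part of this post and not Zimbra's own tooling), here is a small Python script that parses audit.log lines of the shape quoted above and flags the sequence visible in them: an account created and then given zimbraIsAdminAccount=TRUE within a few minutes, together with the endpoint and protocol of that account's first login. The log lines embedded in it are constructed with placeholder names, modelled on the entries above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the shape of Zimbra's audit.log, modelled on the
# entries in the post with placeholder account names; not real log data.
SAMPLE_AUDIT_LOG = """\
2019-08-13 20:23:36,342 INFO [qtp1-99:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;ua=ZimbraWebClient - SAF3 (Win)/5.0.15_GA_2851.RHEL5_64;] security - cmd=AdminAuth; account=zimbra;
2019-08-13 20:23:38,477 INFO [qtp1-04:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;] security - cmd=CreateAccount; name=abc123@example.test;
2019-08-13 20:23:38,885 INFO [qtp1-53:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;] security - cmd=ModifyAccount; name=abc123@example.test; zimbraIsAdminAccount=TRUE;
2019-08-13 20:23:39,527 INFO [qtp1-93:http://10.0.10.1:88/downloads/xyz.jsp] [] security - cmd=Auth; account=abc123@example.test; protocol=http_basic;
2019-08-14 09:00:00,000 INFO [qtp1-02:https:https://127.0.0.1:7071/service/admin/soap] [name=admin@example.test;] security - cmd=CreateAccount; name=newhire@example.test;
2019-08-14 09:30:00,000 INFO [qtp1-03:https:https://127.0.0.1:7071/service/admin/soap] [name=admin@example.test;] security - cmd=ModifyAccount; name=newhire@example.test; zimbraIsAdminAccount=TRUE;
"""

# timestamp, level, [thread:url], [context], "security - " key=value fields
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \w+ "
    r"\[(?P<thread>[^:\]]+):(?P<url>[^\]]+)\] \[(?P<ctx>[^\]]*)\] security - (?P<fields>.*)$"
)

def parse_kv(text):
    """Turn 'cmd=Auth; account=x; protocol=soap;' into a dict."""
    return dict(kv.strip().split("=", 1) for kv in text.split(";") if "=" in kv)

def find_rapid_admin_promotions(log_text, window=timedelta(minutes=5)):
    """Return {account: details} for accounts created and then flagged
    zimbraIsAdminAccount=TRUE within `window`; also record the endpoint and
    protocol of that account's first Auth afterwards."""
    created, hits = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        ctx, fields = parse_kv(m["ctx"]), parse_kv(m["fields"])
        cmd = fields.get("cmd")
        name = fields.get("name") or fields.get("account")
        if cmd == "CreateAccount":
            created[name] = (ts, ctx.get("name", "<unknown>"))  # who created it
        elif cmd == "ModifyAccount" and fields.get("zimbraIsAdminAccount") == "TRUE" and name in created:
            t0, actor = created[name]
            if ts - t0 <= window:
                hits[name] = {"created_by": actor,
                              "promoted_after_s": (ts - t0).total_seconds(),
                              "first_auth": None}
        elif cmd == "Auth" and name in hits and hits[name]["first_auth"] is None:
            hits[name]["first_auth"] = (m["url"], fields.get("protocol"))
    return hits

if __name__ == "__main__":
    for acct, info in find_rapid_admin_promotions(SAMPLE_AUDIT_LOG).items():
        print(acct, info)
```

Run it against a copy of /opt/zimbra/log/audit.log instead of the sample; an account promoted a day later by a named admin (the last two sample lines) falls outside the window and is not reported.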
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: New admin account created automatically

Post by phoenix »

thameera wrote: Hi All,

Today I saw that our mail server had unusual admin accounts created. I checked the audit log and found the entries below. I want to know under which user these accounts were created. Server details: Ubuntu 14.04 / ZCS 8.7.11.

Has anyone had this issue? Please help me investigate it.

It sounds like your system has been hacked; I'd suggest you read all the forum threads on this topic.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
thameera
Posts: 41
Joined: Sat Sep 13, 2014 3:21 am

Re: New admin account created automatically

Post by thameera »

Hi,

I am trying to find the thread you mentioned. It would be great if you could give me a few links on this topic. It would help me prevent further issues.

Thanks
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: New admin account created automatically

Post by phoenix »

Take a look in this (Administrators) forum: the first post in the Topics section is what you need, although I would have thought the word "exploited" in the title would have pointed you in the right direction.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra