New admin account created automatically

thameera
Posts: 40
Joined: Sat Sep 13, 2014 3:21 am

New admin account created automatically

Postby thameera » Mon Aug 19, 2019 5:54 am

Hi All,

Today I saw that our mail server had unusual admin accounts created. I checked the audit log and found the entries below. I want to know under what user this account was created. Server details: Ubuntu 14.04/ZCS 8.7.11.

Has anyone had this issue? Please help me investigate it.

2019-08-13 20:23:35,878 INFO [qtp1798286609-1145993:http://10.0.10.1:88/service/soap] [name=zimbra;ip=10.0.10.1;port=60393;ua=ZimbraWebClient - SAF3 (Win)/5.0.15_GA_2851.RHEL5_64;] security - cmd=Auth; account=zimbra; protocol=soap;
2019-08-13 20:23:36,342 INFO [qtp1798286609-1145999:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;ua=ZimbraWebClient - SAF3 (Win)/5.0.15_GA_2851.RHEL5_64;] security - cmd=AdminAuth; account=zimbra;
2019-08-13 20:23:36,343 INFO [qtp1798286609-1145999:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;ua=ZimbraWebClient - SAF3 (Win)/5.0.15_GA_2851.RHEL5_64;] security - cmd=Auth; account=zimbra; protocol=soap;
2019-08-13 20:23:38,477 INFO [qtp1798286609-1145804:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;] security - cmd=CreateAccount; name=sagvzc@test.co.in;
2019-08-13 20:23:38,885 INFO [qtp1798286609-1145953:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;] security - cmd=ModifyAccount; name=sagvzc@test.co.in; zimbraIsAdminAccount=TRUE;
2019-08-13 20:23:39,527 INFO [qtp1798286609-1145993:http://10.0.10.1:88/downloads/FMTn.jsp] [] security - cmd=Auth; account=sagvzc@test.co.in; protocol=http_basic;
2019-08-13 20:23:59,993 INFO [qtp1798286609-1146015:http://10.0.10.1:88/service/soap] [name=zimbra;ip=10.0.10.1;port=60435;ua=ZimbraWebClient - SAF3 (Win)/5.0.15_GA_2851.RHEL5_64;] security - cmd=Auth; account=zimbra; protocol=soap;
2019-08-13 20:24:00,419 INFO [qtp1798286609-1145999:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;ua=ZimbraWebClient - SAF3 (Win)/5.0.15_GA_2851.RHEL5_64;] security - cmd=AdminAuth; account=zimbra;
2019-08-13 20:24:00,421 INFO [qtp1798286609-1145999:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;ua=ZimbraWebClient - SAF3 (Win)/5.0.15_GA_2851.RHEL5_64;] security - cmd=Auth; account=zimbra; protocol=soap;
2019-08-13 20:24:03,222 INFO [qtp1798286609-1146029:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;] security - cmd=CreateAccount; name=1tqdvc@test.co.in;
2019-08-13 20:24:03,637 INFO [qtp1798286609-1146015:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;] security - cmd=ModifyAccount; name=1tqdvc@test.co.in; zimbraIsAdminAccount=TRUE;
2019-08-13 20:24:04,032 INFO [qtp1798286609-1146028:http://10.0.10.1:88/downloads/Hyr7.jsp] [] security - cmd=Auth; account=1tqdvc@test.co.in; protocol=http_basic;
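
Added example, not part of the original post and not Zimbra's own tooling: a small audit.log triage script that flags accounts created and promoted with `zimbraIsAdminAccount=TRUE` within a short window, and reports the `name=` context value on the promoting entry plus the URL of the new account's first `Auth`. The sample lines are constructed from the layout quoted above (user agent shortened); the function names and the 60-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the audit.log layout quoted in the post above
# (thread ids and user agent strings shortened; last line is a benign create).
SAMPLE = """\
2019-08-13 20:23:36,342 INFO [qtp1-1:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;ua=ZimbraWebClient;] security - cmd=AdminAuth; account=zimbra;
2019-08-13 20:23:38,477 INFO [qtp1-2:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;] security - cmd=CreateAccount; name=sagvzc@test.co.in;
2019-08-13 20:23:38,885 INFO [qtp1-3:https:https://127.0.0.1:7071/service/admin/soap] [name=zimbra;] security - cmd=ModifyAccount; name=sagvzc@test.co.in; zimbraIsAdminAccount=TRUE;
2019-08-13 20:23:39,527 INFO [qtp1-4:http://10.0.10.1:88/downloads/FMTn.jsp] [] security - cmd=Auth; account=sagvzc@test.co.in; protocol=http_basic;
2019-08-14 09:00:00,000 INFO [qtp1-5:https:https://127.0.0.1:7071/service/admin/soap] [name=admin@test.co.in;ip=10.0.10.20;] security - cmd=CreateAccount; name=newhire@test.co.in;
"""

# timestamp, level, [thread:request-url], [context key=value;...], security - body
LINE = re.compile(r"^(\S+ \S+) \w+ +\[[^:\]]+:(\S*?)\] \[(.*?)\] security - (.*)$")

def parse(line):
    """Return one audit entry as a dict, or None if the line has another layout."""
    m = LINE.match(line)
    if not m:
        return None
    ts, url, ctx, body = m.groups()
    kv = lambda s: dict(p.strip().split("=", 1) for p in s.split(";") if "=" in p)
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S,%f"), "url": url,
            "ctx": kv(ctx), **kv(body)}

def find_admin_promotions(text, window=timedelta(seconds=60)):
    """Flag accounts created and then made admin within `window` of creation."""
    created, findings = {}, []
    for ev in filter(None, map(parse, text.splitlines())):
        cmd = ev.get("cmd")
        if cmd == "CreateAccount":
            created[ev.get("name")] = ev
        elif cmd == "ModifyAccount" and ev.get("zimbraIsAdminAccount") == "TRUE":
            c = created.get(ev.get("name"))
            if c and ev["ts"] - c["ts"] <= window:
                findings.append({"account": ev["name"],
                                 "actor": ev["ctx"].get("name"),
                                 "actor_ip": ev["ctx"].get("ip"),  # None if not logged
                                 "created": c["ts"], "first_use": None})
        elif cmd == "Auth":
            for f in findings:  # first login of an already flagged account
                if f["account"] == ev.get("account") and f["first_use"] is None:
                    f["first_use"] = ev["url"]
    return findings

if __name__ == "__main__":
    for f in find_admin_promotions(SAMPLE):
        print(f)
```

To run it against a real server, pass the contents of the audit log file instead of `SAMPLE`; any request path reported as `first_use` is a file worth checking on disk.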


phoenix
Ambassador
Posts: 26285
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: New admin account created automatically

Postby phoenix » Mon Aug 19, 2019 5:59 am

thameera wrote: Hi All,

Today I saw that our mail server had unusual admin accounts created. I checked the audit log and found the entries below. I want to know under what user this account was created. Server details: Ubuntu 14.04/ZCS 8.7.11.

Has anyone had this issue? Please help me investigate it.

It sounds like your system has been hacked; I'd suggest you read all the forum threads on this topic.
Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168
thameera
Posts: 40
Joined: Sat Sep 13, 2014 3:21 am

Re: New admin account created automatically

Postby thameera » Mon Aug 19, 2019 6:17 am

Hi,

I am trying to find the thread you mentioned. It would be great if you could give me a few links on this topic. It would help me to prevent further issues.

Thanks
phoenix
Ambassador
Posts: 26285
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: New admin account created automatically

Postby phoenix » Mon Aug 19, 2019 9:57 am

Take a look in this (Administrators) forum; the first post in the Topics section is what you need, although I would have thought the word "exploited" in the title would have pointed you in the right direction.
Regards

Bill

