Page 2 of 3 (results 11 to 20 of 23)

Thread: [SOLVED] Spam Being Sent Thru Server - Help Needed!

  1. #11
    msf004 (Loyal Member; joined Jul 2007; St. Louis, MO; 84 posts)

    Yes, I have been scanning "ps -ef" continually. The only things I find curious are the "/tmp/.swatch_script.19528" entries; however, from other posts that appears to be part of Zimbra - but I cannot say definitely.

    Here is the output from ps -eafwww:

    UID PID PPID C STIME TTY TIME CMD
    root 1 0 0 Jul27 ? 00:00:02 init [3]
    root 2 1 0 Jul27 ? 00:00:10 [migration/0]
    root 3 1 0 Jul27 ? 00:00:00 [ksoftirqd/0]
    root 4 1 0 Jul27 ? 00:00:10 [migration/1]
    root 5 1 0 Jul27 ? 00:00:00 [ksoftirqd/1]
    root 6 1 0 Jul27 ? 00:00:00 [events/0]
    root 7 1 0 Jul27 ? 00:00:00 [events/1]
    root 8 6 0 Jul27 ? 00:00:00 [khelper]
    root 9 6 0 Jul27 ? 00:00:00 [kacpid]
    root 34 6 0 Jul27 ? 00:00:00 [kblockd/0]
    root 35 6 0 Jul27 ? 00:00:00 [kblockd/1]
    root 36 1 0 Jul27 ? 00:00:00 [khubd]
    root 56 6 0 Jul27 ? 00:00:00 [aio/0]
    root 57 6 0 Jul27 ? 00:00:00 [aio/1]
    root 55 1 0 Jul27 ? 00:01:12 [kswapd0]
    root 201 1 0 Jul27 ? 00:00:00 [kseriod]
    root 320 1 0 Jul27 ? 00:00:00 [scsi_eh_0]
    root 334 6 0 Jul27 ? 00:00:00 [ata/0]
    root 335 6 0 Jul27 ? 00:00:00 [ata/1]
    root 339 1 0 Jul27 ? 00:00:00 [scsi_eh_1]
    root 340 1 0 Jul27 ? 00:00:00 [scsi_eh_2]
    root 350 1 0 Jul27 ? 00:02:56 [kjournald]
    root 1629 1 0 Jul27 ? 00:00:00 udevd
    root 1914 6 0 Jul27 ? 00:00:00 [kauditd]
    root 1980 6 0 Jul27 ? 00:00:00 [kmirrord]
    root 2000 1 0 Jul27 ? 00:00:00 [kjournald]
    root 2597 1 0 Jul27 ? 00:01:55 syslogd -m 0
    root 2601 1 0 Jul27 ? 00:00:00 klogd -x
    root 2707 1 0 Jul27 ? 00:00:00 irqbalance
    rpc 2731 1 0 Jul27 ? 00:00:00 portmap
    root 2862 1 0 Jul27 ? 00:00:00 /usr/sbin/acpid
    root 2968 1 0 Jul27 ? 00:00:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
    root 3004 1 0 Jul27 ? 00:00:00 gpm -m /dev/input/mice -t exps2
    canna 3046 1 0 Jul27 ? 00:00:00 /usr/sbin/cannaserver -syslog -u canna
    xfs 3087 1 0 Jul27 ? 00:00:00 xfs -droppriv -daemon
    root 3104 1 0 Jul27 ? 00:00:00 /usr/sbin/atd
    root 3223 1 0 Jul27 ? 00:00:00 /usr/bin/perl /usr/local/bin/ipalert_statd
    root 3228 1 0 Jul27 tty1 00:00:00 /sbin/mingetty tty1
    root 3229 1 0 Jul27 tty2 00:00:00 /sbin/mingetty tty2
    root 3230 1 0 Jul27 tty3 00:00:00 /sbin/mingetty tty3
    root 3231 1 0 Jul27 tty4 00:00:00 /sbin/mingetty tty4
    root 3232 1 0 Jul27 tty5 00:00:00 /sbin/mingetty tty5
    root 3233 1 0 Jul27 tty6 00:00:00 /sbin/mingetty tty6
    root 3234 1 0 Jul27 ttyS0 00:00:00 /sbin/mingetty ttyS0 CON9600 vt102
    root 4903 1 0 Jul28 ? 00:00:00 rhnsd --interval 240
    rpcuser 20578 1 0 Jul28 ? 00:00:00 rpc.statd
    root 22097 1 0 Jul28 ? 00:00:00 [krfcommd]
    dbus 22162 1 0 Jul28 ? 00:00:00 dbus-daemon-1 --system
    root 22284 1 0 Jul28 ? 00:00:00 hald
    htt 22411 1 0 Jul28 ? 00:00:00 /usr/sbin/htt -retryonerror 0
    htt 22412 22411 0 Jul28 ? 00:00:00 htt_server -nodaemon
    root 22531 1 0 Jul28 ? 00:00:00 rpc.idmapd
    root 22591 1 0 Jul28 ? 00:00:21 /usr/sbin/sshd
    root 22669 1 0 Jul28 ? 00:00:02 crond
    root 23103 1 0 Jul28 ? 00:00:00 sh -c /usr/bin/perl -Iblib/lib -Iblib/arch -I/usr/lib/perl5/5.8.5/i386-linux-thread-multi -I/usr/lib/perl5/5.8.5 -I/usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.5 -I/usr/lib/perl5/site_perl/5.8.4 -I/usr/lib/perl5/site_perl/5.8.3 -I/usr/lib/perl5/site_perl/5.8.2 -I/usr/lib/perl5/site_perl/5.8.1 -I/usr/lib/perl5/site_perl/5.8.0 -I/usr/lib/perl5/site_perl -I/usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.5 -I/usr/lib/perl5/vendor_perl/5.8.4 -I/usr/lib/perl5/vendor_perl/5.8.3 -I/usr/lib/perl5/vendor_perl/5.8.2 -I/usr/lib/perl5/vendor_perl/5.8.1 -I/usr/lib/perl5/vendor_perl/5.8.0 -I/usr/lib/perl5/vendor_perl -I. examples/sslecho.pl 1212 examples/cert.pem examples/key.pem >>sslecho.log 2>&1
    root 23104 23103 0 Jul28 ? 00:00:00 /usr/bin/perl -Iblib/lib -Iblib/arch -I/usr/lib/perl5/5.8.5/i386-linux-thread-multi -I/usr/lib/perl5/5.8.5 -I/usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.5 -I/usr/lib/perl5/site_perl/5.8.4 -I/usr/lib/perl5/site_perl/5.8.3 -I/usr/lib/perl5/site_perl/5.8.2 -I/usr/lib/perl5/site_perl/5.8.1 -I/usr/lib/perl5/site_perl/5.8.0 -I/usr/lib/perl5/site_perl -I/usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.5 -I/usr/lib/perl5/vendor_perl/5.8.4 -I/usr/lib/perl5/vendor_perl/5.8.3 -I/usr/lib/perl5/vendor_perl/5.8.2 -I/usr/lib/perl5/vendor_perl/5.8.1 -I/usr/lib/perl5/vendor_perl/5.8.0 -I/usr/lib/perl5/vendor_perl -I. examples/sslecho.pl 1212 examples/cert.pem examples/key.pem
    root 3730 1 0 Aug02 ? 00:00:03 /usr/sbin/httpd
    zimbra 19528 1 0 Aug02 ? 00:00:00 /usr/bin/perl /opt/zimbra/libexec/logswatch --config-file=/opt/zimbra/conf/logswatchrc --use-cpan-file-tail --script-dir=/tmp -t /var/log/zimbra.log
    root 13023 6 0 Aug05 ? 00:00:09 [pdflush]
    root 13031 6 0 Aug05 ? 00:00:00 [pdflush]
    zimbra 13885 19528 0 Aug11 ? 00:00:31 /usr/bin/perl /tmp/.swatch_script.19528
    zimbra 13928 13885 0 Aug11 ? 00:04:40 /usr/bin/perl /opt/zimbra/libexec/zmlogger
    zimbra 26236 1 0 Aug12 ? 00:00:00 /usr/bin/perl /opt/zimbra/libexec/logswatch --config-file=/opt/zimbra/conf/logswatchrc --use-cpan-file-tail --script-dir=/tmp -t /var/log/zimbra.log
    zimbra 26278 26236 0 Aug21 ? 00:00:13 /usr/bin/perl /tmp/.swatch_script.26236
    zimbra 26303 26278 0 Aug21 ? 00:01:31 /usr/bin/perl /opt/zimbra/libexec/zmlogger
    root 21034 1 0 Aug23 ? 00:00:00 cupsd
    root 29445 22591 0 Aug23 ? 00:00:00 sshd: marcsf [priv]
    marcsf 29447 29445 0 Aug23 ? 00:00:00 sshd: marcsf@pts/3
    marcsf 29448 29447 0 Aug23 pts/3 00:00:00 -bash
    root 29846 29448 0 Aug23 pts/3 00:00:00 su -
    root 29848 29846 0 Aug23 pts/3 00:00:00 -bash
    zimbra 4001 1 0 00:02 ? 00:00:11 /opt/zimbra/openldap/libexec/slapd -l LOCAL0 -4 -u zimbra -h ldap://server.domain.net:389 -f /opt/zimbra/conf/slapd.conf
    zimbra 4400 1 0 00:02 ? 00:00:00 /bin/sh /opt/zimbra/logger/mysql/bin/mysqld_safe --defaults-file=/opt/zimbra/conf/my.logger.cnf --ledir=/opt/zimbra/logger/mysql/libexec
    zimbra 4468 4400 0 00:02 ? 00:01:35 /opt/zimbra/logger/mysql/libexec/mysqld --defaults-file=/opt/zimbra/conf/my.logger.cnf --basedir=/opt/zimbra/logger/mysql --datadir=/opt/zimbra/logger/db/data --pid-file=/opt/zimbra/logger/db/mysql.pid --skip-external-locking --port=7307 --socket=/opt/zimbra/logger/db/mysql.sock
    zimbra 4469 1 0 00:02 ? 00:00:00 /usr/bin/perl /opt/zimbra/libexec/logswatch --config-file=/opt/zimbra/conf/logswatchrc --use-cpan-file-tail --script-dir=/tmp -t /var/log/zimbra.log
    zimbra 4883 1 0 00:03 ? 00:00:18 /usr/bin/perl /opt/zimbra/libexec/zmmtaconfig
    zimbra 4906 1 0 00:03 ? 00:00:00 /bin/sh /opt/zimbra/mysql/bin/mysqld_safe --defaults-file=/opt/zimbra/conf/my.cnf --ledir=/opt/zimbra/mysql/libexec
    zimbra 4978 1 0 00:03 ? 00:00:00 /usr/bin/perl -w /opt/zimbra/libexec/zmconvertdmon -c /opt/zimbra/libexec/zmconvertd
    zimbra 5012 4906 0 00:03 ? 00:00:14 /opt/zimbra/mysql/libexec/mysqld --defaults-file=/opt/zimbra/conf/my.cnf --basedir=/opt/zimbra/mysql --datadir=/opt/zimbra/db/data --pid-file=/opt/zimbra/db/mysql.pid --skip-external-locking --port=7306 --socket=/opt/zimbra/db/mysql.sock
    zimbra 5169 1 0 00:03 ? 00:00:04 /opt/zimbra/java/bin/java -client -Xmx256m -Dzimbra.home=/opt/zimbra -Djava.library.path=/opt/zimbra/lib -Djava.ext.dirs=/opt/zimbra/java/jre/lib/ext:/opt/zimbra/lib/jars:/opt/zimbra/lib/ext:/opt/zimbra/lib/ext/backup:/opt/zimbra/lib/ext/clamscanner:/opt/zimbra/lib/ext/network:/opt/zimbra/lib/ext/zimbra-license:/opt/zimbra/lib/ext/zimbrahsm:/opt/zimbra/lib/ext/zimbrasync -Djava.awt.headless=true -Djava.library.path=/opt/zimbra/verity/FilterSDK/bin:/opt/zimbra/verity/ExportSDK/bin com.zimbra.cs.convertd.TransformationServer
    root 5726 1 0 00:03 ? 00:00:00 /opt/zimbra/libexec/zmtomcatmgr start -Xms806m -Xmx806m -client -XX:NewRatio=2 -Djava.awt.headless=true
    zimbra 5727 5726 0 00:03 ? 00:00:45 /opt/zimbra/jdk1.5.0_08/bin/java -Xms806m -Xmx806m -client -XX:NewRatio=2 -Djava.awt.headless=true -Dcatalina.base=/opt/zimbra/apache-tomcat-5.5.15 -Dcatalina.home=/opt/zimbra/apache-tomcat-5.5.15 -Djava.io.tmpdir=/opt/zimbra/apache-tomcat-5.5.15/temp -Djava.library.path=/opt/zimbra/lib -Djava.endorsed.dirs=/opt/zimbra/apache-tomcat-5.5.15/common/endorsed -classpath /opt/zimbra/apache-tomcat-5.5.15/bin/bootstrap.jar:/opt/zimbra/apache-tomcat-5.5.15/bin/commons-logging-api.jar:/opt/zimbra/lib/jars/zimbra-launcher.jar com.zimbra.cs.launcher.TomcatLauncher
    zimbra 5973 1 0 00:03 ? 00:00:00 /usr/bin/perl /opt/zimbra/libexec/swatch --config-file=/opt/zimbra/conf/swatchrc --use-cpan-file-tail --script-dir=/tmp -t /var/log/zimbra.log
    zimbra 6016 1 1 00:03 ? 00:06:25 /opt/zimbra/clamav/sbin/clamd --config-file /opt/zimbra/conf/clamd.conf
    zimbra 6017 1 0 00:03 ? 00:00:00 /opt/zimbra/clamav/bin/freshclam --config-file=/opt/zimbra/conf/freshclam.conf -d --checks=12
    zimbra 6019 1 0 00:03 ? 00:00:00 /opt/zimbra/httpd-2.0.54/bin/httpd -k start -f /opt/zimbra/conf/httpd.conf
    zimbra 6021 6019 0 00:03 ? 00:00:00 /opt/zimbra/httpd-2.0.54/bin/httpd -k start -f /opt/zimbra/conf/httpd.conf
    zimbra 6022 6019 0 00:03 ? 00:00:00 /opt/zimbra/httpd-2.0.54/bin/httpd -k start -f /opt/zimbra/conf/httpd.conf
    zimbra 6023 6019 0 00:03 ? 00:00:00 /opt/zimbra/httpd-2.0.54/bin/httpd -k start -f /opt/zimbra/conf/httpd.conf
    zimbra 6025 6019 0 00:03 ? 00:00:00 /opt/zimbra/httpd-2.0.54/bin/httpd -k start -f /opt/zimbra/conf/httpd.conf
    zimbra 6026 6019 0 00:03 ? 00:00:00 /opt/zimbra/httpd-2.0.54/bin/httpd -k start -f /opt/zimbra/conf/httpd.conf
    root 6160 1 0 00:03 ? 00:00:05 /opt/zimbra/postfix-2.2.9/libexec/master
    postfix 6169 6160 0 00:03 ? 00:00:00 qmgr -l -t fifo -u
    zimbra 6208 1 0 00:03 ? 00:00:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
    zimbra 6219 6208 0 00:03 ? 00:00:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
    zimbra 6220 6208 0 00:03 ? 00:00:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
    zimbra 6222 6208 0 00:03 ? 00:00:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
    zimbra 6223 6208 0 00:03 ? 00:00:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
    zimbra 6239 1 0 00:03 ? 00:00:00 amavisd (master)
    postfix 6255 6160 0 00:03 ? 00:00:00 tlsmgr -l -t unix -u
    postfix 7146 6160 0 00:06 ? 00:00:01 anvil -l -t unix -u
    apache 31560 3730 0 01:13 ? 00:00:00 /usr/sbin/httpd
    apache 31561 3730 0 01:13 ? 00:00:00 /usr/sbin/httpd
    apache 31562 3730 0 01:13 ? 00:00:00 /usr/sbin/httpd
    apache 31563 3730 0 01:13 ? 00:00:00 /usr/sbin/httpd
    apache 31564 3730 0 01:13 ? 00:00:00 /usr/sbin/httpd
    apache 31565 3730 0 01:13 ? 00:00:00 /usr/sbin/httpd
    apache 31566 3730 0 01:13 ? 00:00:00 /usr/sbin/httpd
    apache 31567 3730 0 01:13 ? 00:00:00 /usr/sbin/httpd
    postfix 8320 6160 0 03:43 ? 00:00:04 trivial-rewrite -n rewrite -t unix -u
    zimbra 12596 5973 0 04:03 ? 00:00:00 /usr/bin/perl /tmp/.swatch_script.5973
    zimbra 12597 4469 0 04:03 ? 00:00:00 /usr/bin/perl /tmp/.swatch_script.4469
    zimbra 12612 12597 0 04:03 ? 00:00:08 /usr/bin/perl /opt/zimbra/libexec/zmlogger
    apache 29625 3730 0 06:45 ? 00:00:00 /usr/sbin/httpd
    apache 29626 3730 0 06:45 ? 00:00:00 /usr/sbin/httpd
    apache 29627 3730 0 06:45 ? 00:00:00 /usr/sbin/httpd
    apache 29826 3730 0 06:46 ? 00:00:00 /usr/sbin/httpd
    zimbra 25488 6239 0 08:10 ? 00:00:02 amavisd (ch9-avail)
    zimbra 27672 6239 0 08:21 ? 00:00:01 amavisd (ch7-avail)
    zimbra 28647 6239 0 08:27 ? 00:00:01 amavisd (ch7-avail)
    zimbra 28655 6239 0 08:27 ? 00:00:02 amavisd (ch8-avail)
    zimbra 13917 6239 0 09:24 ? 00:00:01 amavisd (ch5-avail)
    zimbra 20252 6239 0 09:56 ? 00:00:00 amavisd (ch3-avail)
    root 20347 29848 0 09:56 pts/3 00:00:00 tail -f zimbra.log
    root 20348 29848 0 09:56 pts/3 00:00:00 grep nrcpt
    postfix 21611 6160 0 10:03 ? 00:00:00 pickup -l -t fifo -u
    zimbra 29235 6239 0 10:13 ? 00:00:00 amavisd (ch2-avail)
    zimbra 29615 6239 0 10:14 ? 00:00:00 amavisd (ch3-avail)
    zimbra 29834 6239 0 10:16 ? 00:00:01 amavisd (ch2-avail)
    apache 30018 3730 0 10:17 ? 00:00:00 /usr/sbin/httpd
    apache 30019 3730 0 10:17 ? 00:00:00 /usr/sbin/httpd
    postfix 30868 6160 0 10:21 ? 00:00:00 smtpd -n smtp -t inet -u
    postfix 31264 6160 0 10:22 ? 00:00:00 smtpd -n smtp -t inet -u
    postfix 31270 6160 0 10:23 ? 00:00:00 smtpd -n smtp -t inet -u
    zimbra 31475 6239 0 10:24 ? 00:00:00 amavisd (virgin child)
    postfix 31661 6160 0 10:25 ? 00:00:00 smtpd -n smtp -t inet -u
    postfix 31864 6160 0 10:26 ? 00:00:00 smtpd -n smtp -t inet -u
    postfix 32037 6160 0 10:27 ? 00:00:00 smtpd -n smtp -t inet -u
    postfix 32040 6160 0 10:27 ? 00:00:00 cleanup -z -t unix -u
    postfix 32041 6160 0 10:27 ? 00:00:00 smtp -n smtp-amavis -t unix -u -o smtp_data_done_timeout 1200 -o smtp_send_xforward_command yes -o disable_dns_lookups yes -o max_use 20
    postfix 32044 6160 0 10:27 ? 00:00:00 smtpd -n 127.0.0.1:10025 -t inet -u -o content_filter -o local_recipient_maps -o virtual_mailbox_maps -o virtual_alias_maps -o relay_recipient_maps -o smtpd_restriction_classes -o smtpd_delay_reject no -o smtpd_client_restrictions permit_mynetworks,reject -o smtpd_helo_restrictions -o smtpd_sender_restrictions -o smtpd_recipient_restrictions permit_mynetworks,reject -o mynetworks_style host -o mynetworks 127.0.0.0/8 -o strict_rfc821_envelopes yes -o smtpd_error_sleep_time 0 -o smtpd_soft_error_limit 1001 -o smtpd_hard_error_limit 1000 -o smtpd_client_connection_count_limit 0 -o smtpd_client_connection_rate_limit 0 -o receive_override_options no_header_body_checks,no_unknown_recipient_checks, no_address_mappings
    zimbra 32049 5169 0 10:27 ? 00:00:00 /opt/zimbra/verity/FilterSDK/bin/kvoop 9 12 0
    zimbra 32050 5169 0 10:27 ? 00:00:00 /opt/zimbra/verity/FilterSDK/bin/kvoop 9 14 0
    postfix 32434 6160 0 10:29 ? 00:00:00 lmtp -t unix -u
    zimbra 32439 5169 0 10:29 ? 00:00:00 /opt/zimbra/verity/FilterSDK/bin/kvoop 9 16 0
    zimbra 32440 5169 0 10:29 ? 00:00:00 /opt/zimbra/verity/FilterSDK/bin/kvoop 9 18 0
    zimbra 32444 5169 0 10:29 ? 00:00:00 /opt/zimbra/verity/FilterSDK/bin/kvoop 9 20 0
    zimbra 32445 5169 0 10:29 ? 00:00:00 /opt/zimbra/verity/FilterSDK/bin/kvoop 9 22 0
    zimbra 463 694 0 10:31 pts/4 00:00:00 ps -eafwww
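    The question raised in this post (are the /tmp/.swatch_script.PID entries legitimate?) is answered by the parent chain, not by the path alone: each script's parent is a logswatch process started with --script-dir=/tmp, and the script's name carries that parent's PID. The script below is an added example, not part of the post and not a Zimbra tool; it parses a handful of lines copied from the listing above (the long perl -I lists shortened), flags anything executing from a scratch directory or a relative path, and prints the parent chain with those two consistency checks. The heuristics and the sample are the editor's own.

```python
"""Walk a `ps -eaf` listing, flag programs executing from scratch or relative
paths, and print each one's parent chain with two consistency checks.

Added example, not from the forum post. SAMPLE_PS is a constructed subset of
the thread's ps -eafwww output (perl -I lists shortened).
"""

SAMPLE_PS = """\
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Jul27 ? 00:00:02 init [3]
root 23103 1 0 Jul28 ? 00:00:00 sh -c /usr/bin/perl -Iblib/lib -Iblib/arch -I. examples/sslecho.pl 1212 examples/cert.pem examples/key.pem >>sslecho.log 2>&1
root 23104 23103 0 Jul28 ? 00:00:00 /usr/bin/perl -Iblib/lib -Iblib/arch -I. examples/sslecho.pl 1212 examples/cert.pem examples/key.pem
zimbra 19528 1 0 Aug02 ? 00:00:00 /usr/bin/perl /opt/zimbra/libexec/logswatch --config-file=/opt/zimbra/conf/logswatchrc --use-cpan-file-tail --script-dir=/tmp -t /var/log/zimbra.log
zimbra 13885 19528 0 Aug11 ? 00:00:31 /usr/bin/perl /tmp/.swatch_script.19528
zimbra 13928 13885 0 Aug11 ? 00:04:40 /usr/bin/perl /opt/zimbra/libexec/zmlogger
zimbra 4978 1 0 00:03 ? 00:00:00 /usr/bin/perl -w /opt/zimbra/libexec/zmconvertdmon -c /opt/zimbra/libexec/zmconvertd
"""

INTERPRETERS = {"perl", "python", "sh", "bash", "ruby", "php"}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_ps(text):
    """Map PID -> {uid, ppid, cmd} from `ps -eaf` output (first line is the header)."""
    procs = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 7)  # CMD keeps its internal spaces
        if len(parts) < 8:
            continue
        uid, pid, ppid, _c, _stime, _tty, _time, cmd = parts
        procs[int(pid)] = {"uid": uid, "ppid": int(ppid), "cmd": cmd}
    return procs


def script_path(cmd):
    """Return the program actually being run.

    For an interpreter, skip its own options (perl bundles -I/-w with the value)
    and take the first non-option word; `sh -c ...` is unwrapped recursively.
    """
    argv = cmd.split()
    if not argv:
        return ""
    exe = argv[0]
    base = exe.rsplit("/", 1)[-1]
    if base in INTERPRETERS:
        rest = argv[1:]
        if base in ("sh", "bash") and rest and rest[0] == "-c":
            return script_path(" ".join(rest[1:]))
        for arg in rest:
            if not arg.startswith("-"):
                return arg
    return exe


def classify(path):
    """Why a path is worth a look, or None if it is unremarkable."""
    if path.startswith("["):  # kernel thread, e.g. [kswapd0]
        return None
    if path.startswith(SCRATCH_DIRS):
        return "scratch directory"
    if "/" in path and not path.startswith("/"):
        return "relative path"
    return None


def parent_chain(procs, pid):
    """[(pid, uid, cmd), ...] from the process up to init (or the first missing parent)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append((pid, procs[pid]["uid"], procs[pid]["cmd"]))
        pid = procs[pid]["ppid"]
    return chain


def evidence(procs, pid, path):
    """Two cheap checks that the parent spawned this script on purpose: the
    parent's command line names the script's directory, and the file name
    embeds the parent's PID (swatch names its scripts .swatch_script.<ppid>)."""
    parent = procs.get(procs[pid]["ppid"])
    if parent is None:
        return {"parent_mentions_dir": False, "name_embeds_parent_pid": False}
    script_dir = path.rsplit("/", 1)[0] or "/"
    name = path.rsplit("/", 1)[-1]
    return {
        "parent_mentions_dir": script_dir in parent["cmd"],
        "name_embeds_parent_pid": str(procs[pid]["ppid"]) in name,
    }


def find_suspects(procs):
    """All processes whose program path is classified, with chain and evidence."""
    findings = []
    for pid in sorted(procs):
        path = script_path(procs[pid]["cmd"])
        reason = classify(path)
        if reason:
            findings.append({"pid": pid, "path": path, "reason": reason,
                             "chain": parent_chain(procs, pid),
                             "evidence": evidence(procs, pid, path)})
    return findings


def report(text):
    findings = find_suspects(parse_ps(text))
    for f in findings:
        print(f"PID {f['pid']}: {f['path']} ({f['reason']}) evidence={f['evidence']}")
        for depth, (pid, uid, cmd) in enumerate(f["chain"]):
            print("  " * (depth + 1) + f"{pid} {uid} {cmd[:70]}")
    return findings


if __name__ == "__main__":
    report(SAMPLE_PS)
```

    On the sample, the /tmp script is reported with both checks true and a chain ending in logswatch, which is the consistency the poster was looking for; a script in /tmp whose parent neither names that directory nor shares a PID with it would print with both checks false and deserves a closer look. The relative-path heuristic also surfaces the two sslecho.pl processes running from a build directory, which is simply a reminder to account for everything a listing shows, not a finding in itself.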

  2. #12
    mdeneen (Active Member; joined Jul 2007; 45 posts)

    Nothing jumps out at me there.

    Have you looked in /opt/zimbra/tomcat/logs/access_log.2007-08-24?

    Match them up with the timestamps of the spam, and you will see if it comes through webmail or somewhere else.

    Mark
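    The matching Mark describes is a small join on time: take each message with a large recipient count from the mail log (the poster is already grepping zimbra.log for nrcpt) and look for webmail send requests in the Tomcat access log within a few seconds of it. The script below is an added example, not part of Mark's post and not a Zimbra tool; both log excerpts are constructed. It assumes that a send from the Zimbra web client appears in access_log as a POST to a path ending in /SendMsgRequest, and that both logs are written in the same local time.

```python
"""Correlate bulk submissions in the mail log with webmail send requests in
the Tomcat access log, to see which client addresses were sending at the
moment each large-recipient message entered the queue.

Added example, not from the forum post. Both logs are constructed.
Assumed: a web-client send appears as POST .../SendMsgRequest in access_log,
and both logs use the same local time (the access log's offset is dropped).
"""
import re
from datetime import datetime

# Constructed access_log lines (combined format, as Tomcat writes them).
ACCESS_LOG = """\
192.0.2.15 - - [24/Aug/2007:10:26:58 -0500] "POST /service/soap/SendMsgRequest HTTP/1.1" 200 742
192.0.2.15 - - [24/Aug/2007:10:27:01 -0500] "GET /zimbra/img/logo.gif HTTP/1.1" 200 3102
198.51.100.23 - - [24/Aug/2007:10:27:02 -0500] "POST /service/soap/SendMsgRequest HTTP/1.1" 200 9912
198.51.100.23 - - [24/Aug/2007:10:29:30 -0500] "POST /service/soap/SendMsgRequest HTTP/1.1" 200 9908
192.0.2.15 - - [24/Aug/2007:11:02:11 -0500] "POST /service/soap/SendMsgRequest HTTP/1.1" 200 611
"""

# Constructed postfix qmgr lines; nrcpt is the recipient count the poster grepped for.
MAIL_LOG = """\
Aug 24 10:27:00 mail postfix/qmgr[6169]: 0F1E2D3C4B: from=<boss@example.com>, size=1201, nrcpt=1 (queue active)
Aug 24 10:27:03 mail postfix/qmgr[6169]: 1A2B3C4D5E: from=<user@example.com>, size=9513, nrcpt=48 (queue active)
Aug 24 10:29:31 mail postfix/qmgr[6169]: 5F6E7D8C9B: from=<user@example.com>, size=9509, nrcpt=52 (queue active)
Aug 24 11:02:12 mail postfix/qmgr[6169]: 9A8B7C6D5E: from=<user@example.com>, size=533, nrcpt=2 (queue active)
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
QMGR_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<hms>\d\d:\d\d:\d\d) \S+ postfix/qmgr\[\d+\]: "
    r"(?P<qid>\w+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)"
)


def parse_send_requests(text):
    """[(timestamp, client_ip), ...] for every webmail send request in the access log."""
    reqs = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].endswith("/SendMsgRequest"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        reqs.append((ts, m["ip"]))
    return reqs


def parse_bulk_messages(text, year, min_rcpt):
    """qmgr entries with at least min_rcpt recipients; syslog lines carry no year."""
    msgs = []
    for line in text.splitlines():
        m = QMGR_RE.match(line)
        if not m or int(m["nrcpt"]) < min_rcpt:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['hms']}", "%Y %b %d %H:%M:%S")
        msgs.append({"time": ts, "queue_id": m["qid"], "sender": m["sender"],
                     "nrcpt": int(m["nrcpt"])})
    return msgs


def correlate(access_text, mail_text, year=2007, min_rcpt=20, window_s=5):
    """For each bulk message, the send requests within window_s seconds,
    as (ip, seconds relative to the queue entry), nearest first."""
    reqs = parse_send_requests(access_text)
    results = []
    for msg in parse_bulk_messages(mail_text, year, min_rcpt):
        cands = []
        for ts, ip in reqs:
            delta = (ts - msg["time"]).total_seconds()
            if abs(delta) <= window_s:
                cands.append((ip, int(delta)))
        cands.sort(key=lambda c: abs(c[1]))
        results.append({**msg, "candidates": cands})
    return results


def top_client(results):
    """The client address most often nearest to a bulk message, or None."""
    counts = {}
    for r in results:
        if r["candidates"]:
            ip = r["candidates"][0][0]
            counts[ip] = counts.get(ip, 0) + 1
    return max(counts, key=counts.get) if counts else None


if __name__ == "__main__":
    results = correlate(ACCESS_LOG, MAIL_LOG)
    for r in results:
        print(f"{r['time']} {r['queue_id']} nrcpt={r['nrcpt']} from={r['sender']}")
        for ip, delta in r["candidates"]:
            print(f"    {ip} ({delta:+d}s)")
    print("most frequent nearest client:", top_client(results))
```

    No candidate for a bulk message means the send did not come through the web client in that window, which points the search at other paths (SMTP AUTH submission, a mail client, or something local). The recipient threshold and window are deliberately parameters: a mailing to a department can legitimately have dozens of recipients, and the clock skew between the two logs on one box is normally small but not zero.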

  3. #13
    p24t (Moderator; joined Mar 2007; Austin; 441 posts)

    If you're getting mail sent from unrelated accounts, and from disabled accounts, have you tried changing any admin passwords? Perhaps someone is getting in through the View Mail option.

    If you're worried about the system being compromised, try looking at lastlog to see if any accounts that shouldn't have been logged in have been, or from a strange location.

  4. #14
    fajarpri (Loyal Member; joined Jul 2007; 98 posts)

    Ok... getting more interesting.
    1. This is a long shot, but could it be that you enabled 'clear text' authentication? Someone could be sniffing your network for usernames and passwords.
    2. Download and run rkhunter on your server to check for any break-in attempts/backdoors.

  5. #15
    msf004 (Loyal Member; joined Jul 2007; St. Louis, MO; 84 posts)

    fajarpri - First, thanks for recommending rkhunter. That is a nice tool to have around. I have never used it in the past.

    However, it found nothing because SSH v1 login is currently allowed by the system - which I changed.

    I did have clear text login allowed. So I guess the sniffer is a possibility; however, the person with the sniffer would have to be outside of our physical LAN and on the Internet somewhere - to the best of my knowledge. I say that because we have a dedicated 6mbps/1mbps line coming from the CO into our office - and there are only two of us in the office. I say dedicated because it is one of those lines that do not require telephone service (it doesn't ride the primary pair).

  6. #16
    mmorse (Moderator; joined May 2006; USA; 6,242 posts)

    The question is why aren't you analyzing tcpdumps on your RHEL box?
    Heck, even run Wireshark (used to be Ethereal) on her PC...

  7. #17
    fajarpri (Loyal Member; joined Jul 2007; 98 posts)

    mmorse is right.
    By analyzing the connections on her PC, we can make sure whether there's an authorized connection coming into or going out of her PC.
    And also there's the fact that two more of your users are being used for sending spam.

    Is there any special need for you to enable clear text authentication? Because by default, Zimbra disables it.

  8. #18
    fajarpri (Loyal Member; joined Jul 2007; 98 posts)

    What is the status of this issue?
    What is the real cause of it?

  9. #19
    msf004 (Loyal Member; joined Jul 2007; St. Louis, MO; 84 posts)

    Good Question

    The status and cause of this is a good question. I could never find anything in log files or otherwise. After further review, it only happened to one account, not two as I originally thought. As I stated, that account literally does have the emails in their sent items, with all recipients now in their address book. So the email was definitely sent through Zimbra. The individual DOES NOT use any Zimbra connectors; the individual uses a Mac, not a Windows PC. I could not find anything running on the Mac which was unusual, the user had a secure password, and I have not seen any more instances of emails being sent. There have not been any more problems.

    However, I was concerned enough with the incident that I ended up opening a Zimbra support ticket for assistance. I received one reply from a Zimbra employee asking for log files and more information, to which I responded; however, I have not heard back from Zimbra since then, and I have even followed up a few times.

    Right now I am mostly concerned whether this is going to cost me a support ticket, since I opened one through Zimbra for assistance. I say this because I have not received any support. I would be paying for something that didn't happen.

  10. #20
    mmorse (Moderator; joined May 2006; USA; 6,242 posts)

    After further logfile examination it turns out that someone was attempting access to his administrator user.
    /forums/administrators/11293-admin-password-not-working.html
    -While we can't say with 100% certainty at this point that it was the exact same person as the one causing the spam sending of this thread, I am 'solving' this thread.
    (You can certainly continue to post replies, as it's always good to learn for security sake. However, those reading the title will know that you don't need immediate help anymore)

    msf004,
    If you're still concerned about a 'lost' support ticket for the issue, add your comments to the current open ticket and they can consider it for review.

    However, generally, as the forums and actual Zimbra support are separate, plus the fact that you felt the issue critical enough to open a ticket ("I was concerned enough with the incident that I ended up opening a Zimbra support ticket for assistance."), there's really not much you can do.

    But if the same issue comes up relatively soon again, and this current ticket has already been closed, have them reopen the existing ticket rather than using up another.

    If you examine all your logs and find that it was just the same person as in your most recent 'admin account locked' issue, and that you have solved it on your own, please let them know as well so they don't waste support resources analyzing hundreds of lines when they could be helping others.
    A list of pertinent logfiles and their functions can be found here: /docs/ne/latest/administration_guide/9_Monitoring.12.1.html#1075561

    You can also request that they examine your zcs/system setup for the possibility of any other open holes.
