12-08-2008, 01:55 PM
zimbra mail hacked
Hello, I got tons of deferred emails from different domains. Someone was spamming via my mail server, or trying to spam. As a result my mail server is blocked by several spam lists.
How can I check who that was and how my server was accessed? Was Zimbra hacked, or was it the OS? How can I stop it?
12-08-2008, 02:04 PM
If it was hacked it would probably have been due to a weak password, or you have it as an open relay. Do you notice any particular account that the email seems to be coming from? Look at the spam carefully, they may not have used your server at all.
12-08-2008, 02:20 PM
Here's a part of the log file. I have no idea what usbank-email.com and olympus.net are or how they appeared here. I tested my server; it looks like it's not an open relay.
DC1E749C0815: from=<U_S_BankAlerts.6tqrd7p6h.fpyk@cs.usbank-email.com>, size=6194, nrcpt=1 (queue active)
Dec 8 11:53:37 mail postfix/qmgr[5055]: D6C1049C0523: from=<alerts@cs.usbank-email.com>, size=5041, nrcpt=1 (queue active)
Dec 8 11:53:37 mail postfix/qmgr[5055]: D6C1049C0523: to=<jccthrift@juno.com>, relay=none, delay=97104, delays=97104/0/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.dca.untd.com[64.136.44.37] refused to talk to me: 550 Access denied...27f595502da9a1a1b935fd35b4546d543540ddb5c 121f46d456deddd40214521c45d5d...)
Dec 8 11:53:37 mail postfix/qmgr[5055]: D792049C0520: from=<alerts@cs.usbank-email.com>, size=5056, nrcpt=1 (queue active)
Dec 8 11:53:37 mail postfix/qmgr[5055]: 878CD49C0413: from=<alerts@cs.usbank-email.com>, size=5069, nrcpt=1 (queue active)
DC1E749C0815: host mx.dca.untd.com[64.136.44.37] refused to talk to me: 550 Access denied...5089250c0c8d68689185f985583d9958ed357cdcc 91131ed28ed057cb9112811bca8a8...
Dec 8 11:53:38 mail postfix/qmgr[5055]: B725449C028A: from=<alerts@cs.usbank-email.com>, size=5046, nrcpt=1 (queue active)
Dec 8 11:53:38 mail postfix/qmgr[5055]: 1BF8349C0296: from=<alerts@cs.usbank-email.com>, size=5072, nrcpt=1 (queue active)
Dec 8 11:53:38 mail postfix/qmgr[5055]: 11DDE49C054A: from=<alerts@cs.usbank-email.com>, size=5050, nrcpt=1 (queue active)
Dec 8 11:53:38 mail postfix/qmgr[5055]: 068AA49C081E: from=<U_S_BankAlerts.6tqrd7p6h.fpyk@cs.usbank-email.com>, size=6176, nrcpt=1 (queue active)
Dec 8 11:53:38 mail postfix/qmgr[5055]: 0EA4149C081B: from=<U_S_BankAlerts.6tqrd7p6h.fpyk@cs.usbank-email.com>, size=6224, nrcpt=1 (queue active)
Dec 8 11:53:38 mail postfix/qmgr[5055]: 02FF849C029C: from=<U_S_BankAlerts.6tqrd7p6h.fpyk@cs.usbank-email.com>, size=6234, nrcpt=1 (queue active)
B211049C0012: to=<greenhornet65613@olympus.net>, relay=mx1.olympus.net[65.117.224.91]:25, delay=134840, delays=134834/0.21/5.2/0.32, dsn=4.0.0, status=deferred (host mx1.olympus.net[65.117.224.91] said: 451 Sender verify failed (in reply to RCPT TO command))
Dec 8 11:53:43 mail postfix/smtp[6575]: ACB1549C0015: to=<kennyziplock_@olympus.net>, relay=mx1.olympus.net[65.117.224.91]:25, delay=134746, delays=134740/0.13/5.2/0.55, dsn=4.0.0, status=deferred (host mx1.olympus.net[65.117.224.91] said: 451 Sender verify failed (in reply to RCPT TO command))
Dec 8 11:53:43 mail postfix/smtp[6579]: 618E849C0010: to=<foxy555@olympus.net>, relay=mx1.olympus.net[65.117.224.91]:25, delay=134867, delays=134862/0.14/5.2/0.49, dsn=4.0.0, status=deferred (host mx1.olympus.net[65.117.224.91] said: 451 Sender verify failed (in reply to RCPT TO command))
Dec 8 11:53:43 mail postfix/smtp[6605]: 27AC049C0013: to=<hodorovs@olympus.net>, relay=mx1.olympus.net[65.117.224.91]:25, delay=134811, delays=134805/0.21/5.2/0.27, dsn=4.0.0, status=deferred (host mx1.olympus.net[65.117.224.91] said: 451 Sender verify failed (in reply to RCPT TO command))
Last edited by extremal; 12-08-2008 at 02:23 PM..
12-08-2008, 06:48 PM
Hacked? It's got to be a software or OS problem, and not your setup? How did you draw that conclusion?
Without knowing your network setup... are you behind a firewall? What ports do you have open to your server? Is your server shared with any other apps? Is your SSH secure? etc.....
More of your logs than just 15 lines
EDIT: OS type and version and Zimbra version? Sounds like something you might want to work with support on. They will probably want to either SSH to your machine and/or have you send them configuration files.
__________________
Release 6.0.2_GA_1912.UBUNTU8_64 UBUNTU8_64 NETWORK edition + Mobile Option
Activesync with Moto Q9C, HTC Touch Pro, Palm Pro, & Palm Pre
Last edited by bradb21; 12-08-2008 at 06:52 PM..
12-08-2008, 11:23 PM
By "hacked" I mean that someone has access to the mail server and somehow got the ability to send emails using it.
Starting Nmap 4.11 ( Nmap - Free Security Scanner For Network Exploration & Security Audits. ) at 2008-12-09 01:44 EST
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 1662 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
199/tcp open smux
443/tcp open https
444/tcp open snpp
465/tcp open smtps
631/tcp open ipp
815/tcp open unknown
what's this??
953/tcp open rndc
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql
10000/tcp open snet-sensor-mgmt
how can I check SSH security status??
[zimbra@mail ~]$ zmcontrol -v
Release 5.0.5_GA_2201.RHEL5_20080417012110 CentOS5 FOSS edition
OS - CentOS release 5.2 (Final)
Sorry, the attached file is very big; I replaced my server name and my IP address in it with myserver.com and my.ip.add.ress.
12-09-2008, 12:24 AM
Check /var/log/secure and see which accounts have accessed your system. You can also check /opt/zimbra/log/audit.log to see what Zimbra accounts have been accessed.
If you do feel your server has been compromised you should look at getting a rootkit discovery tool as well, e.g. Rootkit.nl - Protect your machine
12-09-2008, 12:56 AM
Thanks for the reply. I checked the audit and secure log files and I didn't find any problems.
Now I am going to check the server with a rootkit discovery tool.
12-09-2008, 01:17 AM
Only some warnings were found:
[03:47:05] Performing group and account checks
[03:47:05] Info: Starting test name 'group_accounts'
[03:47:05] Checking for passwd file [ Found ]
[03:47:05] Info: Found password file: /etc/passwd
[03:47:05] Checking for root equivalent (UID 0) accounts [ None found ]
[03:47:05] Info: Found shadow file: /etc/shadow
[03:47:05] Checking for passwordless accounts [ Warning ]
[03:47:05] Warning: Found passwordless account: zimbra
[03:47:05] Info: Starting test name 'passwd_changes'
[03:47:05] Checking for passwd file changes [ None found ]
[03:47:05] Info: Starting test name 'group_changes'
[03:47:05] Checking for group file changes [ None found ]
[03:47:05] Checking root account shell history files [ OK ]
[03:47:05]
[03:47:05] Performing system configuration file checks
[03:47:05] Info: Starting test name 'system_configs'
[03:47:05] Checking for SSH configuration file [ Found ]
[03:47:05] Info: Found SSH configuration file: /etc/ssh/sshd_config
[03:47:05] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
[03:47:05] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[03:47:05] Checking if SSH root access is allowed [ Warning ]
[03:47:05] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
[03:47:05] Checking if SSH protocol v1 is allowed [ Not allowed ]
[03:47:05] Checking for running syslog daemon [ Found ]
[03:47:05] Checking for syslog configuration file [ Found ]
[03:47:05] Info: Found syslog configuration file: /etc/syslog.conf
[03:47:05] Checking if syslog remote logging is allowed [ Warning ]
[03:47:05] Warning: Syslog configuration file allows remote logging: mail.* @myserver.com
[03:47:05]
[03:47:05] Performing filesystem checks
[03:47:06] Info: Starting test name 'filesystem'
[03:47:06] Info: SCAN_MODE_DEV set to 'THOROUGH'
[03:47:06] Checking /dev for suspicious file types [ None found ]
[03:47:06] Checking for hidden files and directories [ Warning ]
[03:47:06] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[03:47:29]
[03:47:29] Checking application versions...
[03:47:29] Info: Starting test name 'apps'
[03:47:30] Info: Application 'exim' not found.
[03:47:30] Checking version of GnuPG [ OK ]
[03:47:30] Info: Application 'gpg' version '1.4.5' found.
[03:47:30] Checking version of Apache [ OK ]
[03:47:30] Info: Application 'httpd' version '2.2.3' found.
[03:47:30] Checking version of Bind DNS [ OK ]
[03:47:30] Info: Application 'named' version '9.3.4' found.
[03:47:30] Checking version of OpenSSL [ OK ]
[03:47:30] Info: Application 'openssl' version '0.9.8b' found.
[03:47:30] Checking version of PHP [ OK ]
[03:47:30] Info: Application 'php' version '5.1.6' found.
[03:47:30] Checking version of Procmail MTA [ OK ]
[03:47:30] Info: Application 'procmail' version '3.22' found.
[03:47:30] Checking version of ProFTPd [ OK ]
[03:47:30] Info: Application 'proftpd' version '1.3.1' found.
[03:47:30] Checking version of OpenSSH [ OK ]
[03:47:30] Info: Application 'sshd' version '4.3p2' found.
[03:47:30] Info: Applications checked: 8 out of 9
[03:47:30]
[03:47:30] System checks summary
[03:47:30] =====================
[03:47:30]
[03:47:30] File properties checks...
[03:47:30] Required commands check failed
[03:47:30] Files checked: 131
[03:47:30] Suspect files: 6
[03:47:30]
[03:47:30] Rootkit checks...
[03:47:30] Rootkits checked : 114
[03:47:30] Possible rootkits: 0
[03:47:30]
[03:47:30] Applications checks...
[03:47:30] Applications checked: 8
[03:47:31] Suspect applications: 0
[03:47:31]
[03:47:31] The system checks took: 1 minute and 9 seconds
[03:47:31]
[03:47:31] Info: End date is Tue Dec 9 03:47:31 EST 2008
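The rkhunter warning above (PermitRootLogin unset, so sshd's built-in default applies) and the earlier question of how to check SSH security status both come down to reading sshd_config the way sshd itself does: keywords are case-insensitive, the first occurrence of a keyword wins, and anything after a Match line applies only to matching connections. The following Python script is an added example, not code from the thread, from rkhunter or from Zimbra; it assumes the OpenSSH defaults of that era (PermitRootLogin yes, Protocol 2,1 before OpenSSH 5.4, PasswordAuthentication yes, PermitEmptyPasswords no) and runs against two constructed config samples, one mirroring the rkhunter findings and one hardened.

```python
import re
import sys

# Built-in defaults that apply when a keyword is absent. These are the values for
# OpenSSH releases of the era the thread discusses (assumption): OpenSSH 5.4 changed
# Protocol to "2" only, and OpenSSH 7.0 changed PermitRootLogin to prohibit-password.
DEFAULTS = {
    "permitrootlogin": "yes",
    "protocol": "2,1",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
}

# Constructed sample mirroring the rkhunter findings in the thread: Protocol pinned
# to 2, but PermitRootLogin present only as a commented-out line.
WEAK_CONFIG = """\
# sshd_config (constructed sample)
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
Subsystem sftp /usr/libexec/openssh/sftp-server
"""

# Constructed hardened sample. The second PermitRootLogin line is deliberately
# contradictory: sshd keeps the first value it reads, so the effective value stays
# "no". The Match block re-enables passwords for one user only and must not change
# the global view.
HARDENED_CONFIG = """\
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin yes
Match User backup
    PasswordAuthentication yes
"""

# "Keyword value" or "Keyword=value"
KEYVAL_RE = re.compile(r"^([A-Za-z0-9]+)(?:\s+|\s*=\s*)(.*)$")


def effective_settings(config_text):
    """Return {keyword: (value, source)} for the keywords in DEFAULTS, resolved the way
    sshd resolves them: case-insensitive keyword, first occurrence wins, global section only."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYVAL_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break                       # conditional section: not part of the global settings
        seen.setdefault(key, value)     # first occurrence wins; later duplicates are ignored
    return {k: (seen[k], "file") if k in seen else (d, "default") for k, d in DEFAULTS.items()}


def audit(config_text):
    """Return (keyword, message) findings for the settings a compromised-server review cares about."""
    eff = effective_settings(config_text)
    findings = []
    value, source = eff["permitrootlogin"]
    if value.lower() == "yes":
        findings.append(("permitrootlogin",
                         f"root may log in directly over SSH ({source} value); set PermitRootLogin no"))
    if "1" in eff["protocol"][0].split(","):
        findings.append(("protocol", "SSH protocol 1 is accepted; set Protocol 2"))
    if eff["permitemptypasswords"][0].lower() == "yes":
        findings.append(("permitemptypasswords", "accounts with empty passwords may log in"))
    if eff["passwordauthentication"][0].lower() == "yes":
        findings.append(("passwordauthentication",
                         "password logins are accepted and can be guessed; prefer key-based authentication"))
    return findings


if __name__ == "__main__":
    # Usage: python sshd_audit.py /etc/ssh/sshd_config  (no argument: audit the two samples)
    if len(sys.argv) > 1:
        samples = {sys.argv[1]: open(sys.argv[1]).read()}
    else:
        samples = {"weak sample": WEAK_CONFIG, "hardened sample": HARDENED_CONFIG}
    for name, text in samples.items():
        print(f"== {name}")
        for keyword, message in audit(text) or [("ok", "no findings")]:
            print(f"  {keyword}: {message}")
```

The "default" source tag in a finding is the point rkhunter was making: a keyword that is merely commented out is not set, and what sshd then enforces depends on the OpenSSH version, so the fix is to state the value explicitly rather than rely on the default.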
12-09-2008, 03:49 AM
Before you go totally crazy, have you checked the header info of the returned e-mail to make sure the original sending server is your server's IP address?
I have customers that constantly have their domain names stolen by companies in Europe, using only their domain name with an unknown e-mail name for the sending & return address, but using their own temporary mailing server. Then all the bounced-back e-mail ends up on their server and other servers blacklist their domain name instead of the IP address.
12-09-2008, 11:15 AM
One other thing to check...
The server itself may not be hacked, but if you allow your users to use any simple password they like, one or more spammers may just be using a valid mailbox account on your server using a guessed or cracked password.
Zimbra usernames are email addresses; easy to find and half of the authentication requirements right there.
We insist upon using "complex" passwords and forced password rotations.
So, the "fix" might be as simple as just changing everyone's password, then generating an unblock request and see what happens.
Hope that helps,
Mark
"Sometimes a pipe is just a pipe..."
__________________
L. Mark Stone, CIO "Uptime. All the time."
477 Congress Street | Portland, ME 04101-3431 | (207) 772-5678
proactive maintenance and monitoring | technology consulting
Zimbra groupware | EMR implementations | private cloud hosting
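The checks the replies describe (which queue entries were deferred, what envelope senders they carried, and whether an authenticated mailbox on the server injected them, as opposed to spoofed mail that never touched it) can be run over the Postfix log mechanically. The following Python script is an added example, not code from the thread or from Zimbra. It assumes Postfix's standard smtpd log line with client= and, for authenticated sessions, sasl_username=, which the excerpt posted above does not include, and it runs on a constructed sample log modelled on the posted lines; the local domain list is an assumption to be replaced with your own.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample (not the thread's log verbatim): three queue IDs, each with the
# smtpd "client=" line Postfix writes when it accepts a message, the qmgr "from=" line
# and the delivery line. sasl_username appears only when the client authenticated.
SAMPLE_LOG = """\
Dec  8 10:12:01 mail postfix/smtpd[4410]: D6C1049C0523: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=bob@myserver.com
Dec  8 11:53:37 mail postfix/qmgr[5055]: D6C1049C0523: from=<alerts@cs.usbank-email.com>, size=5041, nrcpt=1 (queue active)
Dec  8 11:53:37 mail postfix/qmgr[5055]: D6C1049C0523: to=<jccthrift@juno.com>, relay=none, delay=97104, delays=97104/0/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.dca.untd.com[64.136.44.37] refused to talk to me: 550 Access denied)
Dec  8 10:15:44 mail postfix/smtpd[4412]: B211049C0012: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=bob@myserver.com
Dec  8 11:53:43 mail postfix/qmgr[5055]: B211049C0012: from=<alerts@cs.usbank-email.com>, size=5056, nrcpt=1 (queue active)
Dec  8 11:53:43 mail postfix/smtp[6575]: B211049C0012: to=<greenhornet65613@olympus.net>, relay=mx1.olympus.net[65.117.224.91]:25, delay=134840, delays=134834/0.21/5.2/0.32, dsn=4.0.0, status=deferred (host mx1.olympus.net[65.117.224.91] said: 451 Sender verify failed (in reply to RCPT TO command))
Dec  8 12:01:09 mail postfix/smtpd[4415]: 1A2B3C4D5E6F: client=localhost[127.0.0.1]
Dec  8 12:01:09 mail postfix/qmgr[5055]: 1A2B3C4D5E6F: from=<alice@myserver.com>, size=2210, nrcpt=1 (queue active)
Dec  8 12:01:10 mail postfix/smtp[6580]: 1A2B3C4D5E6F: to=<friend@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=0.8, delays=0.1/0/0.3/0.4, dsn=2.0.0, status=sent (250 OK)
"""

QUEUE_RE = re.compile(r"postfix/(?P<proc>\w+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")
CLIENT_RE = re.compile(r"client=(?P<client>[^,\s]+)")
SASL_RE = re.compile(r"sasl_username=(?P<user>[^,\s]+)")
FROM_RE = re.compile(r"from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"to=<(?P<addr>[^>]*)>.*status=(?P<status>\w+)")


def parse_postfix(text):
    """Group log lines by Postfix queue ID into one record per message."""
    msgs = defaultdict(lambda: {"client": None, "sasl_user": None,
                                "sender": None, "recipients": []})
    for line in text.splitlines():
        m = QUEUE_RE.search(line)
        if not m:
            continue
        rec, rest = msgs[m.group("qid")], m.group("rest")
        if m.group("proc") == "smtpd":          # who handed us the message
            c, s = CLIENT_RE.search(rest), SASL_RE.search(rest)
            if c:
                rec["client"] = c.group("client")
            if s:
                rec["sasl_user"] = s.group("user")
            continue
        f = FROM_RE.search(rest)                # envelope sender (easily forged)
        if f:
            rec["sender"] = f.group("addr")
            continue
        t = TO_RE.search(rest)                  # per-recipient delivery outcome
        if t:
            rec["recipients"].append((t.group("addr"), t.group("status")))
    return dict(msgs)


def triage(msgs, local_domains):
    """Summarise who injected each message and how it fared downstream."""
    local = {d.lower() for d in local_domains}
    deferred_by_sender, by_auth_user, foreign_by_user = Counter(), Counter(), Counter()
    unauthenticated = 0
    for rec in msgs.values():
        sender = rec["sender"] or ""
        domain = sender.rpartition("@")[2].lower()
        n_deferred = sum(1 for _, status in rec["recipients"] if status == "deferred")
        if n_deferred:
            deferred_by_sender[sender] += n_deferred
        if rec["sasl_user"]:
            by_auth_user[rec["sasl_user"]] += 1
            # A mailbox on our server sending as some other domain is the classic
            # sign of a guessed or stolen password being used to relay spam.
            if domain and domain not in local:
                foreign_by_user[rec["sasl_user"]] += 1
        else:
            unauthenticated += 1
    return {
        "deferred_by_sender": dict(deferred_by_sender),
        "messages_by_auth_user": dict(by_auth_user),
        "foreign_sender_by_auth_user": dict(foreign_by_user),
        "unauthenticated_messages": unauthenticated,
    }


if __name__ == "__main__":
    # Usage: python postfix_triage.py /path/to/mail.log  (no argument: use the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for key, value in triage(parse_postfix(text), local_domains={"myserver.com"}).items():
        print(f"{key}: {value}")
```

Run it against the file your syslog mail.* facility writes to (on Zimbra hosts typically /var/log/zimbra.log, an assumption to verify against /etc/syslog.conf). An account that shows up in foreign_sender_by_auth_user with many messages is the one whose password to reset first; if every deferred message is unauthenticated and came from an outside client, look instead at whether the server relays for that client, and if the deferred mail never appears in your log at all, the bounces are from a spoofed sender domain and the blacklisting is about the domain, not your IP, as the previous reply suggests.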