
Thread: My server is infected?

  1. #1 DMDIT (Junior Member)

    My server is infected?

    Hi everyone.
    I'm receiving a lot of virus alerts on the admin account of my ZCS 6 on Debian 5.
    What is making me worry is the fact that some of these are "FROM LOCAL <>".
    Does it mean that my system is compromised?
    What should I do?
    I upgraded from Debian 4 to 5 and from ZCS 5 to 6 hoping to solve this problem, but still no luck!

    Please Help

    Thanks
    DMD

  2. #2 uxbod (Moderator)

    Are you able to post the headers from one of the emails?

    Most probably it is that you have set the AV notify user to be your admin account (which is the default, I believe).

  3. #3 DMDIT (Junior Member)

    Headers

    Hi uxbod
    Thanks for your reply
    I think that my system is compromised because it seems that the infected e-mail is generated by the system itself:

    This is the subject of the e-mail:

    VIRUS (Trojan.Peed-479) in mail FROM LOCAL [192.168.xxx.yyy] <>

    This is the body of the e-mail:

    A virus was found: Trojan.Peed-479

    Scanner detecting a virus: ClamAV-clamd

    Content type: Virus
    Internal reference code for the message is 23264-06/JOLutkiE+dL3

    First upstream SMTP client IP address: [192.168.xxx.yyy] mail.myserver.it
    According to a 'Received:' trace, the message apparently originated at:
      [192.168.xxx.yyy], mail.myserver.it mail.myserver.it [192.168.xxx.yyy]

    Return-Path: <>
    From: MAILER-DAEMON
    Message-ID: <32769237.15361255775825819.JavaMail.root@mail.myserver.it>
    Subject: zimbra-spam-report: someuser@myserver.it: spam

    The message has been quarantined as: virus-JOLutkiE+dL3

    Notification to sender will not be mailed.

    The message WAS NOT relayed to:
    <spam.tsypwocu@myserver.it>:
    250 2.7.0 Ok, discarded, id=23264-06 - INFECTED: Trojan.Peed-479

    Virus scanner output:
    p002: Trojan.Peed-479 FOUND


    And these are the headers:

    Return-Path: <>
    Received: from mail.myserver.it (mail.myserver.it [192.168.xxx.yyy])
        by mail.myserver.it (Postfix) with ESMTP id C8682DC6E89
        for <spam.tsypwocu@myserver.it>; Sat, 17 Oct 2009 12:37:05 +0200 (CEST)
    To: spam.tsypwocu@myserver.it
    Message-ID: <32769237.15361255775825819.JavaMail.root@mail.myserver.it>
    Subject: zimbra-spam-report: someuser@myserver.it: spam
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
        boundary="----=_Part_1066_28229837.1255775825818"
    X-Zimbra-Spam-Report-Sender: someuser@myserver.it
    X-Zimbra-Spam-Report-Type: spam
    X-Originating-IP: [85.18.190.82]
    Date: Sat, 17 Oct 2009 12:37:05 +0200 (CEST)
    From: MAILER-DAEMON

  4. #4 uxbod (Moderator)

    The reason why it appears to have come from your server is that somebody, external, emailed one of your users. Postfix accepted it and handed it off to Amavis. Amavis checked whether it was spam or a virus. It saw it as spam, so it attempted to send it to your SPAM training user. It was then rejected due to it containing a virus.
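    An added example, not from the thread, that reads the headers quoted in post #3 the way the explanation above does. It uses only Python's standard library on a constructed copy of those headers (the masked 192.168.xxx.yyy is replaced by 192.168.0.10): the single Received: hop is the server handing the message to itself for the spam-training address, the Subject and X-Zimbra-Spam-Report-Type headers mark it as Zimbra's own spam report, and X-Originating-IP carries a public address, so the "FROM LOCAL" in the notice describes that relay hop rather than code running on the host. The verdict labels are my own.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample modelled on the headers quoted in post #3; the masked
# 192.168.xxx.yyy is replaced by a constructed RFC 1918 address.
SAMPLE_HEADERS = """\
Return-Path: <>
Received: from mail.myserver.it (mail.myserver.it [192.168.0.10])
\tby mail.myserver.it (Postfix) with ESMTP id C8682DC6E89
\tfor <spam.tsypwocu@myserver.it>; Sat, 17 Oct 2009 12:37:05 +0200 (CEST)
Subject: zimbra-spam-report: someuser@myserver.it: spam
X-Zimbra-Spam-Report-Type: spam
X-Originating-IP: [85.18.190.82]
"""
# "from <helo> (<rdns> [<ip>]) by <host>" as Postfix writes it; \s spans header folding.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^\s\[]+)?\s*\[([0-9.]+)\]\)\s+by\s+(\S+)")

def parse_received(raw):
    """One dict per Received: hop, top-most (most recent) first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append({"helo": m.group(1), "client_ip": m.group(3), "by": m.group(4)})
    return hops

def explain_notification(raw):
    """Gather the facts behind amavis's 'FROM LOCAL [ip] <>' wording."""
    msg = message_from_string(raw)
    hops = parse_received(raw)
    first_hop = hops[-1]["client_ip"] if hops else None  # bottom-most hop = first SMTP client
    orig = (msg.get("X-Originating-IP") or "").strip("[] ") or None
    return {
        "first_hop_client": first_hop,
        "first_hop_is_internal": bool(first_hop and ipaddress.ip_address(first_hop).is_private),
        "originating_ip": orig,
        "originating_is_external": bool(orig and not ipaddress.ip_address(orig).is_private),
        "is_spam_report": (msg.get("Subject", "").startswith("zimbra-spam-report:")
                           and msg.get("X-Zimbra-Spam-Report-Type") is not None),
    }

def verdict(raw):
    # relay-hop: the server relayed its own spam report (the thread's case);
    # inspect-host: submitted locally with no outside origin recorded; else external.
    i = explain_notification(raw)
    if i["is_spam_report"] and i["first_hop_is_internal"] and i["originating_is_external"]:
        return "relay-hop"
    if i["first_hop_is_internal"] and not i["originating_ip"]:
        return "inspect-host"
    return "external"
```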

  5. #5 DMDIT (Junior Member)

    Thank you uxbod.
    I was really worried about it: it's 4 months now that somebody is sending a lot of spam and viruses to our users, and I wasn't sure everything was all right with my server, since I'm managing a machine that was set up by another administrator.

    Thanks again
    DMD

  6. #6 uxbod (Moderator)

    You should look to see how you can tighten up the anti-spam ... search the forums for sanesecurity, spamassassin, barracuda and rbls.

  7. #7 DMDIT (Junior Member)

    Thank you again uxbod.
    It seems that now spammers have a harder life :-). Unfortunately they are still beating me in this bloody fight :-).

  8. #8 phoenix (Zimbra Consultant & Moderator)

    Quote Originally Posted by DMDIT:
        Thank you again uxbod.
        It seems that now spammers have a harder life :-). Unfortunately they are still beating me in this bloody fight :-).

    What are the tag/kill percentages set to on your server (look in the Admin UI/MTA tab)?

    Have you implemented any RBLs in use on the server? If you don't have the zen RBL, then add this one, zen.spamhaus.org, as the first in your RBL list. Implement the smtpd_reject_unlisted_recipients and you'll also stop a lot of unwanted messages.

    Regards
    Bill

  9. #9 DMDIT (Junior Member)

    Kill percentage: 75
    Tag percentage: 33

    Now that you told me I added that address into my RBL.

    I'm not very familiar with RBLs and I'm trying to be careful

  10. #10 DMDIT (Junior Member)

    Oops!!
    When I save my configuration it complains:

    Error in JavaScript method:
    ZaXFormViewController.prototype._saveChangesCallback

    name: TypeError message: 'cnt' is not defined number: -2146823279
    description: 'cnt' is not defined
