#1  10-19-2009, 02:38 AM  Junior Member (Posts: 6)
My server is infected?

Hi everyone.
I'm receiving a lot of virus alerts on the admin account of my ZCS 6 on Debian 5.
What is making me worried is the fact that some of these are "FROM LOCAL <>".
Does it mean that my system is compromised?
What should I do?
I upgraded from Debian 4 to 5 and from ZCS 5 to 6 hoping to solve this problem but still no luck!

Please Help

Thanks
DMD
#2  10-19-2009, 02:41 AM  Moderator (Posts: 7,928)

Are you able to post the headers from one of the emails?

Most probably you have set the AV notify user to be your admin account (which is the default, I believe).
#3  10-19-2009, 06:10 AM  Junior Member (Posts: 6)
Headers

Hi uxbod,
Thanks for your reply.
I think that my system is compromised because it seems that the infected e-mail originates from the system itself:

This is the subject of the e-mail:

VIRUS (Trojan.Peed-479) in mail FROM LOCAL [192.168.xxx.yyy] <>


This is the body of the e-mail:
A virus was found: Trojan.Peed-479

Scanner detecting a virus: ClamAV-clamd

Content type: Virus
Internal reference code for the message is 23264-06/JOLutkiE+dL3

First upstream SMTP client IP address: [192.168.xxx.yyy] mail.myserver.it
According to a 'Received:' trace, the message apparently originated at:
[192.168.xxx.yyy], mail.myserver.it mail.myserver.it [192.168.xxx.yyy]

Return-Path: <>
From: MAILER-DAEMON
Message-ID: <32769237.15361255775825819.JavaMail.root@mail.myserver.it>
Subject: zimbra-spam-report: someuser@myserver.it: spam The message has been quarantined as: virus-JOLutkiE+dL3

Notification to sender will not be mailed.

The message WAS NOT relayed to:
<spam.tsypwocu@myserver.it>:
250 2.7.0 Ok, discarded, id=23264-06 - INFECTED: Trojan.Peed-479

Virus scanner output:
p002: Trojan.Peed-479 FOUND


And these are the headers:

Return-Path: <>
Received: from mail.myserver.it (mail.myserver.it [192.168.xxx.yyy])
by mail.myserver.it (Postfix) with ESMTP id C8682DC6E89
for <spam.tsypwocu@myserver.it>; Sat, 17 Oct 2009 12:37:05 +0200 (CEST)
To: spam.tsypwocu@myserver.it
Message-ID: <32769237.15361255775825819.JavaMail.root@mail.myserver.it>
Subject: zimbra-spam-report: someuser@myserver.it: spam
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_Part_1066_28229837.1255775825818"
X-Zimbra-Spam-Report-Sender: someuser@myserver.it
X-Zimbra-Spam-Report-Type: spam
X-Originating-IP: [85.18.190.82]
Date: Sat, 17 Oct 2009 12:37:05 +0200 (CEST)
From: MAILER-DAEMON
#4  10-19-2009, 06:14 AM  Moderator (Posts: 7,928)

The reason why it appears to have come from your server is that somebody external emailed one of your users. Postfix accepted it and handed it off to Amavis. Amavis checked whether it was spam or a virus. It saw it as spam, so it attempted to send it to your spam-training user. It was then rejected because it contained a virus.
#5  10-19-2009, 08:46 AM  Junior Member (Posts: 6)
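Added example, not code from the thread or from Zimbra: a small Python triage of the headers quoted above that decides whether a "FROM LOCAL" virus alert is a user-reported spam copy relayed to the spam-training address (public X-Originating-IP, only private Received hops) or a message with no external origin visible, which is the case that warrants a look at the host. The sample headers are constructed from the post, with a made-up private address in place of 192.168.xxx.yyy.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample, modelled on the notification headers quoted in the
# thread; the private address (192.168.xxx.yyy there) is a made-up one.
SAMPLE_HEADERS = """Return-Path: <>
Received: from mail.myserver.it (mail.myserver.it [192.168.10.20])
  by mail.myserver.it (Postfix) with ESMTP id C8682DC6E89
  for <spam.tsypwocu@myserver.it>; Sat, 17 Oct 2009 12:37:05 +0200 (CEST)
Subject: zimbra-spam-report: someuser@myserver.it: spam
X-Zimbra-Spam-Report-Sender: someuser@myserver.it
X-Zimbra-Spam-Report-Type: spam
X-Originating-IP: [85.18.190.82]
From: MAILER-DAEMON

"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(msg):
    """Client IP from each Received: header, most recent hop first."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(hdr)
        if m:
            hops.append(ipaddress.ip_address(m.group(1)))
    return hops

def originating_ip(msg):
    """IP Zimbra recorded in X-Originating-IP (the submitting client), or None."""
    m = IP_RE.search(msg.get("X-Originating-IP", ""))
    return ipaddress.ip_address(m.group(1)) if m else None

def triage(raw_headers):
    """Classify a 'FROM LOCAL' alert: relayed spam report, local origin, or external."""
    msg = message_from_string(raw_headers)
    hops, orig = received_hops(msg), originating_ip(msg)
    is_report = (msg.get("X-Zimbra-Spam-Report-Type") is not None
                 or msg.get("Subject", "").startswith("zimbra-spam-report:"))
    all_local = bool(hops) and all(h.is_private for h in hops)
    if is_report and all_local and orig is not None and not orig.is_private:
        verdict = "user-reported spam forwarded to the spam-training account"
    elif all_local and orig is None:
        verdict = "no external origin visible; inspect the host"
    else:
        verdict = "external delivery"
    return {"hops": [str(h) for h in hops],
            "originating_ip": str(orig) if orig else None,
            "spam_report": is_report, "verdict": verdict}
```

Feed it the raw header block of each alert's quoted message; a run of "inspect the host" verdicts without a matching spam-report subject is the pattern that would actually point at a local infection.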

Thank you uxbod.
I was really worried about it: for 4 months now somebody has been sending a lot of spam and viruses to our users, and I wasn't sure everything was all right with my server since I'm managing a machine that was set up by another administrator.

Thanks again
DMD
#6  10-19-2009, 08:50 AM  Moderator (Posts: 7,928)

You should look to see how you can tighten up the anti-spam ... search the forums for sanesecurity, spamassassin, barracuda and rbls.
#7  10-22-2009, 12:46 AM  Junior Member (Posts: 6)

Thank you again uxbod.
It seems that now spammers have a harder life :-). Unfortunately they are still beating me in this bloody fight :-).
#8  10-22-2009, 12:52 AM  Zimbra Consultant & Moderator (Posts: 20,312)

Quote: Originally Posted by DMDIT
    Thank you again uxbod.
    It seems that now spammers have a harder life :-). Unfortunately they are still beating me in this bloody fight :-).
What are the tag/kill percentages set to on your server (look in the Admin UI, MTA tab)?

Have you implemented any RBLs on the server? If you don't have the zen RBL, then add this one, zen.spamhaus.org, as the first in your RBL list. Implement smtpd_reject_unlisted_recipients and you'll also stop a lot of unwanted messages.
Regards,
Bill
#9  10-22-2009, 01:19 AM  Junior Member (Posts: 6)

Kill percentage: 75
Tag percentage: 33

Now that you told me I added that address into my RBL.

I'm not very familiar with RBLs and I'm trying to be careful.
#10  10-22-2009, 01:23 AM  Junior Member (Posts: 6)

Oops!!
When I save my configuration it complains:

Error in JavaScript method:
ZaXFormViewController.prototype._saveChangesCallback

name: TypeError message: 'cnt' is not defined number: -2146823279
description: 'cnt' is not defined