Zimbra offers Open Source email server software and shared calendar for Linux and the Mac
#1
09-03-2010, 12:14 PM
Junior Member
Posts: 8
security problem

Hi there,

My Zimbra server is being used for spam, but I don't know how. If I test from some MX relay test, the result is relay denied. Viewing the logs I found this information:

2010-09-03 12:10:05,189 INFO [btpool0-53://localhost:7071/service/admin/soap/AuthRequest] [ip=127.0.0.1;] soap - AuthRequest
2010-09-03 12:10:05,333 INFO [btpool0-53://localhost:7071/service/admin/soap/GetAllServersRequest] [name=zimbra;ip=127.0.0.1;] soap - GetAllServersRequest

I understood from it that somebody is using the zimbra user and is masquerading with the localhost IP.

What can I do to block it? This problem is driving me crazy!!!

On my firewall I have only opened the following ports: www, dns, smtp, imap4.

Please help me.
#2
09-03-2010, 12:21 PM
Advanced Member
Posts: 205

port 7071 is for the Admin interface.
#3
09-03-2010, 02:23 PM
Junior Member
Posts: 8

Quote:
Originally Posted by jrefl5
port 7071 is for the Admin interface.

Yes! I know that. That is the case: somebody is reaching the web admin interface with the zimbra user. I put a password on this user and the problem still persists.

I have disabled the admin user and only have one user with these privileges, my user. So when I access the admin web page I have this log:

2010-09-03 12:43:09,861 INFO [btpool0-44://192.168.1.X:7071/service/admin/soap/GetLoggerStatsRequest] [name=myuser@domain;mid=4;ip=192.168.1.XX;ua=ZimbraWebClient - FF3.0 (Win);] soap - GetLoggerStatsRequest

I have checked all the computers in my LAN (about 15 PCs) with Kaspersky antivirus and Malwarebytes' Anti-Malware and I did not find any computer infected.
#4
09-03-2010, 11:49 PM
Zimbra Consultant & Moderator
Posts: 20,313

Quote:
Originally Posted by juancanic
Yes! I know that. That is the case: somebody is reaching the web admin interface with the zimbra user. I put a password on this user and the problem still persists.

You've not actually given any evidence that your server is being used to send spam. Why do you think that's happening? What evidence do you have to show mail going through your server? Other than the Admin user login, what other log entries do you have to show that spam is going through your server?
__________________
Regards


Bill
#5
09-06-2010, 07:25 AM
Junior Member
Posts: 8

Quote:
Originally Posted by phoenix
You've not actually given any evidence that your server is being used to send spam. Why do you think that's happening? What evidence do you have to show mail going through your server? Other than the Admin user login, what other log entries do you have to show that spam is going through your server?

I only have about 20 PCs in my LAN, nobody leaves a computer turned on at night, and in the middle of the night about 12K emails appear to be sent. Attached is the graph.spam.jpg
#6
09-06-2010, 07:34 AM
Zimbra Consultant & Moderator
Posts: 20,313

Look in the log files and see what's happening on your server.
__________________
Regards


Bill