#1
11-19-2010, 05:26 AM
New Member
Posts: 3
Zimbra got hacked?

Hello all,
The strangest thing happened. We have a new installation that we published to the internet, and we forgot to change the password of the user "admin". Our default password was "password". The server was in production for a couple of months without any problem.
Yesterday I noticed that I had stopped receiving the "Daily Mail Report" in my admin mailbox, which I have configured in Thunderbird. Also, I got a warning from a telco that I was sending spam from the admin@ account.
I entered the UI as user admin, and when I click New to compose an email, text appears in the body of the email: a spam mail! And when I send that mail, the display name isn't mine anymore; it is "SECRET POWERS", and it has a Reply-To: set to a Gmail address.
The strange thing is that when I go to the Administration Page, the display name and every parameter are normal in the admin account.
So I am very confused; I don't know where the system is reading those names and the automatic message body from.

Please help!

Regards
#2
11-19-2010, 06:14 AM
Moderator
Posts: 1,554

Could it be a persona for the admin account? Maybe the body is a signature?
#3
11-19-2010, 06:23 AM
New Member
Posts: 3

No, I am the only admin. By the way, where do I configure the signature?

Also, I found this in the logs:

/opt/zimbra/log/mailbox.log.2010-11-16:2010-11-16 14:27:44,473 INFO [btpool0-791://200.x.x.x/service/soap/SendMsgRequest] [name=admin@zimbra.x.x.x;mid=1;ip=71.113.139.253;ua=ZimbraWebClient - FF3.0 (Win)/6.0.8_GA_2661;] sqltrace - Slow execution (2427ms): INSERT INTO mboxgroup1.mail_item(mailbox_id, id, type, parent_id, folder_id, index_id, imap_id, date, size, volume_id, blob_digest, unread, flags, tags, sender, subject, name, metadata, mod_metadata, change_date, mod_content) VALUES (1, 11124, 5, NULL, 5, '11124', 11124, 1289928461, 9862, '1', '97tWG2hwW5fjzZxUJiqjP2SIgGY=', 0, 1, 0, 'SECRET POWERS', '', NULL, 'd1:f150:Has anything ever bothered you in life? Do you have any problem you need to solve? A pending court case you want to resolve in your favor? Health, ...1:s39:SECRET POWERS <admin@zimbra.x.x.x>1:t0:1:vi10ee', 16700, 1289928462, 16700)
#4
11-19-2010, 06:46 AM
New Member
Posts: 3

I found the From: and the Reply-To: parameters that were changed in the admin account preferences. I reset them to my name and now everything is OK.
So, I wonder how this happened. Was it a "robot" attack, or was a human behind these changes? A simple password change would do it?
#5
11-23-2010, 01:08 PM
Moderator
Posts: 1,209

For sure change the password to something complex on the admin mailbox.

You could also create a new global admin mailbox account with a more cryptic name, set the status of the existing admin account to "Locked", and in the admin mailbox configure hidden forwarding to the new global admin mailbox.

Hope that helps,
Mark
__________________
___________________________________
L. Mark Stone, CIO


"Uptime. All the time."

477 Congress Street | Portland, ME 04101-3431 | (207) 772-5678

proactive maintenance and monitoring | technology consulting
Zimbra groupware | EMR implementations | private cloud hosting
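
The log line quoted in post #3 carries the account name and client IP in its bracketed context, which is enough to check from which addresses the admin account sent mail through the web client. The Python below is an added example, not part of the original thread or of Zimbra; the sample lines, the `example.test` names, the documentation-range addresses and the `untrusted_sends` helper are constructed for illustration, and 192.0.2.0/24 stands in for the administrators' own network.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the mailbox.log layout quoted in post #3.
# Host names and addresses are documentation values, not from the thread.
SAMPLE_LOG = """\
2010-11-16 09:02:11,120 INFO  [btpool0-12://mail.example.test/service/soap/SendMsgRequest] [name=admin@example.test;mid=1;ip=192.0.2.10;ua=ZimbraWebClient - FF3.0 (Win)/6.0.8_GA_2661;] soap - SendMsgRequest
2010-11-16 14:27:44,473 INFO  [btpool0-791://mail.example.test/service/soap/SendMsgRequest] [name=admin@example.test;mid=1;ip=203.0.113.77;ua=ZimbraWebClient - FF3.0 (Win)/6.0.8_GA_2661;] sqltrace - Slow execution (2427ms): INSERT INTO mboxgroup1.mail_item(...)
2010-11-16 14:27:50,004 INFO  [btpool0-791://mail.example.test/service/soap/SendMsgRequest] [name=admin@example.test;mid=1;ip=203.0.113.77;ua=ZimbraWebClient - FF3.0 (Win)/6.0.8_GA_2661;] soap - SendMsgRequest
2010-11-16 14:30:02,911 INFO  [btpool0-800://mail.example.test/service/soap/SearchRequest] [name=admin@example.test;mid=1;ip=203.0.113.77;ua=ZimbraWebClient - FF3.0 (Win)/6.0.8_GA_2661;] soap - SearchRequest
2010-11-16 15:00:00,000 INFO  [btpool0-3://mail.example.test/service/soap/SendMsgRequest] [name=user@example.test;mid=7;ip=198.51.100.5;ua=ZimbraWebClient - FF3.0 (Win)/6.0.8_GA_2661;] soap - SendMsgRequest
"""

# Layout: [thread://host/service/soap/<Request>] [key=value;key=value;...]
LINE_RE = re.compile(r"\[[^\]]*/service/soap/(?P<req>\w+)\]\s+\[(?P<ctx>[^\]]*)\]")
FIELD_RE = re.compile(r"(\w+)=([^;]*)")


def untrusted_sends(log_text, account, trusted_nets):
    """Count SendMsgRequest log lines for `account` per source IP outside trusted_nets."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)  # search() tolerates a "file:" prefix from grep
        if not m or m.group("req") != "SendMsgRequest":
            continue
        ctx = dict(FIELD_RE.findall(m.group("ctx")))
        if ctx.get("name") != account:
            continue
        try:
            ip = ipaddress.ip_address(ctx.get("ip", ""))
        except ValueError:
            continue  # missing, redacted or malformed address, e.g. 200.x.x.x
        if not any(ip in net for net in nets):
            hits[str(ip)] += 1
    return dict(hits)


if __name__ == "__main__":
    # Sends by the admin account from outside the (assumed) admin network.
    print(untrusted_sends(SAMPLE_LOG, "admin@example.test", ["192.0.2.0/24"]))
```

The counts are log lines rather than messages, because one request can be logged more than once, as the sqltrace entry shows.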