
Thread: Zimbra server hacked

  1. #1
    LeoB is offline Junior Member
    Join Date
    Jan 2014
    Posts
    5
    Rep Power
    1

    Zimbra server hacked

    Hi,
    I have a Zimbra 8.06 installation on a CentOS 6 server.
    Yesterday someone started 3 processes in the tmp folder with zimbra and added 2 jobs to the crontab.
    Could you help me understand how I can secure the server and how they did that?

    Thank you very much!

  2. #2
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,491
    Rep Power
    56


    Quote: Originally Posted by LeoB
    I have a Zimbra 8.06 installation on a CentOS 6 server.
    Yesterday someone started 3 processes in the tmp folder with zimbra and added 2 jobs to the crontab.
    Could you help me understand how I can secure the server and how they did that?
    Not really as you've given no details on what they've actually done nor have you provided any details of your configuration (hardware or software) or the current security on your server. You could start by giving details on whether this server is behind a NAT router or directly on the internet or if this is a rootkit that's installed or what you've done to check and remove the offending processes.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  3. #3
    LeoB is offline Junior Member

    Thank you Bill for your quick reply.
    It's a virtual machine hosted by an Italian provider and it's directly connected to the internet with a public IP. It's protected by iptables through a shorewall configuration. Only Zimbra is installed, on a CentOS 6.3 OS installed with the minimal option.
    I found a new entry in the cron of the user zimbra that every 6 hours downloads and launches a process in the /tmp/ folder. I didn't understand what the process does, but scanning it with VirusTotal, it says it's a bitcoinminer process. I also found in the same folder a cfg file with this entry stratum+tcp://ltc-eu.give-me-coins.com:3333 and a username and a password.
    Until now I just removed the cron entry, killed the processes and deleted them from the tmp folder, but I don't know how they added the cron entry. Is there a log of the web interface to understand if they exploited the web in some way?

    thank you again!

  4. #4
    phoenix is offline Zimbra Consultant & Moderator

    Are you certain that you have ZCS 8.0.6 installed? Post the output of the following command:

    Code:
    zmcontrol -v
    This vulnerability was fixed in ZCS 8.0.6, are you sure this hack happened recently? Is this the only version of ZCS you've installed and was it a new install or an upgrade?
    Regards


    Bill



  5. #5
    LeoB is offline Junior Member

    Yes, I'm sure it's a 8.06. This is the output of the command you said:

    Code:
    Release 8.0.6_GA_5922.RHEL6_64_20131203103705 RHEL6_64 FOSS edition
    I also checked the creation date of the files and they are from 24 Jan 23.30 to 25 Jan at 7.56 am..

    Is there a log file where I can see what happened at that time?

  6. #6
    LeoB is offline Junior Member

    Sorry, I forgot to say it's an upgrade from a 7 version (I don't remember exactly the version) but for sure one of the bugged versions.

  7. #7
    phoenix is offline Zimbra Consultant & Moderator

    Take a look at this thread: Zimbra hack
    Regards


    Bill



  8. #8
    LeoB is offline Junior Member

    Thank you, I found the same zimlets installed and I removed them.
    I also checked the access_log and I found a couple of IPs that called the zimlets to download and launch the process in the /tmp folder. Probably they installed the zimlet before the upgrade.
    Do you suggest something more to check?

    Thank you again!!

  9. #9
    phoenix is offline Zimbra Consultant & Moderator

    If you've removed the zimlets and any stray files they've left then there shouldn't be any problems. Keep an eye on your server and if there are any further incidents then post again.
    Regards


    Bill



  10. #10
    BobyMike is offline New Member
    Join Date
    Jan 2014
    Posts
    3
    Rep Power
    1


    Hi all! I really hope that somebody can help!

    I run Zimbra 8.0.6 on a SUSE SLES 11. After I cleaned up the zimlets and the hacks from /tmp all went well until this morning, when the server stopped delivering e-mails. It sends the e-mails from clients (for example: if sending to Yahoo, the mail gets to the Yahoo account, but if the guy from Yahoo answers, then the e-mail remains in the queue). I have searched the web all day long, but didn't find something that works.

    I'll put here the logs which seem to be the cause:

    /opt/zimbra/log/mailbox.log
    2014-02-03 08:59:41,386 INFO [qtp310912546-33234:http://127.0.0.1:81/service/soap/BatchRequest] [name=ion.busuioc@my-domain.com;mid=174;oip=86.127.149.17;ua=ZCS/8.0.6_GA_5922;] soap - BatchRequest
    2014-02-03 08:59:41,403 WARN [qtp310912546-33234:http://127.0.0.1:81/service/soap/BatchRequest] [name=ion.busuioc@my-domain.com;mid=174;oip=86.127.149.17;ua=ZCS/8.0.6_GA_5922;] zimlet - Zimlet not
    found: /opt/zimbra/zimlets-deployed/com_zimbra_example_simplejspaction
    2014-02-03 08:59:41,406 WARN [qtp310912546-33234:http://127.0.0.1:81/service/soap/BatchRequest] [name=ion.busuioc@my-domain.com;mid=174;oip=86.127.149.17;ua=ZCS/8.0.6_GA_5922;] zimlet - Zimlet not
    found: /opt/zimbra/zimlets-deployed/com_zimbra_example_simplejspaction2
    2014-02-03 09:19:36,513 INFO [qtp310912546-33370:http://xx.yy.zz.ww:81/service/soap/G...rRulesRequest] [name=ion.busuioc@my-domain.com;mid=174;ip=86.127.149.17;ua=ZimbraWebClient - GC32 (Win)
    /8.0.6_GA_5922;] soap - GetFilterRulesRequest elapsed=25
    2014-02-03 09:19:36,573 WARN [qtp310912546-33371:http://xx.yy.zz.ww:81/service/zimlet...ndar_icon.png] [] zimlet - Zimlet not found: /opt/zimbra/zimlets-deployed/com_zim
    bra_example_simplejspaction
    2014-02-03 09:19:36,577 WARN [qtp310912546-33371:http://xx.yy.zz.ww:81/service/zimlet...ndar_icon.png] [] zimlet - Zimlet not found: /opt/zimbra/zimlets-deployed/com_zim
    bra_example_simplejspaction2


    2014-02-03 09:12:30,934 INFO [ImapSSLServer-741] [name=iuliana.radu@my-domain.com;mid=56;ip=192.168.13.71;] imap - UID FETCH elapsed=38
    2014-02-03 09:12:31,009 WARN [ImapSSLServer-743] [name=iuliana.radu@my-domain.com;mid=56;ip=192.168.13.71;] imap - ignoring error during UID FETCH:
    com.zimbra.cs.mailbox.MailServiceException: No such blob: mailbox=56, item=16027, change=43727
    ExceptionId:ImapSSLServer-743:1391411551009:b43558857dabbacc
    Code:mail.NO_SUCH_BLOB Arg:(itemId, IID, "16027") Arg:(ver, NUM, "43727")
    at com.zimbra.cs.mailbox.MailServiceException.NO_SUCH_BLOB(MailServiceException.java:303)
    at com.zimbra.cs.mailbox.MailItem.getBlob(MailItem.java:1255)
    at com.zimbra.cs.mailbox.MessageCache.fetchFromStore(MessageCache.java:230)
    at com.zimbra.cs.mailbox.MessageCache.getMimeMessage(MessageCache.java:166)
    at com.zimbra.cs.mailbox.Message.getMimeMessage(Message.java:457)
    at com.zimbra.cs.imap.ImapMessage.getMimeMessage(ImapMessage.java:243)
    at com.zimbra.cs.imap.ImapHandler.fetch(ImapHandler.java:3746)
    at com.zimbra.cs.imap.ImapHandler.fetch(ImapHandler.java:3559)
    at com.zimbra.cs.imap.ImapHandler.doFETCH(ImapHandler.java:3554)
    at com.zimbra.cs.imap.ImapHandler.executeRequest(ImapHandler.java:506)
    at com.zimbra.cs.imap.NioImapHandler.processRequest(NioImapHandler.java:124)
    at com.zimbra.cs.imap.NioImapHandler.messageReceived(NioImapHandler.java:61)
    at com.zimbra.cs.server.NioHandlerDispatcher.messageReceived(NioHandlerDispatcher.java:88)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:716)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
    at com.zimbra.cs.server.NioLoggingFilter.messageReceived(NioLoggingFilter.java:60)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
    at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:75)
    at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
    at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.runTask(OrderedThreadPoolExecutor.java:780)
    at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.runTasks(OrderedThreadPoolExecutor.java:772)
    at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.run(OrderedThreadPoolExecutor.java:714)
    at java.lang.Thread.run(Thread.java:744)

    2014-02-03 09:40:23,130 ERROR [ImapSSLServer-745] [name=grafica@my-domain.com;mid=117;ip=192.168.13.92;] imap - java.lang.IllegalArgumentException: URLDecoder: Incomplete trailing escape (%) pattern
    java.lang.IllegalArgumentException: URLDecoder: Incomplete trailing escape (%) pattern
    at java.net.URLDecoder.decode(URLDecoder.java:187)
    at com.mysql.jdbc.NonRegisteringDriver.parseURL(NonRegisteringDriver.java:633)
    at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:296)
    at java.sql.DriverManager.getConnection(DriverManager.java:571)
    at java.sql.DriverManager.getConnection(DriverManager.java:233)
    at com.zimbra.cs.db.DbPool.getMaintenanceConnection(DbPool.java:425)
    at com.zimbra.cs.db.MySQL.flushToDisk(MySQL.java:220)
    at com.zimbra.cs.redolog.RedoLogManager.rollover(RedoLogManager.java:599)
    at com.zimbra.cs.redolog.RedoLogManager.log(RedoLogManager.java:382)
    at com.zimbra.cs.redolog.op.RedoableOp.log(RedoableOp.java:121)
    at com.zimbra.cs.mailbox.Mailbox.endTransaction(Mailbox.java:8585)
    at com.zimbra.cs.mailbox.Mailbox.addMessageInternal(Mailbox.java:5643)
    at com.zimbra.cs.mailbox.Mailbox.addMessage(Mailbox.java:5323)
    at com.zimbra.cs.mailbox.Mailbox.addMessage(Mailbox.java:5257)
    at com.zimbra.cs.mailbox.Mailbox.addMessage(Mailbox.java:5252)
    at com.zimbra.cs.imap.AppendMessage.store(AppendMessage.java:207)
    at com.zimbra.cs.imap.AppendMessage.storeContent(AppendMessage.java:184)
    at com.zimbra.cs.imap.ImapHandler.doAPPEND(ImapHandler.java:2476)
    at com.zimbra.cs.imap.ImapHandler.executeRequest(ImapHandler.java:394)
    at com.zimbra.cs.imap.NioImapHandler.processRequest(NioImapHandler.java:124)
    at com.zimbra.cs.imap.NioImapHandler.messageReceived(NioImapHandler.java:61)
    at com.zimbra.cs.server.NioHandlerDispatcher.messageReceived(NioHandlerDispatcher.java:88)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:716)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
    at com.zimbra.cs.server.NioLoggingFilter.messageReceived(NioLoggingFilter.java:60)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
    at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:75)
    at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
    at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.runTask(OrderedThreadPoolExecutor.java:780)
    at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.runTasks(OrderedThreadPoolExecutor.java:772)
    at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.run(OrderedThreadPoolExecutor.java:714)
    at java.lang.Thread.run(Thread.java:744)


    2014-02-03 09:40:26,319 INFO [LmtpServer-105] [name=madalina.stoian@my-domain.com;mid=87;ip=xx.yy.zz.ww;] cache - initializing folder and tag caches for mailbox 87
    2014-02-03 09:40:26,324 WARN [LmtpServer-105] [name=madalina.stoian@my-domain.com;mid=87;ip=xx.yy.zz.ww;] filter - An error occurred while processing filter rules. Filing message to /Inbox.
    java.lang.IllegalArgumentException: URLDecoder: Incomplete trailing escape (%) pattern
    at java.net.URLDecoder.decode(URLDecoder.java:187)
    at com.mysql.jdbc.NonRegisteringDriver.parseURL(NonRegisteringDriver.java:633)
    at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:296)
    at java.sql.DriverManager.getConnection(DriverManager.java:571)
    at java.sql.DriverManager.getConnection(DriverManager.java:233)
    at com.zimbra.cs.db.DbPool.getMaintenanceConnection(DbPool.java:425)
    at com.zimbra.cs.db.MySQL.flushToDisk(MySQL.java:220)
    at com.zimbra.cs.redolog.RedoLogManager.rollover(RedoLogManager.java:599)
    at com.zimbra.cs.redolog.RedoLogManager.log(RedoLogManager.java:382)
    at com.zimbra.cs.redolog.op.RedoableOp.log(RedoableOp.java:121)
    at com.zimbra.cs.redolog.op.RedoableOp.log(RedoableOp.java:117)
    at com.zimbra.cs.mailbox.Mailbox.addMessageInternal(Mailbox.java:5602)
    at com.zimbra.cs.mailbox.Mailbox.addMessage(Mailbox.java:5323)
    at com.zimbra.cs.mailbox.Mailbox.addMessage(Mailbox.java:5257)
    at com.zimbra.cs.mailbox.Mailbox.addMessage(Mailbox.java:5252)
    at com.zimbra.cs.filter.IncomingMessageHandler.addMessage(IncomingMessageHandler.java:131)
    at com.zimbra.cs.filter.IncomingMessageHandler.implicitKeep(IncomingMessageHandler.java:123)
    at com.zimbra.cs.filter.ZimbraMailAdapter.doDefaultFiling(ZimbraMailAdapter.java:344)
    at com.zimbra.cs.filter.ZimbraMailAdapter.executeActions(ZimbraMailAdapter.java:219)
    at org.apache.jsieve.SieveFactory.evaluate(SieveFactory.java:173)
    at com.zimbra.cs.filter.RuleManager.applyRulesToIncomingMessage(RuleManager.java:360)
    at com.zimbra.cs.filter.RuleManager.applyRulesToIncomingMessage(RuleManager.java:322)
    at com.zimbra.cs.lmtpserver.ZimbraLmtpBackend.deliverMessageToLocalMailboxes(ZimbraLmtpBackend.java:612)
    at com.zimbra.cs.lmtpserver.ZimbraLmtpBackend.deliver(ZimbraLmtpBackend.java:382)
    at com.zimbra.cs.lmtpserver.LmtpHandler.processMessageData(LmtpHandler.java:376)
    at com.zimbra.cs.lmtpserver.TcpLmtpHandler.continueDATA(TcpLmtpHandler.java:73)
    at com.zimbra.cs.lmtpserver.LmtpHandler.doDATA(LmtpHandler.java:365)
    at com.zimbra.cs.lmtpserver.LmtpHandler.processCommand(LmtpHandler.java:181)
    at com.zimbra.cs.lmtpserver.TcpLmtpHandler.processCommand(TcpLmtpHandler.java:66)
    at com.zimbra.cs.server.ProtocolHandler.processConnection(ProtocolHandler.java:188)
    at com.zimbra.cs.server.ProtocolHandler.run(ProtocolHandler.java:127)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:744)
    2014-02-03 09:40:26,327 INFO [LmtpServer-105] [name=madalina.stoian@my-domain.com;mid=87;ip=xx.yy.zz.ww;] mailop - Adding Message: id=120630, Message-ID=<394401cf20b3$2fec16b0$8fc44410$@ro>, pare
    ntId=-1, folderId=2, folderName=Inbox.


    2014-02-03 09:40:32,428 ERROR [Pop3SSLServer-153] [name=sorin.tache@my-domain.com;ip=92.84.114.146;] pop - java.lang.IllegalArgumentException: URLDecoder: Incomplete trailing escape (%) pattern
    java.lang.IllegalArgumentException: URLDecoder: Incomplete trailing escape (%) pattern
    at java.net.URLDecoder.decode(URLDecoder.java:187)
    at com.mysql.jdbc.NonRegisteringDriver.parseURL(NonRegisteringDriver.java:633)
    at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:296)
    at java.sql.DriverManager.getConnection(DriverManager.java:571)
    at java.sql.DriverManager.getConnection(DriverManager.java:233)
    at com.zimbra.cs.db.DbPool.getMaintenanceConnection(DbPool.java:425)
    at com.zimbra.cs.db.MySQL.flushToDisk(MySQL.java:220)
    at com.zimbra.cs.redolog.RedoLogManager.rollover(RedoLogManager.java:599)
    at com.zimbra.cs.redolog.RedoLogManager.log(RedoLogManager.java:382)
    at com.zimbra.cs.redolog.op.RedoableOp.log(RedoableOp.java:121)
    at com.zimbra.cs.mailbox.Mailbox.endTransaction(Mailbox.java:8585)
    at com.zimbra.cs.mailbox.Mailbox.delete(Mailbox.java:6654)
    at com.zimbra.cs.mailbox.Mailbox.delete(Mailbox.java:6672)
    at com.zimbra.cs.mailbox.Mailbox.delete(Mailbox.java:6583)
    at com.zimbra.cs.pop3.Pop3Mailbox.expungeDeletes(Pop3Mailbox.java:221)
    at com.zimbra.cs.pop3.Pop3Handler.doQUIT(Pop3Handler.java:420)
    at com.zimbra.cs.pop3.Pop3Handler.processCommandInternal(Pop3Handler.java:287)
    at com.zimbra.cs.pop3.Pop3Handler.processCommand(Pop3Handler.java:140)
    at com.zimbra.cs.pop3.NioPop3Handler.messageReceived(NioPop3Handler.java:57)
    at com.zimbra.cs.server.NioHandlerDispatcher.messageReceived(NioHandlerDispatcher.java:88)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:716)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
    at com.zimbra.cs.server.NioLoggingFilter.messageReceived(NioLoggingFilter.java:60)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
    at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:75)
    at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
    at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.runTask(OrderedThreadPoolExecutor.java:780)
    at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.runTasks(OrderedThreadPoolExecutor.java:772)
    at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.run(OrderedThreadPoolExecutor.java:714)
    at java.lang.Thread.run(Thread.java:744)


    /var/log/zimbra.log

    Feb 3 09:40:46 mail zmconfigd[27520]: Fetching All configs
    Feb 3 09:40:46 mail zmconfigd[27520]: All configs fetched in 0.03 seconds
    Feb 3 09:40:46 mail sudo: zimbra : TTY=unknown ; PWD=/opt/zimbra ; USER=root ; COMMAND=/opt/zimbra/libexec/zmmailboxdmgr status
    Feb 3 09:40:46 mail sudo: zimbra : TTY=unknown ; PWD=/opt/zimbra ; USER=root ; COMMAND=/opt/zimbra/libexec/zmmailboxdmgr status
    Feb 3 09:40:46 mail sudo: zimbra : TTY=unknown ; PWD=/opt/zimbra ; USER=root ; COMMAND=/opt/zimbra/libexec/zmmtastatus
    Feb 3 09:40:47 mail slapd[1738]: slap_queue_csn: queing 0x7f1ee25a5050 20140203074047.639764Z#000000#000#000000
    Feb 3 09:40:47 mail slapd[1738]: slap_graduate_commit_csn: removing 0x9a410f0 20140203074047.639764Z#000000#000#000000
    Feb 3 09:40:47 mail zmconfigd[27520]: Watchdog: service antivirus status is OK.
    Feb 3 09:40:47 mail zmconfigd[27520]: All rewrite threads completed in 0.00 sec
    Feb 3 09:40:47 mail zmconfigd[27520]: All restarts completed in 0.00 sec
    Feb 3 09:40:47 mail postfix/lmtp[28024]: 2857218BC02F: to=<lucian.ene@my-domain.com>, relay=mail.my-domain.com[xx.yy.zz.ww]:7025, delay=16, delays=0.14/0/0/16, dsn=4.0.0, status=deferred (host mail.
    my-domain.com[xx.yy.zz.ww] said: 451 4.0.0 Temporary message delivery failure try again (in reply to end of DATA command))
    Feb 3 09:40:52 mail slapd[1738]: slap_queue_csn: queing 0x7f1ee2da6050 20140203074052.621065Z#000000#000#000000
    Feb 3 09:40:52 mail slapd[1738]: slap_graduate_commit_csn: removing 0x4a57cb0 20140203074052.621065Z#000000#000#000000
    Feb 3 09:40:57 mail slapd[1738]: slap_queue_csn: queing 0x7f1ee35a7050 20140203074057.069739Z#000000#000#000000
    Feb 3 09:40:57 mail slapd[1738]: slap_graduate_commit_csn: removing 0x4a58400 20140203074057.069739Z#000000#000#000000
    Feb 3 09:41:00 mail postfix/smtpd[27753]: connect from unknown[192.168.13.74]
    Feb 3 09:41:00 mail postfix/smtpd[27753]: Anonymous TLS connection established from unknown[192.168.13.74]: TLSv1 with cipher RC4-MD5 (128/128 bits)
    Feb 3 09:41:00 mail saslauthd[3593]: zmauth: authenticating against elected url 'https://mail.my-domain.com:7071/service/admin/soap/' ...
    Feb 3 09:41:00 mail saslauthd[3593]: zmpost: url='https://mail.my-domain.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><so
    ap:Header><context xmlns="urn:zimbra"><change token="136804"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_c56e41e4752 66dd08d1468e47e40aeca59d7a14a_6964
    3d33363a31323863353561382d616265352d343438332d3838 64372d3938373332646465656263323b6578703d31333a3133 39313538363036303335363b76763d313a343b747970653d36 3a7a696d6272613b</authToken><lifetime>1728000
    00</lifetime><skin>beach</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''


    Any idea what this means? Is this a bug?
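
An added example, not part of any post in this thread: after a zimlet cleanup like the one described in posts #8 to #10, the "Zimlet not found" warnings in mailbox.log show which removed zimlets are still being requested, by which accounts and from which addresses. The parser below assumes the mailbox.log line layout quoted in post #10; the sample lines, accounts and IP addresses are constructed placeholders, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the mailbox.log layout quoted in post #10.
# Accounts and addresses are placeholders (documentation ranges).
SAMPLE_LOG = """\
2014-02-03 08:59:41,386 INFO [qtp1-10:http://127.0.0.1:81/service/soap/BatchRequest] [name=user1@example.com;mid=174;oip=203.0.113.17;ua=ZCS/8.0.6_GA_5922;] soap - BatchRequest
2014-02-03 08:59:41,403 WARN [qtp1-10:http://127.0.0.1:81/service/soap/BatchRequest] [name=user1@example.com;mid=174;oip=203.0.113.17;ua=ZCS/8.0.6_GA_5922;] zimlet - Zimlet not found: /opt/zimbra/zimlets-deployed/com_zimbra_example_simplejspaction
2014-02-03 09:12:31,009 WARN [ImapSSLServer-743] [name=user2@example.com;mid=56;ip=192.0.2.71;] imap - ignoring error during UID FETCH:
com.zimbra.cs.mailbox.MailServiceException: No such blob: mailbox=56, item=16027, change=43727
\tat com.zimbra.cs.mailbox.MailItem.getBlob(MailItem.java:1255)
2014-02-03 09:19:36,573 WARN [qtp1-11:http://198.51.100.5:81/service/zimlet/icon.png] [] zimlet - Zimlet not found: /opt/zimbra/zimlets-deployed/com_zimbra_example_simplejspaction
2014-02-03 09:19:36,577 WARN [qtp1-11:http://198.51.100.5:81/service/zimlet/icon.png] [ip=198.51.100.9;] zimlet - Zimlet not found: /opt/zimbra/zimlets-deployed/com_zimbra_example_simplejspaction2
"""

# timestamp, level, [thread:url], [key=value;...], category - message
RECORD = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}\s+(\w+)\s+"
    r"\[([^\]]*)\]\s+\[([^\]]*)\]\s+(\w+) - (.*)$"
)
MISSING = re.compile(r"Zimlet not found: (\S+)")


def parse_context(ctx):
    """Turn 'name=a;mid=1;oip=x;' into a dict; an empty '[]' gives {}."""
    return dict(kv.split("=", 1) for kv in ctx.split(";") if "=" in kv)


def missing_zimlet_report(log_text):
    """Group 'Zimlet not found' warnings by zimlet directory name."""
    report = defaultdict(
        lambda: {"count": 0, "sources": set(), "accounts": set(), "no_account": 0}
    )
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue  # continuation line, e.g. a stack-trace frame
        _ts, _level, _thread, ctx, category, message = m.groups()
        hit = MISSING.search(message) if category == "zimlet" else None
        if not hit:
            continue
        name = hit.group(1).rstrip("/").rsplit("/", 1)[-1]
        fields = parse_context(ctx)
        entry = report[name]
        entry["count"] += 1
        # Prefer oip (originating IP) over ip, which may be a local proxy.
        source = fields.get("oip") or fields.get("ip")
        if source:
            entry["sources"].add(source)
        if "name" in fields:
            entry["accounts"].add(fields["name"])
        else:
            entry["no_account"] += 1  # request logged without an account
    return {
        name: {
            "count": e["count"],
            "sources": sorted(e["sources"]),
            "accounts": sorted(e["accounts"]),
            "no_account": e["no_account"],
        }
        for name, e in report.items()
    }


if __name__ == "__main__":
    for zimlet, info in sorted(missing_zimlet_report(SAMPLE_LOG).items()):
        print(zimlet, info)
```

Run it against the real /opt/zimbra/log/mailbox.log by passing the file's text to `missing_zimlet_report`; lines that were hard-wrapped when pasted from a terminal, as in post #10, need to be rejoined first.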
