
Thread: Need help getting rid of a hacker

  1. #1
    Roran01 (Junior Member)

    Need help getting rid of a hacker

    On a server that I help to run, a hacker has gotten in and has set up an account to use as a
    spambot, causing us to get blacklisted. We do not have his IP, and would like any help available.

  2. #2
    phoenix (Zimbra Consultant & Moderator, Vannes, France)

    Quote Originally Posted by Roran01:
        On a server that I help to run, a hacker has gotten in and has set up an account to use as a
        spambot, causing us to get blacklisted. We do not have his IP, and would like any help available.

    You're going to have to give more details than this; you can start with the Zimbra version (you should always give these details) by posting the output of the following command:

    Code:
    zmcontrol -v

    Have you done any research in the forums? There are several threads on 'hacked' servers and the recent bitcoin mining app; search the forums and take a look at those threads first. Is this a Zimbra account that's been hacked? Take a look through the forums for "compromised account" and see if that's what you've got.

    Regards
    Bill

    Acompli: A new adventure for Co-Founder KevinH.

  3. #3
    Roran01 (Junior Member)

    Sorry about that. I am running the 8.0.7.GA.6021.UBUNTU12.64 version.

    We have no idea how he got in in the first place, but he is using the zimbra account.
    Maybe he is using a backdoor or something like that, but we recently updated,
    and he is still at it.

  4. #4
    phoenix (Zimbra Consultant & Moderator, Vannes, France)

    Quote Originally Posted by Roran01:
        Sorry about that. I am running the 8.0.7.GA.6021.UBUNTU12.64 version.

        We have no idea how he got in in the first place, but he is using the zimbra account.

    What do you mean by "the zimbra account"? Do you mean an admin account? Do you know the account that's being used? If you do, then you should be able to disable that account. Do you enforce strong passwords on your server? Have you checked to see if there's a bot on the server itself?

    Quote Originally Posted by Roran01:
        Maybe he is using a backdoor or something like that, but we recently updated, and he is still at it.

    There are currently no known vulnerabilities in Zimbra. From which version of ZCS did you upgrade? Was your server compromised before you did the upgrade, or has this just started? Did you look in the forums at some of the things I suggested in my previous post?

    Regards
    Bill

  5. #5
    Roran01 (Junior Member)

    The Unix user Zimbra is compromised, the admin account. Yes, we do enforce strong passwords, and password changes were enforced
    (for those with weak passwords) after the update.

    We upgraded from ~7.2 and from 10.02 Ubuntu. Unfortunately, it was compromised before the update. Yes, I did look into that, but have not seen
    much of use as of yet.

  6. #6
    phoenix (Zimbra Consultant & Moderator, Vannes, France)

    Quote Originally Posted by Roran01:
        The Unix user Zimbra is compromised, the admin account. Yes, we do enforce strong passwords, and password changes were enforced
        (for those with weak passwords) after the update.

        We upgraded from ~7.2 and from 10.02 Ubuntu. Unfortunately, it was compromised before the update. Yes, I did look into that, but have not seen
        much of use as of yet.

    The details of the bitcoin exploit are well documented in the forums, and a wiki article on Investigating and Securing Systems has full details of how to check your server; take a look at that and see if that's what's causing your problem. In future, it's also important that you tell us exactly what version was in use and give us the full version, such as 7.2.1 or 7.2.3 etc.

    Regards
    Bill
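A defender-side triage helper for the checks phoenix raises in #4 (is there a bot running as the zimbra unix user?) and #6 (checking the server itself), added here as an example; it is not code from the thread or from Zimbra. It assumes Zimbra is installed under /opt/zimbra and that every legitimate service and cron job run by the zimbra unix user starts from an absolute path inside that tree; the sample process and crontab lines are constructed.

```shell
#!/bin/sh
# Added triage helper, not from the thread or from Zimbra itself. Assumption:
# Zimbra is installed under /opt/zimbra and every legitimate service or cron job
# run by the 'zimbra' unix user is started from an absolute path inside that tree.
ZIMBRA_HOME="${ZIMBRA_HOME:-/opt/zimbra}"

# stdin: "pid command args..." records (e.g. from ps). Prints the records whose
# command is not an absolute path under $ZIMBRA_HOME; a bare name such as
# "perl" is flagged too, since it could resolve to anything on PATH.
flag_foreign_procs() {
    while read -r pid cmd _rest; do
        [ -z "$pid" ] && continue
        case "$cmd" in
            "$ZIMBRA_HOME"/*) ;;                     # expected location
            *) printf '%s %s\n' "$pid" "$cmd" ;;     # worth a closer look
        esac
    done
}

# stdin: crontab lines. Skips comments, blanks and VAR=value lines, then
# applies the same "inside the install tree" rule to the command field.
flag_foreign_cron() {
    while read -r min hr dom mon dow cmd _rest; do
        case "$min" in ''|\#*|*=*) continue ;; esac
        case "$cmd" in
            "$ZIMBRA_HOME"/*) ;;
            *) printf '%s %s %s %s %s %s\n' "$min" "$hr" "$dom" "$mon" "$dow" "$cmd" ;;
        esac
    done
}

# Live use on the mail server (run as root; not executed by the demo below).
live_check() {
    ps -u zimbra -o pid=,args= | flag_foreign_procs
    crontab -u zimbra -l 2>/dev/null | flag_foreign_cron
}

# Constructed sample data: two legitimate-looking Zimbra daemons, two suspicious entries.
SAMPLE_PS='1234 /opt/zimbra/java/bin/java -Xmx1g com.zimbra.cs.store.MailboxServer
2345 /opt/zimbra/nginx/sbin/nginx -c /opt/zimbra/conf/nginx.conf
3456 /tmp/.x/minerd --config /tmp/.x/cfg
4567 perl /var/tmp/.mail.pl'
SAMPLE_CRON='# zimbra crontab (constructed)
MAILTO=root
0 2 * * * /opt/zimbra/libexec/zmlogprocess
*/5 * * * * /var/tmp/.mail.pl'

count_foreign_procs() { printf '%s\n' "$SAMPLE_PS" | flag_foreign_procs | wc -l | tr -d ' '; }
count_foreign_cron()  { printf '%s\n' "$SAMPLE_CRON" | flag_foreign_cron | wc -l | tr -d ' '; }
```

Anything the functions print is a lead to inspect (binary location, owner, start time), not proof of compromise on its own; Zimbra's own processes and cron entries stay silent under the stated assumption.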
