#1
11-05-2008, 01:28 AM
Junior Member
Posts: 6
Got hacked - Will migrate, have questions

Hi everyone.
I am suspecting that our mail server running Zimbra got hacked.

Fortunately it is running in a virtual server so setting up a new one is not hard.

My first question is: If I migrate to a new server using "zmrestore" as instructed in Moving ZCS to New Server - Zimbra :: Wiki

Will this only restore pure data and NO scripts / executables?

Since we got hacked I ONLY want data to be moved to the new server, as you all probably understand :-)

My second question is: If I install the latest Zimbra, will I be able to migrate my data as instructed in the above mentioned link?

The hacked server is running Debian 4. I haven't had time to examine it further but will do that later on. I suspect it got hacked since my firewall logs show that it accessed an IP on port 80 (which turned out to be a webmail server) and another IP on port 123... dunno what a Zimbra does on 123 on a PC that is placed on a home broadband IP-range but I'm pretty sure that that behaviour is not hardcoded into the source :-)
Zimbra version is Release 5.0.4_GA_2101.DEBIAN4.0 DEBIAN4.0 FOSS edition

All replies are happily accepted but I would really appreciate if I got answers from experienced admins too. Maybe Zimbra staff too? :-)
#2
11-05-2008, 01:46 AM
Moderator
Posts: 7,928

Moving ZCS to Another Server » Zimbra :: Blog

Install the new server, migrate your data, and then upgrade.
#3
11-05-2008, 10:05 AM
Outstanding Member
Posts: 708

Outbound connections to port 80 could be user RSS or iCal feeds.

Port 123 is ntp, time synchronization, which you probably should have.

You should seriously consider outsourcing to a Zimbra hosting service (or to a competitor like gmail) so that you don't have to take care of it yourself.
#4
11-05-2008, 10:14 AM
Advanced Member
Posts: 194

Out of curiosity, how did you get hacked and what did you notice?
#5
11-05-2008, 01:25 PM
Junior Member
Posts: 6

Damn!
Pardon my french but... you are right... and I am paranoid :-)

Well, the machines I saw get accessed are not machines I do NTP with. So it's kinda strange anyways.
The thing about this server is that I installed it but then I left the company and they were never interested in taking over the maintenance... in the beginning I logged in to run some aptitude upgrade etc... but then I lost interest... I didn't get any for it... and then they called telling me that their net was slow and mailserver sluggish... so then I checked the FW logs and... strange things it did.

Anyways, the virtual disk has been copied and I am going to spend a week with it :-)

Quote:
Originally Posted by Rich Graves
Outbound connections to port 80 could be user RSS or iCal feeds.

Port 123 is ntp, time synchronization, which you probably should have.

You should seriously consider outsourcing to a Zimbra hosting service (or to a competitor like gmail) so that you don't have to take care of it yourself.
Reply With Quote
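
Added example, not written by any poster in this thread: one way to test the observation in post #5 (port-123 traffic going to hosts that are not the NTP servers in use) against the explanations offered in post #3. It assumes netfilter-style firewall log lines; the sample lines, the addresses (documentation ranges) and the function names outbound_flows and triage are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in netfilter (iptables LOG) style; all addresses
# are documentation ranges, not values from the thread.
SAMPLE_LOG = """\
Nov  4 03:12:01 fw kernel: FWD IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=76 PROTO=UDP SPT=123 DPT=123
Nov  4 03:12:09 fw kernel: FWD IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.50 LEN=76 PROTO=UDP SPT=123 DPT=123
Nov  4 03:13:30 fw kernel: FWD IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.80 LEN=60 PROTO=TCP SPT=40112 DPT=80
Nov  4 03:13:31 fw kernel: FWD IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.80 LEN=60 PROTO=TCP SPT=40113 DPT=80
Nov  4 03:14:02 fw kernel: FWD IN=eth1 OUT=eth0 SRC=192.0.2.33 DST=203.0.113.99 LEN=60 PROTO=TCP SPT=51000 DPT=6667
Nov  4 03:15:00 fw kernel: truncated line SRC=192.0.2.10
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def outbound_flows(log_text, server_ip):
    """Count (proto, dst, dport) tuples for packets sent by server_ip."""
    flows = Counter()
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("SRC") != server_ip or not f.keys() >= {"DST", "PROTO", "DPT"}:
            continue  # other hosts, or lines missing fields (e.g. truncated)
        flows[(f["PROTO"].lower(), f["DST"], int(f["DPT"]))] += 1
    return flows

def triage(flows, ntp_servers, known_http=frozenset()):
    """Split flows into expected traffic and items needing a human look."""
    expected, review = [], []
    for (proto, dst, dport), n in sorted(flows.items()):
        if (proto, dport) == ("udp", 123):
            ok = dst in ntp_servers           # NTP only to configured servers
        elif (proto, dport) == ("tcp", 80):
            ok = dst in known_http            # e.g. hosts of known RSS/iCal feeds
        else:
            ok = False                        # anything else is unexplained
        (expected if ok else review).append((proto, dst, dport, n))
    return expected, review

if __name__ == "__main__":
    flows = outbound_flows(SAMPLE_LOG, "192.0.2.10")
    expected, review = triage(flows, ntp_servers={"198.51.100.7"})
    for item in review:
        print("REVIEW %s %s:%d x%d" % item)
```

The ntp_servers set would come from the server's own NTP configuration, and known_http from the feed URLs users have subscribed to; whatever lands in review is what the copied virtual disk should then be examined for.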