Home / server / Questions / 909350
Accepted
Milos Cuculovic
Asked: 2018-04-26 00:12:18 +0800 CST

Zimbra server compromised - how to investigate

  • 772

We have a zimbra email server and one of the email accounts was compromised. The problem we have now is that a lot of spams are sent from that server and we cannot identify which account is compromised.

In the mailq we can only see the from email, but this is a fake email address.

Is there a way to identify the real auth user who is sending those emails?

postfix

2 Answers

  1. Best Answer

    You can either grep logs for senders like

    grep sasl_username /var/log/maillog

    or use this script to show aggregate statistics 

    #!/usr/bin/python2
from __future__ import print_function

import re
re_sasl = re.compile(r'sasl_username=(.*)\s*')

senders = {}

for line in open('/var/log/maillog'):
    m = re_sasl.search(line.strip())
    if m:
        username = m.group(1)
        if username in senders:
            senders[username] += 1
        else:
            senders[username] = 1

print("Top senders:")
for username, count in sorted(senders.iteritems(), key=lambda x: x[1], reverse=True):
    print("\t{0:5d} {1}".format(count, username))
    • 2

  2. Please use this command to get compromise account details

    cat zimbra.log | sed -n 's/.*sasl_username=//p' | sort | uniq -c | sort -n 
    • 0