Hello all!
For two days, Zimbra has suddenly been extremely slow, after years of good work.
If I run "top", I see one or more zimbra processes with java, eating 200-300% of the CPU.
The server is now so slow that running "zmcontrol status" does not finish; it expires with "timeout after 180s".
The admin GUI says "services failed", but probably because of the slow response, since I can still send and receive e-mails.
Not sure if it's a bug or if our server has been compromised.
If I stop Zimbra (zmcontrol stop), the zimbra process is still running and eating CPU.
On restart, the same zimbra (java) process starts first, apparently before all the "legacy" Zimbra components.
Apparently 2-3 zimbra processes, with random (high) PIDs changing frequently.
I've changed nothing recently, except that one week before this problem appeared, I migrated the Zimbra VM from Proxmox 7 (with LVM storage) to a new Proxmox 8 cluster with ZFS storage.
Config:
Server with 30 users, 4 CPU cores, 8 GB, underlying host Xeon E-2334 with 32 GB RAM
zmcontrol -v
Release 9.0.0.GA.3924.UBUNTU18.64 UBUNTUUNKNOWN_64 NETWORK edition, Patch 9.0.0_P39
I find no clear error in the logs, except some probably caused by the CPU load (for example a lot of "connect to /opt/zimbra/data/clamav/clamav.sock failed" during startup, but they stop later).
Using "https://lorenzo.mile.si/zimbra-cve-2019 ... ction/961/" I tried to find out whether we are compromised, but found nothing clear, except maybe this:
But the date is 16/04, and the problem began on 14/04?
find /opt/zimbra/jetty/ -name "*.class" -mtime -15 -ls
10355263 4 -rw-r----- 1 zimbra zimbra 1335 avril 16 02:57 /opt/zimbra/jetty/work/zimbraAdmin/jsp/org/apache/jsp/public_/admin_jsp$1.class
Maybe the server was compromised a long time ago but the backdoor was never used before now?
So, I'm clearly out of my comfort zone; can someone help me?

There are a lot of log files in Zimbra; I don't know what to look for.
Thanks, and sorry for my English!

PS: I am planning to migrate to Zimbra 10 next week, but I'm not sure of the best way to do that if my server is compromised.
Is the doc "https://wiki.zimbra.com/wiki/Steps_To_R ... ZCS_Server" still valid for Zimbra 9?
And if we are indeed compromised, how can I clean the server (even for a short time), so that users are not overly affected while waiting for the update to Zimbra 10?
Statistics: Posted by winproof — Tue Apr 16, 2024 10:54 am