Server hacked, Desperate for help with FC6
David Kramer
david at thekramers.net
Sat Nov 25 10:31:49 EST 2006
Bill Horne wrote:
> Grant M. wrote:
>> [snip]
>> The Ubuntu Enterprise server we're using was compromised on a
>> non-privileged account once, but there isn't anything installed that
>> the user could use, so no worries.
> [snip]
>
> While we're on the subject, how did you find out?

The first symptom was I was having problems with MySQL, which eventually
led to my website not working.

In the end, the point of origin was almost definitely an exploit in
Zimbra, which is a web-based collaboration tool I installed to check
out, but never used. I found all sorts of subtle hints, like a new
zimbra user, which ended up in the /etc/sudoers file, and it was in the
uucp group and the wheel group.

The attack appears to have happened about three days after I installed
Zimbra, too.
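
The indicators described in the message above (an account that turns up in /etc/sudoers and in the wheel and uucp groups) can be looked for by comparing a host's accounts against a known-good list. This is an added example, not part of the original post; the sample file contents, the baseline list and the function names are constructed for illustration.

```python
# Constructed sample data in /etc/passwd, /etc/group and /etc/sudoers format
# (not taken from the affected host).
PASSWD = """root:x:0:0:root:/root:/bin/bash
david:x:500:500::/home/david:/bin/bash
zimbra:x:501:501::/opt/zimbra:/bin/bash"""
GROUP = """wheel:x:10:root,zimbra
uucp:x:14:uucp,zimbra
zimbra:x:501:"""
SUDOERS = """Defaults requiretty
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) ALL   # group rule
zimbra  ALL=(ALL) NOPASSWD: ALL"""
BASELINE = {"root", "david"}           # assumed known-good accounts
PRIVILEGED_GROUPS = {"wheel", "uucp"}  # the two groups named in the post

def parse_groups(text):
    """Map group name -> (gid, set of listed members)."""
    groups = {}
    for line in text.splitlines():
        name, _pw, gid, members = line.split(":")
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups

def sudoers_subjects(text):
    """First field of each rule (user or %group); include files are not followed."""
    subjects = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and not fields[0].startswith("Defaults") and not fields[0].endswith("_Alias"):
            subjects.add(fields[0])
    return subjects

def audit(passwd, group, sudoers, baseline):
    """Return {account: [reasons]} for each account missing from the baseline."""
    groups, subjects, findings = parse_groups(group), sudoers_subjects(sudoers), {}
    for user, _pw, _uid, gid in (l.split(":")[:4] for l in passwd.splitlines()):
        if user not in baseline:
            member_of = {g for g, (g_gid, members) in groups.items()
                         if user in members or g_gid == int(gid)}
            reasons = [f"member of {g}" for g in sorted(member_of & PRIVILEGED_GROUPS)]
            if user in subjects:
                reasons.append("named in sudoers")
            reasons += [f"sudo via %{g}" for g in sorted(member_of) if f"%{g}" in subjects]
            findings[user] = reasons
    return findings

if __name__ == "__main__":
    for account, reasons in audit(PASSWD, GROUP, SUDOERS, BASELINE).items():
        print(account, "->", "; ".join(reasons) or "absent from baseline only")
```

An account with an empty reason list is still reported, since any account missing from the baseline deserves a look even when it holds no sudo or group privilege.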