Serious problem exploits "brute force attack"
Posted: Mon May 30, 2016 8:01 am
Hello everyone, I have been the victim of an attack on my server. My server does not publish port 7071, and the attack seems to originate from the same server. I changed the password, but there are continuous attempts to log in.
The server has been upgraded to the latest releases and patches.
I report the log below, please help me!!
/opt/zimbra/log/audit.log
2016-05-30 09:38:50,895 WARN [qtp509886383-1580:https://10.0.2.1:7071/service/admin/soap/] [name=f.onorato@eurotelag.com;ip=10.0.2.1;] security - cmd=Auth; account=f.onorato@eurotelag.com; protocol=soap; error=authentication failed for [f.onorato@eurotelag.com], invalid password;
/opt/zimbra/log/mailbox.log
2016-05-30 09:38:50,147 INFO [qtp509886383-1562:https://10.0.2.1:7071/service/admin/soap/] [name=f.onorato@eurotelag.com;ip=10.0.2.1;] SoapEngine - handler exception: authentication failed for [f.onorato@eurotelag.com], invalid password
2016-05-30 09:38:50,147 INFO [qtp509886383-1562:https://10.0.2.1:7071/service/admin/soap/] [name=f.onorato@eurotelag.com;ip=10.0.2.1;] soap - AuthRequest elapsed=0
/var/log/zimbra.log
May 30 09:56:18 mail saslauthd[7685]: zmpost: url='https://mail.eurotelag.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope ... r><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [f.onorato@eurotelag.com]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp509886383-1765:https://10.0.2.1:7071/service/admin/soa ... p:Envelope>', hti->error=''
May 30 09:56:18 mail saslauthd[7685]: auth_zimbra: f.onorato@eurotelag.com auth failed: authentication failed for [f.onorato@eurotelag.com]
May 30 09:56:18 mail saslauthd[7685]: do_auth : auth failure: [user=f.onorato@eurotelag.com] [service=smtp] [realm=eurotelag.com] [mech=zimbra] [reason=Unknown]
/var/log/auth.log
May 30 09:56:18 mail saslauthd[7685]: zmpost: url='https://mail.eurotelag.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope ... r><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [f.onorato@eurotelag.com]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp509886383-1765:https://10.0.2.1:7071/service/admin/soa ... p:Envelope>', hti->error=''
May 30 09:56:18 mail saslauthd[7685]: auth_zimbra: f.onorato@eurotelag.com auth failed: authentication failed for [f.onorato@eurotelag.com]
May 30 09:56:18 mail saslauthd[7685]: do_auth : auth failure: [user=f.onorato@eurotelag.com] [service=smtp] [realm=eurotelag.com] [mech=zimbra] [reason=Unknown]
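Added triage example, not part of the original post: the saslauthd lines quoted above show `zmpost` calling the port-7071 SOAP URL for `service=smtp`, so a failed `cmd=Auth` logged with the server's own address can be a relayed SMTP login rather than a client reaching 7071. The script pairs the two logs by account and time; the sample lines, addresses, `local_ips`, `year` and the 2-second window are constructed assumptions, and both logs are assumed to share one clock.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the formats quoted in the post; all values are placeholders.
AUDIT_LOG = """\
2016-05-30 09:38:50,895 WARN [qtp1-1580:https://192.0.2.10:7071/service/admin/soap/] [name=user@example.com;ip=192.0.2.10;] security - cmd=Auth; account=user@example.com; protocol=soap; error=authentication failed for [user@example.com], invalid password;
2016-05-30 09:38:53,120 WARN [qtp1-1581:https://192.0.2.10:7071/service/admin/soap/] [name=user@example.com;ip=192.0.2.10;] security - cmd=Auth; account=user@example.com; protocol=soap; error=authentication failed for [user@example.com], invalid password;
2016-05-30 09:40:02,300 WARN [qtp1-1590:https://192.0.2.10:7071/service/admin/soap/] [name=admin@example.com;ip=198.51.100.7;] security - cmd=Auth; account=admin@example.com; protocol=soap; error=authentication failed for [admin@example.com], invalid password;
2016-05-30 09:45:00,010 WARN [qtp1-1601:https://192.0.2.10:7071/service/admin/soap/] [name=user@example.com;ip=192.0.2.10;] security - cmd=Auth; account=user@example.com; protocol=soap; error=authentication failed for [user@example.com], invalid password;
"""
SYSLOG = """\
May 30 09:38:50 mail saslauthd[7685]: do_auth : auth failure: [user=user@example.com] [service=smtp] [realm=example.com] [mech=zimbra] [reason=Unknown]
May 30 09:38:53 mail saslauthd[7685]: do_auth : auth failure: [user=user@example.com] [service=smtp] [realm=example.com] [mech=zimbra] [reason=Unknown]
"""

AUDIT_RE = re.compile(r"^(\S+ \S+),\d+ WARN\s+.*?\bip=([^;\]]+);.*?cmd=Auth; account=([^;]+); "
                      r"protocol=(\w+); error=authentication failed")
SASL_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) \S+ saslauthd\[\d+\]: do_auth\s*: auth failure: "
                     r"\[user=([^\]]+)\] \[service=(\w+)\]")

def sasl_failures(syslog, year):
    """Map account -> [(time, service)] for failures reported by saslauthd."""
    out = defaultdict(list)
    for line in syslog.splitlines():
        m = SASL_RE.match(line)
        if m:  # syslog stamps carry no year, so the caller supplies it
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            out[m.group(2)].append((when, m.group(3)))
    return out

def attribute(audit, syslog, local_ips, year, window=timedelta(seconds=2)):
    """Label each failed Auth in audit.log by how the attempt reached port 7071."""
    relayed = sasl_failures(syslog, year)
    results = []
    for line in audit.splitlines():
        m = AUDIT_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip, account = m.group(2), m.group(3)
        via = "direct:" + ip  # a non-local client talked to the admin SOAP port itself
        if ip in local_ips:   # local caller: look for a saslauthd failure at the same moment
            hits = [s for t, s in relayed.get(account, []) if abs(t - when) <= window]
            via = "relayed:" + hits[0] if hits else "local:unexplained"
        results.append((account, ip, via))
    return results
```

Entries labelled `relayed:smtp` point at the SMTP listener as the entry point, so the client address has to be read from that service's own log; `local:unexplained` entries are the ones that warrant a look at processes on the host.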