Serious problem exploits "brute force attack"
Hello everyone, I have been the victim of an attack on my server. My server does not expose port 7071, and the attack seems to originate from the same server. I changed the password, but there are continuous attempts to log in.
The server has been upgraded to the latest releases and patches.
I report the log below, please help me!!
/opt/zimbra/log/audit.log
2016-05-30 09:38:50,895 WARN [qtp509886383-1580:https://10.0.2.1:7071/service/admin/soap/] [name=f.onorato@eurotelag.com;ip=10.0.2.1;] security - cmd=Auth; account=f.onorato@eurotelag.com; protocol=soap; error=authentication failed for [f.onorato@eurotelag.com], invalid password;
/opt/zimbra/log/mailbox.log
2016-05-30 09:38:50,147 INFO [qtp509886383-1562:https://10.0.2.1:7071/service/admin/soap/] [name=f.onorato@eurotelag.com;ip=10.0.2.1;] SoapEngine - handler exception: authentication failed for [f.onorato@eurotelag.com], invalid password
2016-05-30 09:38:50,147 INFO [qtp509886383-1562:https://10.0.2.1:7071/service/admin/soap/] [name=f.onorato@eurotelag.com;ip=10.0.2.1;] soap - AuthRequest elapsed=0
/var/log/zimbra.log
May 30 09:56:18 mail saslauthd[7685]: zmpost: url='https://mail.eurotelag.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope ... r><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [f.onorato@eurotelag.com]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp509886383-1765:https://10.0.2.1:7071/service/admin/soa ... p:Envelope>', hti->error=''
May 30 09:56:18 mail saslauthd[7685]: auth_zimbra: f.onorato@eurotelag.com auth failed: authentication failed for [f.onorato@eurotelag.com]
May 30 09:56:18 mail saslauthd[7685]: do_auth : auth failure: [user=f.onorato@eurotelag.com] [service=smtp] [realm=eurotelag.com] [mech=zimbra] [reason=Unknown]
/var/log/auth.log
May 30 09:56:18 mail saslauthd[7685]: zmpost: url='https://mail.eurotelag.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope ... r><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [f.onorato@eurotelag.com]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp509886383-1765:https://10.0.2.1:7071/service/admin/soa ... p:Envelope>', hti->error=''
May 30 09:56:18 mail saslauthd[7685]: auth_zimbra: f.onorato@eurotelag.com auth failed: authentication failed for [f.onorato@eurotelag.com]
May 30 09:56:18 mail saslauthd[7685]: do_auth : auth failure: [user=f.onorato@eurotelag.com] [service=smtp] [realm=eurotelag.com] [mech=zimbra] [reason=Unknown]
Re: Serious problem exploits "brute force attack"
Hello,
I noticed that if I put the original password back, the server starts sending spam. Can someone help me?
Thanks!!
Re: Serious problem exploits "brute force attack"
I think your account was hacked (worm or password discovered via web interface).
Simply change the password and do not reuse the old one.
The logs show the authentication attempt.
Ciao Francesco.
Re: Serious problem exploits "brute force attack"
Hello babyporch,
The problem stems from the fact that 7071 has never been exposed to the internet; from netstat output I see that the connections are generated by the server's own IP.
This makes me think of a script or something else that is running on the server.
Ciao Claudio
Re: Serious problem exploits "brute force attack"
Hi Cisco72,
Did you ever find the cause of the problem? I'm having exactly the same situation. The attempts to connect seem to come from the server itself. I'm trying to find a bogus process that is launching the attempts, without success.
Any comment will be appreciated.
Re: Serious problem exploits "brute force attack"
If the connection is from the server's own IP address, that only means that it is a login via the web interface.
Sent from my SM-N910F using Tapatalk
Re: Serious problem exploits "brute force attack"
Hello everyone, I find myself with the same problem and I could not solve it. Has someone found the solution? Thank you very much
Re: Serious problem exploits "brute force attack"
Someone is trying to send authenticated email from outside your server - using the submission port (465)
If you open /var/log/zimbra.log and search for one of the saslauthd lines you quoted, you will find that the preceding 3 lines should give you the information about the source of the connection.
For example
Aug 25 07:29:47 mail postfix/submission/smtpd[16296]: connect from mail-it0-f51.google.com[209.85.214.51]
Aug 25 07:29:48 mail postfix/submission/smtpd[16296]: Anonymous TLS connection established from mail-it0-f51.google.com[209.85.214.51]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Aug 25 07:29:48 mail saslauthd[4831]: zmauth: authenticating against elected url 'https://yourServer:7071/service/admin/soap/' ...
Aug 25 07:29:49 mail saslauthd[4831]: zmpost: url='https://yourServer:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope ... r><context xmlns="urn:zimbra"><change token="223912"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken> removed </authToken><lifetime>86400000</lifetime><skin>harmony</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''
Here you can see the incoming connection was from google.com - and in my case this was a legitimate connection.
You should be able to use the IP address quoted to block the connection using the firewall.
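An added example (not from the thread, nor Zimbra's own code) of the correlation the post above describes: it walks zimbra.log lines in order, attributes each saslauthd auth_zimbra verdict to the nearest preceding postfix smtpd "connect from" line, and counts failures per client IP, so a firewall block targets the real source rather than the server's own address that appears in audit.log. The sample lines, hostnames and addresses are constructed; the three-line lookback is the post's own observation and is adjustable.

```python
import re
from collections import Counter
# Constructed sample of /var/log/zimbra.log (hosts, users and addresses are
# invented; only the line shapes follow the thread).
SAMPLE_LOG = """\
Aug 25 07:29:47 mail postfix/submission/smtpd[16296]: connect from mail-it0-f51.google.com[209.85.214.51]
Aug 25 07:29:48 mail saslauthd[4831]: zmauth: authenticating against elected url 'https://mail.example.com:7071/service/admin/soap/' ...
Aug 25 07:29:49 mail saslauthd[4831]: auth_zimbra: alice@example.com auth OK
Aug 25 07:30:01 mail postfix/submission/smtpd[16300]: connect from unknown[198.51.100.23]
Aug 25 07:30:02 mail saslauthd[4832]: auth_zimbra: bob@example.com auth failed: authentication failed for [bob@example.com]
Aug 25 07:30:02 mail saslauthd[4832]: do_auth : auth failure: [user=bob@example.com] [service=smtp] [realm=example.com] [mech=zimbra] [reason=Unknown]
Aug 25 07:30:05 mail postfix/submission/smtpd[16301]: connect from unknown[198.51.100.23]
Aug 25 07:30:06 mail saslauthd[4833]: auth_zimbra: bob@example.com auth failed: authentication failed for [bob@example.com]
Aug 25 07:30:07 mail postfix/submission/smtpd[16301]: disconnect from unknown[198.51.100.23]
Aug 25 07:31:00 mail postfix/qmgr[1200]: 1A2B3C4D5E: removed
Aug 25 07:31:05 mail saslauthd[4834]: auth_zimbra: carol@example.com auth failed: authentication failed for [carol@example.com]
"""
# smtpd line that opened the client connection, and the saslauthd verdict line.
CONNECT_RE = re.compile(r"postfix/\S*smtpd\[\d+\]: connect from (?P<host>\S+)\[(?P<ip>[\d.]+)\]")
AUTH_RE = re.compile(r"saslauthd\[\d+\]: auth_zimbra: (?P<user>\S+) auth (?P<result>OK|failed)")

def attribute_auth_events(lines, lookback=3):
    """Return (user, result, source_ip) per auth_zimbra line. saslauthd logs no
    client address (it only relays SMTP AUTH to the admin SOAP URL, hence the
    server's own IP in audit.log); the source is the nearest 'connect from' at
    most `lookback` lines earlier, else None (a heuristic, not a PID join)."""
    last_connect = None  # (line index, client ip) of the latest connect line
    events = []
    for idx, line in enumerate(lines):
        m = CONNECT_RE.search(line)
        if m:
            last_connect = (idx, m.group("ip"))
            continue
        m = AUTH_RE.search(line)
        if m:
            src = None
            if last_connect and idx - last_connect[0] <= lookback:
                src = last_connect[1]
            events.append((m.group("user"), m.group("result"), src))
    return events

def failed_auth_by_source(lines, lookback=3):
    """Count failed SMTP AUTH attempts per attributed client IP."""
    return Counter(src or "unattributed" for _user, result, src
                   in attribute_auth_events(lines, lookback) if result == "failed")

def suspicious_sources(lines, threshold=2, lookback=3):
    """IPs with at least `threshold` failures: candidates for a firewall block."""
    counts = failed_auth_by_source(lines, lookback)
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip != "unattributed")
```

An "unattributed" count means a verdict with no connect line close enough before it, which happens under concurrent connections; widen `lookback` or inspect those lines by hand rather than blocking blindly.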
MartinsBonders
Re: Serious problem exploits "brute force attack"
Yes, the same problem started 2 days ago! 7071 has an access list allowing only 2 IPs, but the log is full of IPs accessing this port. Is this a Zimbra exploit?!
Re: Serious problem exploits "brute force attack"
Same problem here...successful login attempts to admin web page (port 7071) from within the server.
In zimbra.log I see:
Apr 19 19:06:33 mail saslauthd[8160]: auth_zimbra: user1 auth OK
Apr 19 19:07:03 mail saslauthd[8161]: zmauth: authenticating against elected url 'https://mail.domain.com:7071/service/admin/soap/' ...
Apr 19 19:07:03 mail saslauthd[8161]: zmpost: url='https://mail.domain.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="20959"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_d1dd00e7eb79810aadaa9b5c4b3d97df8979b9e9_69643d33363a62343038346134362d333733362d346234342d626630642d34376562326531698755773b6578703d31333a31343932895423687393b76763d313a313b747970653d363a7a696d6272613b7469643d31303a9515669752444303b76657273696f6e3d31333a382e362e305f47415f313135333b</authToken><lifetime>172799998</lifetime><skin>serenity</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''
But user1 is not an administrator...
[zimbra@mail ~]$ zmcontrol -v
Release 8.6.0_GA_1153.RHEL6_64_20141215151155 RHEL6_64 FOSS edition, Patch 8.6.0_P7.