Zimbra Forums

Hello everyone, I have been the victim of an attack on my server, my server does not publish the 7071 port, the attack seems to originate from the same server, i changed the password but there are continuous attempts to login.
The server has been upgraded to the latest releases and patches.
I report under the log, please help me!!

/opt/zimbra/log/audit.log
2016-05-30 09:38:50,895 WARN [qtp509886383-1580:https://10.0.2.1:7071/service/admin/soap/] [name=f.onorato@eurotelag.com;ip=10.0.2.1;] security - cmd=Auth; account=f.onorato@eurotelag.com; protocol=soap; error=authentication failed for [f.onorato@eurotelag.com], invalid password;

/opt/zimbra/log/mailbox.log
2016-05-30 09:38:50,147 INFO [qtp509886383-1562:https://10.0.2.1:7071/service/admin/soap/] [name=f.onorato@eurotelag.com;ip=10.0.2.1;] SoapEngine - handler exception: authentication failed for [f.onorato@eurotelag.com], invalid password
2016-05-30 09:38:50,147 INFO [qtp509886383-1562:https://10.0.2.1:7071/service/admin/soap/] [name=f.onorato@eurotelag.com;ip=10.0.2.1;] soap - AuthRequest elapsed=0

/var/log/zimbra.log
May 30 09:56:18 mail saslauthd[7685]: zmpost: url='https://mail.eurotelag.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope ... r><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [f.onorato@eurotelag.com]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp509886383-1765:https://10.0.2.1:7071/service/admin/soa ... p:Envelope>', hti->error=''
May 30 09:56:18 mail saslauthd[7685]: auth_zimbra: f.onorato@eurotelag.com auth failed: authentication failed for [f.onorato@eurotelag.com]
May 30 09:56:18 mail saslauthd[7685]: do_auth : auth failure: [user=f.onorato@eurotelag.com] [service=smtp] [realm=eurotelag.com] [mech=zimbra] [reason=Unknown]

/var/log/auth.log
May 30 09:56:18 mail saslauthd[7685]: zmpost: url='https://mail.eurotelag.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope ... r><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [f.onorato@eurotelag.com]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp509886383-1765:https://10.0.2.1:7071/service/admin/soa ... p:Envelope>', hti->error=''
May 30 09:56:18 mail saslauthd[7685]: auth_zimbra: f.onorato@eurotelag.com auth failed: authentication failed for [f.onorato@eurotelag.com]
May 30 09:56:18 mail saslauthd[7685]: do_auth : auth failure: [user=f.onorato@eurotelag.com] [service=smtp] [realm=eurotelag.com] [mech=zimbra] [reason=Unknown]

Hello,
I noticed that if I put the original password the server starts sending spam can someone give me help.

Thanks!!

I think your account was hacked (worm or password discovered via web interface).

Simply change the password and do not put the oldest.

The logs show the authentication attempt.

Ciao Francesco.

Hello babyporch,

the problem stems from the fact that 7071 has never been exposed to intrnet, from un'output netstat I see that the connections are generated by the same ip of the server
This makes me think of a script or other which stands running on the server

Ciao Claudio

Hi Cisco72,

Did you ever find the cause of the problem? I'm having exactly the same situation. The attempts to connect seem to come from the server itself. I'm trying to find a bogus process that is launching the attemps without success.

Any comment will be appreciated.

If the connection is from the own ip address that only means that it is a Login via Web Interface


Gesendet von meinem SM-N910F mit Tapatalk

Hello everyone, I find myself with the same problem and I could not solve it. Someone found the solution ..? Thank you very much

Someone is trying to send authenticated email from outside your server - using the submission port (465)

If you open /var/log/zimbra.log and search for one of the saslauthd lines you quoted you will find that the preceeding 3 lines should give you the information about the source of the connection.

For example

Aug 25 07:29:47 mail postfix/submission/smtpd[16296]: connect from mail-it0-f51.google.com[209.85.214.51]
Aug 25 07:29:48 mail postfix/submission/smtpd[16296]: Anonymous TLS connection established from mail-it0-f51.google.com[209.85.214.51]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Aug 25 07:29:48 mail saslauthd[4831]: zmauth: authenticating against elected url 'https://yourServer:7071/service/admin/soap/' ...
Aug 25 07:29:49 mail saslauthd[4831]: zmpost: url='https://yourServer:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope ... r><context xmlns="urn:zimbra"><change token="223912"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken> removed </authToken><lifetime>86400000</lifetime><skin>harmony</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''

Here you can see the incoming connection was from google.com - and in my case this was a legitimate connection.

You should be able yo use the IP Address quoted to block the connection using the firewall.

Yes, the same problem started 2 days ago! 7071 have access list from only 2 IP, but log is full of IP's accessing this port. Is this Zimbra exploit?!

Same problem here...successful login attempts to admin web page (port 7071) from within the server.
In zimbra.log I see:
But user1 is not an administrator...

[zimbra@mail ~]$ zmcontrol -v
Release 8.6.0_GA_1153.RHEL6_64_20141215151155 RHEL6_64 FOSS edition, Patch 8.6.0_P7.