Account hacked in 8.6 P8 impossible to block. Possible bug!

Newtman
Posts: 8
Joined: Mon Mar 13, 2017 4:45 pm
Location: Montevideo, Uruguay
ZCS/ZD Version: ZCS 8.8.15 and ZCS 9.0.0

Account hacked in 8.6 P8 impossible to block. Possible bug!

Post by Newtman »

Hello,
I'm sysadmin of a big Zimbra Collaboration 8.6.0 P8 running on CentOS 6.7; every day a bunch of accounts are hacked by spammers using phishing...
Last week an account was hacked, I locked it and changed the password... But the account is still working!
The status is locked, I changed the password a lot of times, deleted tokens and restarted my whole platform.
The only way to stop it from sending spam is closing the account; the spammer can send mails without a password and in locked status.
I want to know how the hacker is getting into the account. I tried sniffing traffic with tcpdump and Wireshark without luck. I can't break TLS using my private key because I get this error:


association_add ssl.port port 587 handle 000002D49EE99AB0

dissect_ssl enter frame #11 (first time)
packet_from_server: is from server - FALSE
  conversation = 000002D4A05E4B00, ssl_session = 000002D4A05E6530
  record: offset = 0, reported_length_remaining = 271
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 266, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 262 bytes, remaining 271 
Calculating hash with offset 5 266
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #12 (first time)
packet_from_server: is from server - TRUE
  conversation = 000002D4A05E4B00, ssl_session = 000002D4A05E6530
  record: offset = 0, reported_length_remaining = 2736
ssl_try_set_version found version 0x0303 -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 61, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 57 bytes, remaining 66 
Calculating hash with offset 5 61
ssl_try_set_version found version 0x0303 -> state 0x11
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_set_cipher found CIPHER 0xC030 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 -> state 0x17
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
tls13_change_key TLS version 0x303 is not 1.3
tls13_change_key TLS version 0x303 is not 1.3
  record: offset = 66, reported_length_remaining = 2670

And here my auth log with the account in closed status:


# tailf /var/log/maillog |grep hackedaccount
Oct  2 15:06:32 zimbra-mta postfix/submission/smtpd[21472]: NOQUEUE: filter: RCPT from sandwich2.qwords.net[103.254.154.12]: <hackedaccount@domain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<hackedaccount@domain.com> to=<flo161164@hotmail.fr> proto=ESMTP helo=<salsabilarp.co.id>
Oct  2 15:06:32 zimbra-mta postfix/submission/smtpd[21472]: NOQUEUE: reject: RCPT from sandwich2.qwords.net[103.254.154.12]: 550 5.1.0 <hackedaccount@domain.com>: Sender address rejected: inau.gub.uy; from=<hackedaccount@domain.com> to=<flo161164@hotmail.fr> proto=ESMTP helo=<salsabilarp.co.id>
Oct  2 15:06:42 zimbra-mta postfix/submission/smtpd[21472]: NOQUEUE: filter: RCPT from sandwich2.qwords.net[103.254.154.12]: <hackedaccount@domain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<hackedaccount@domain.com> to=<hamoudi.fr@hotmail.fr> proto=ESMTP helo=<salsabilarp.co.id>
Oct  2 15:06:42 zimbra-mta postfix/submission/smtpd[21472]: NOQUEUE: reject: RCPT from sandwich2.qwords.net[103.254.154.12]: 550 5.1.0 <hackedaccount@domain.com>: Sender address rejected: inau.gub.uy; from=<hackedaccount@domain.com> to=<hamoudi.fr@hotmail.fr> proto=ESMTP helo=<salsabilarp.co.id>
Oct  2 15:06:47 zimbra-mta postfix/submission/smtpd[21909]: NOQUEUE: filter: RCPT from sandwich2.qwords.net[103.254.154.12]: <hackedaccount@domain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<hackedaccount@domain.com> to=<karim.bendjelloul@hotmail.fr> proto=ESMTP helo=<salsabilarp.co.id>
Oct  2 15:06:47 zimbra-mta postfix/submission/smtpd[21909]: NOQUEUE: reject: RCPT from sandwich2.qwords.net[103.254.154.12]: 550 5.1.0 <hackedaccount@domain.com>: Sender address rejected: inau.gub.uy; from=<hackedaccount@domain.com> to=<karim.bendjelloul@hotmail.fr> proto=ESMTP helo=<salsabilarp.co.id>
Oct  2 15:06:53 zimbra-mta postfix/submission/smtpd[21909]: NOQUEUE: filter: RCPT from sandwich2.qwords.net[103.254.154.12]: <hackedaccount@domain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<hackedaccount@domain.com> to=<franmatic@hotmail.fr> proto=ESMTP helo=<salsabilarp.co.id>
Oct  2 15:06:53 zimbra-mta postfix/submission/smtpd[21909]: NOQUEUE: reject: RCPT from sandwich2.qwords.net[103.254.154.12]: 550 5.1.0 <hackedaccount@domain.com>: Sender address rejected: inau.gub.uy; from=<hackedaccount@domain.com> to=<franmatic@hotmail.fr> proto=ESMTP helo=<salsabilarp.co.id>
Oct  2 15:06:58 zimbra-mta postfix/submission/smtpd[21909]: NOQUEUE: filter: RCPT from sandwich2.qwords.net[103.254.154.12]: <hackedaccount@domain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<hackedaccount@domain.com> to=<cyril.guillard@hotmail.fr> proto=ESMTP helo=<salsabilarp.co.id>
Oct  2 15:06:58 zimbra-mta postfix/submission/smtpd[21909]: NOQUEUE: reject: RCPT from sandwich2.qwords.net[103.254.154.12]: 550 5.1.0 <hackedaccount@domain.com>: Sender address rejected: inau.gub.uy; from=<hackedaccount@domain.com> to=<cyril.guillard@hotmail.fr> proto=ESMTP helo=<salsabilarp.co.id>
Oct  2 15:07:14 zimbra-mta postfix/submission/smtpd[23039]: NOQUEUE: filter: RCPT from sandwich2.qwords.net[103.254.154.12]: <hackedaccount@domain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<hackedaccount@domain.com> to=<gaston.delcoyl@wanadoo.fr> proto=ESMTP helo=<salsabilarp.co.id>
Oct  2 15:07:14 zimbra-mta postfix/submission/smtpd[23039]: NOQUEUE: reject: RCPT from sandwich2.qwords.net[103.254.154.12]: 550 5.1.0 <hackedaccount@domain.com>: Sender address rejected: inau.gub.uy; from=<hackedaccount@domain.com> to=<gaston.delcoyl@wanadoo.fr> proto=ESMTP helo=<salsabilarp.co.id>
I don't know how to solve this situation; I can't block his IP because he has got a very big botnet!

Thanks for your help.
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Re: Account hacked in 8.6 P8 impossible to block. Possible bug!

Post by jorgedlcruz »

Hello,
have you implemented the following on your server?
https://wiki.zimbra.com/wiki/Enforcing_ ... ername_8.5

Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
Newtman
Posts: 8
Joined: Mon Mar 13, 2017 4:45 pm
Location: Montevideo, Uruguay
ZCS/ZD Version: ZCS 8.8.15 and ZCS 9.0.0

Re: Account hacked in 8.6 P8 impossible to block. Possible bug!

Post by Newtman »

jorgedlcruz wrote:Hello,
have you implemented the following on your server?
https://wiki.zimbra.com/wiki/Enforcing_ ... ername_8.5

Best regards
Hello Jorge,
No, I don't, but that isn't my scenario. Look at this in my /var/log/zimbra.log:


Oct  2 16:48:45 zimbra-mta saslauthd[16686]: auth_zimbra: hackedaccount@domain.com auth failed: authentication failed for [hackedaccount@domain.com]
Oct  2 16:48:45 zimbra-mta saslauthd[16686]: do_auth         : auth failure: [user=hackedaccount@domain.com] [service=smtp] [realm=domain.com] [mech=zimbra] [reason=Unknown]
Oct  2 16:48:45 zimbra-mta saslauthd[16686]: do_auth         : auth failure: [user=hackedaccount@domain.com] [service=smtp] [realm=domain.com] [mech=zimbra] [reason=Unknown]
Oct  2 16:48:48 zimbra-mta saslauthd[16687]: auth_zimbra: hackedaccount@domain.com auth OK
Oct  2 16:48:49 zimbra-mta postfix/submission/smtpd[28970]: NOQUEUE: filter: RCPT from ipisu.nichost.ru[178.210.78.20]: <hackedaccount@domain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<hackedaccount@domain.com> to=<superbcement@gmail.com> proto=ESMTP helo=<ipisu.ru>
Oct  2 16:48:49 zimbra-mta postfix/submission/smtpd[28970]: NOQUEUE: reject: RCPT from ipisu.nichost.ru[178.210.78.20]: 550 5.1.0 <hackedaccount@domain.com>: Sender address rejected: domain.com; from=<hackedaccount@domain.com> to=<superbcement@gmail.com> proto=ESMTP helo=<ipisu.ru>
Oct  2 16:48:53 zimbra-mta saslauthd[16688]: zmpost: url='https://zimbrambx01.domain.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [hackedaccount@domain.com]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp509886383-55727:https://192.168.199.10:7071/service/admin/soap/:1506973729588:6b36b41b0d972cda</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
Oct  2 16:48:53 zimbra-mta saslauthd[16688]: auth_zimbra: hackedaccount@domain.com auth failed: authentication failed for [hackedaccount@domain.com]
Oct  2 16:48:53 zimbra-mta saslauthd[16688]: do_auth         : auth failure: [user=hackedaccount@domain.com] [service=smtp] [realm=domain.com] [mech=zimbra] [reason=Unknown]
Oct  2 16:48:56 zimbra-mta saslauthd[16668]: zmpost: url='https://zimbrambx01.domain.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [hackedaccount@domain.com]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp509886383-56100:https://192.168.199.10:7071/service/admin/soap/:1506973733241:6b36b41b0d972cda</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
Oct  2 16:48:56 zimbra-mta saslauthd[16668]: auth_zimbra: hackedaccount@domain.com auth failed: authentication failed for [hackedaccount@domain.com]
Oct  2 16:48:56 zimbra-mta saslauthd[16668]: do_auth         : auth failure: [user=hackedaccount@domain.com] [service=smtp] [realm=domain.com] [mech=zimbra] [reason=Unknown]
Oct  2 16:49:00 zimbra-mta saslauthd[16688]: auth_zimbra: hackedaccount@domain.com auth OK
Oct  2 16:49:01 zimbra-mta postfix/submission/smtpd[28219]: NOQUEUE: filter: RCPT from ipisu.nichost.ru[178.210.78.20]: <hackedaccount@domain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<hackedaccount@domain.com> to=<roqueja0@hotmail.com> proto=ESMTP helo=<ipisu.ru>
Oct  2 16:49:01 zimbra-mta postfix/submission/smtpd[28219]: NOQUEUE: reject: RCPT from ipisu.nichost.ru[178.210.78.20]: 550 5.1.0 <hackedaccount@domain.com>: Sender address rejected: domain.com; from=<hackedaccount@domain.com> to=<roqueja0@hotmail.com> proto=ESMTP helo=<ipisu.ru>
Now the account is closed; if it is locked, the mails go out.
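The two log excerpts in this thread (the /var/log/maillog submission lines in the first post and the saslauthd lines in this one) contain everything needed to triage the account without decrypting traffic: saslauthd reports `auth OK` / `auth failed` per user, and the Postfix submission smtpd line that follows a second later carries the client IP and the envelope sender. The script below is an added example, not code from the original post or from Zimbra; it correlates each submission line with the most recent successful SASL auth within a short window (a heuristic, because saslauthd lines carry no client IP), then counts distinct client IPs per authenticated user and flags senders that do not match the SASL login, which is the condition the wiki page linked above is about. The log lines in `SAMPLE_LOG`, the account names and the RFC 5737 documentation IPs are constructed for the example; the window and threshold are assumed values.

```python
"""Triage helper: correlate saslauthd results with Postfix submission client IPs.

Flags accounts that authenticate from many different networks and sessions
whose envelope sender differs from the SASL username.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the zimbra.log / maillog format shown in the thread.
SAMPLE_LOG = """\
Oct  2 16:48:45 zimbra-mta saslauthd[16686]: auth_zimbra: hackedaccount@domain.com auth failed: authentication failed for [hackedaccount@domain.com]
Oct  2 16:48:45 zimbra-mta saslauthd[16686]: do_auth         : auth failure: [user=hackedaccount@domain.com] [service=smtp] [realm=domain.com] [mech=zimbra] [reason=Unknown]
Oct  2 16:48:48 zimbra-mta saslauthd[16687]: auth_zimbra: hackedaccount@domain.com auth OK
Oct  2 16:48:49 zimbra-mta postfix/submission/smtpd[28970]: NOQUEUE: filter: RCPT from bot-a.example[203.0.113.20]: <hackedaccount@domain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<hackedaccount@domain.com> to=<victim1@example.net> proto=ESMTP helo=<bot-a>
Oct  2 16:49:00 zimbra-mta saslauthd[16688]: auth_zimbra: hackedaccount@domain.com auth OK
Oct  2 16:49:01 zimbra-mta postfix/submission/smtpd[28219]: NOQUEUE: filter: RCPT from bot-b.example[198.51.100.12]: <hackedaccount@domain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<hackedaccount@domain.com> to=<victim2@example.net> proto=ESMTP helo=<bot-b>
Oct  2 16:49:05 zimbra-mta saslauthd[16688]: auth_zimbra: alice@domain.com auth OK
Oct  2 16:49:06 zimbra-mta postfix/submission/smtpd[28220]: NOQUEUE: filter: RCPT from laptop.lan[192.0.2.10]: <alice@domain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<alice@domain.com> to=<bob@example.net> proto=ESMTP helo=<laptop>
Oct  2 16:49:10 zimbra-mta saslauthd[16689]: auth_zimbra: mallory@domain.com auth OK
Oct  2 16:49:11 zimbra-mta postfix/submission/smtpd[28221]: NOQUEUE: filter: RCPT from bot-c.example[203.0.113.77]: <ceo@domain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<ceo@domain.com> to=<victim3@example.net> proto=ESMTP helo=<bot-c>
"""

TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
SASL_RE = re.compile(
    TS + r" \S+ saslauthd\[\d+\]: auth_zimbra: (?P<user>\S+) auth (?P<result>OK|failed)")
SUBMIT_RE = re.compile(
    TS + r" \S+ postfix/submission/smtpd\[\d+\]: .*?RCPT from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:"
    r".*?from=<(?P<sender>[^>]*)>")


def parse_ts(text):
    """Syslog stamps carry no year; a fixed one keeps ordering inside a single file."""
    return datetime.strptime("2017 " + " ".join(text.split()), "%Y %b %d %H:%M:%S")


def triage(log_text, window_seconds=5):
    """Return per-user stats: auth counts, client IPs seen, and mismatched senders."""
    stats = defaultdict(lambda: {"auth_ok": 0, "auth_failed": 0,
                                 "client_ips": set(), "mismatched_senders": set()})
    last_ok = None  # (timestamp, user) of the most recent successful SASL auth
    for line in log_text.splitlines():
        m = SASL_RE.match(line)
        if m:
            user = m.group("user")
            if m.group("result") == "OK":
                stats[user]["auth_ok"] += 1
                last_ok = (parse_ts(m.group("ts")), user)
            else:
                stats[user]["auth_failed"] += 1
            continue
        m = SUBMIT_RE.match(line)
        if not m or last_ok is None:
            continue
        # Attribute the submission to the auth OK that immediately preceded it.
        ok_ts, user = last_ok
        if 0 <= (parse_ts(m.group("ts")) - ok_ts).total_seconds() <= window_seconds:
            stats[user]["client_ips"].add(m.group("ip"))
            if m.group("sender").lower() != user.lower():
                stats[user]["mismatched_senders"].add(m.group("sender"))
    return dict(stats)


def suspicious_accounts(stats, ip_threshold=2):
    """Users seen from >= ip_threshold client IPs, or sending as someone else."""
    return sorted(u for u, s in stats.items()
                  if len(s["client_ips"]) >= ip_threshold or s["mismatched_senders"])


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for user in suspicious_accounts(report):
        s = report[user]
        print(f"{user}: ok={s['auth_ok']} failed={s['auth_failed']} "
              f"ips={sorted(s['client_ips'])} mismatched={sorted(s['mismatched_senders'])}")
```

Run it over the real file with `triage(open('/var/log/zimbra.log').read())`. Note that the Wireshark output in the first post shows the session negotiated `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`; with an ephemeral (ECDHE) key exchange the server's RSA private key cannot decrypt a capture, which is why the dissector reports `no decoder available`, so log correlation of this kind is the practical route to seeing what the sessions do.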
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Re: Account hacked in 8.6 P8 impossible to block. Possible bug!

Post by jorgedlcruz »

Hello,
The IPs come from the same host; you can block their IP. Also the log says


auth_zimbra: hackedaccount@domain.com auth OK
So I guess they know the password; it's really weird, I will need to replicate the error in my lab.

Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
iomarmochtar
Posts: 41
Joined: Sat Sep 13, 2014 3:54 am
Location: Indonesia

Re: Account hacked in 8.6 P8 impossible to block. Possible bug!

Post by iomarmochtar »

Is the spammer only using the specified account? If so, you may try to use a truly randomized password, converting to base64 for instance.


zmprov sp hackedaccount@mail.com `echo "s3cret_sauC3" | base64`
Newtman
Posts: 8
Joined: Mon Mar 13, 2017 4:45 pm
Location: Montevideo, Uruguay
ZCS/ZD Version: ZCS 8.8.15 and ZCS 9.0.0

Re: Account hacked in 8.6 P8 impossible to block. Possible bug!

Post by Newtman »

jorgedlcruz wrote:Hello,
The IPs come from the same host; you can block their IP. Also the log says


auth_zimbra: hackedaccount@domain.com auth OK
So I guess they know the password; it's really weird, I will need to replicate the error in my lab.

Best regards
He renews his IP really quickly, 5-10 minutes, from a lot of countries.
iomarmochtar wrote:Is the spammer only using the specified account? If so, you may try to use a truly randomized password, converting to base64 for instance.


zmprov sp hackedaccount@mail.com `echo "s3cret_sauC3" | base64`
Thanks, but it doesn't work... He's still connecting to the account! Don't forget, the status is locked. I restarted the MTA after every change...

I don't understand how he's doing it, and why with only one account.