I'm the sysadmin of a big Zimbra Collaboration 8.6.0 P8 running on CentOS 6.7; every day a bunch of accounts are hacked by spammers using phishing...
Last week an account was hacked; I locked it and changed the password... But the account is still working!
The status is locked, I changed the password a lot of times, deleted the tokens and restarted my whole platform.
The only way to stop the spam is closing the account; the spammer can send mails without a password and in locked status.
I want to know how the hacker gets into the account. I tried sniffing traffic with tcpdump and Wireshark without luck. I can't break TLS using my private key because I get this error:
```
association_add ssl.port port 587 handle 000002D49EE99AB0
dissect_ssl enter frame #11 (first time)
packet_from_server: is from server - FALSE
conversation = 000002D4A05E4B00, ssl_session = 000002D4A05E6530
record: offset = 0, reported_length_remaining = 271
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 266, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 262 bytes, remaining 271
Calculating hash with offset 5 266
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01
dissect_ssl enter frame #12 (first time)
packet_from_server: is from server - TRUE
conversation = 000002D4A05E4B00, ssl_session = 000002D4A05E6530
record: offset = 0, reported_length_remaining = 2736
ssl_try_set_version found version 0x0303 -> state 0x11
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 61, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 57 bytes, remaining 66
Calculating hash with offset 5 61
ssl_try_set_version found version 0x0303 -> state 0x11
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_set_cipher found CIPHER 0xC030 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 -> state 0x17
ssl_load_keyfile dtls/ssl.keylog_file is not configured!
tls13_change_key TLS version 0x303 is not 1.3
tls13_change_key TLS version 0x303 is not 1.3
record: offset = 66, reported_length_remaining = 2670
```
And here is my auth log with the account in closed status:
```
# tailf /var/log/maillog |grep hackedaccount
Oct 2 15:06:32 zimbra-mta postfix/submission/smtpd[21472]: NOQUEUE: filter: RCPT from sandwich2.qwords.net[103.254.154.12]: <hackedaccount@domain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<hackedaccount@domain.com> to=<flo161164@hotmail.fr> proto=ESMTP helo=<salsabilarp.co.id>
Oct 2 15:06:32 zimbra-mta postfix/submission/smtpd[21472]: NOQUEUE: reject: RCPT from sandwich2.qwords.net[103.254.154.12]: 550 5.1.0 <hackedaccount@domain.com>: Sender address rejected: inau.gub.uy; from=<hackedaccount@domain.com> to=<flo161164@hotmail.fr> proto=ESMTP helo=<salsabilarp.co.id>
Oct 2 15:06:42 zimbra-mta postfix/submission/smtpd[21472]: NOQUEUE: filter: RCPT from sandwich2.qwords.net[103.254.154.12]: <hackedaccount@domain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<hackedaccount@domain.com> to=<hamoudi.fr@hotmail.fr> proto=ESMTP helo=<salsabilarp.co.id>
Oct 2 15:06:42 zimbra-mta postfix/submission/smtpd[21472]: NOQUEUE: reject: RCPT from sandwich2.qwords.net[103.254.154.12]: 550 5.1.0 <hackedaccount@domain.com>: Sender address rejected: inau.gub.uy; from=<hackedaccount@domain.com> to=<hamoudi.fr@hotmail.fr> proto=ESMTP helo=<salsabilarp.co.id>
Oct 2 15:06:47 zimbra-mta postfix/submission/smtpd[21909]: NOQUEUE: filter: RCPT from sandwich2.qwords.net[103.254.154.12]: <hackedaccount@domain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<hackedaccount@domain.com> to=<karim.bendjelloul@hotmail.fr> proto=ESMTP helo=<salsabilarp.co.id>
Oct 2 15:06:47 zimbra-mta postfix/submission/smtpd[21909]: NOQUEUE: reject: RCPT from sandwich2.qwords.net[103.254.154.12]: 550 5.1.0 <hackedaccount@domain.com>: Sender address rejected: inau.gub.uy; from=<hackedaccount@domain.com> to=<karim.bendjelloul@hotmail.fr> proto=ESMTP helo=<salsabilarp.co.id>
Oct 2 15:06:53 zimbra-mta postfix/submission/smtpd[21909]: NOQUEUE: filter: RCPT from sandwich2.qwords.net[103.254.154.12]: <hackedaccount@domain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<hackedaccount@domain.com> to=<franmatic@hotmail.fr> proto=ESMTP helo=<salsabilarp.co.id>
Oct 2 15:06:53 zimbra-mta postfix/submission/smtpd[21909]: NOQUEUE: reject: RCPT from sandwich2.qwords.net[103.254.154.12]: 550 5.1.0 <hackedaccount@domain.com>: Sender address rejected: inau.gub.uy; from=<hackedaccount@domain.com> to=<franmatic@hotmail.fr> proto=ESMTP helo=<salsabilarp.co.id>
Oct 2 15:06:58 zimbra-mta postfix/submission/smtpd[21909]: NOQUEUE: filter: RCPT from sandwich2.qwords.net[103.254.154.12]: <hackedaccount@domain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<hackedaccount@domain.com> to=<cyril.guillard@hotmail.fr> proto=ESMTP helo=<salsabilarp.co.id>
Oct 2 15:06:58 zimbra-mta postfix/submission/smtpd[21909]: NOQUEUE: reject: RCPT from sandwich2.qwords.net[103.254.154.12]: 550 5.1.0 <hackedaccount@domain.com>: Sender address rejected: inau.gub.uy; from=<hackedaccount@domain.com> to=<cyril.guillard@hotmail.fr> proto=ESMTP helo=<salsabilarp.co.id>
Oct 2 15:07:14 zimbra-mta postfix/submission/smtpd[23039]: NOQUEUE: filter: RCPT from sandwich2.qwords.net[103.254.154.12]: <hackedaccount@domain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<hackedaccount@domain.com> to=<gaston.delcoyl@wanadoo.fr> proto=ESMTP helo=<salsabilarp.co.id>
Oct 2 15:07:14 zimbra-mta postfix/submission/smtpd[23039]: NOQUEUE: reject: RCPT from sandwich2.qwords.net[103.254.154.12]: 550 5.1.0 <hackedaccount@domain.com>: Sender address rejected: inau.gub.uy; from=<hackedaccount@domain.com> to=<gaston.delcoyl@wanadoo.fr> proto=ESMTP helo=<salsabilarp.co.id>
```
Thanks for your help.
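Added example, not from the original post or from Zimbra: the trace above negotiated TLS_ECDHE_RSA (ephemeral keys, so the server's RSA private key cannot decrypt the session), which makes the Postfix submission log the better evidence, and this script separates SASL-authenticated use of the account (logged by Postfix on the client= line as sasl_username=) from plain envelope-sender forgery in NOQUEUE lines. The sample input reuses two lines from the post plus one constructed authenticated session; the host example-client.invalid, the IP 192.0.2.10 and otheruser@domain.com are made up.

```python
import re
from collections import defaultdict

# Constructed sample: two NOQUEUE lines as in the post (forged envelope sender,
# no SASL) plus one made-up SASL-authenticated session for a different account.
SAMPLE_LOG = """\
Oct  2 15:06:32 zimbra-mta postfix/submission/smtpd[21472]: NOQUEUE: filter: RCPT from sandwich2.qwords.net[103.254.154.12]: <hackedaccount@domain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<hackedaccount@domain.com> to=<flo161164@hotmail.fr> proto=ESMTP helo=<salsabilarp.co.id>
Oct  2 15:06:32 zimbra-mta postfix/submission/smtpd[21472]: NOQUEUE: reject: RCPT from sandwich2.qwords.net[103.254.154.12]: 550 5.1.0 <hackedaccount@domain.com>: Sender address rejected: inau.gub.uy; from=<hackedaccount@domain.com> to=<flo161164@hotmail.fr> proto=ESMTP helo=<salsabilarp.co.id>
Oct  2 15:09:10 zimbra-mta postfix/submission/smtpd[21990]: 4B2C1D3E5F: client=example-client.invalid[192.0.2.10], sasl_method=PLAIN, sasl_username=otheruser@domain.com
"""

# Postfix records a successful SASL login on the "client=" line of a queued
# message; NOQUEUE reject/filter lines only carry the (unauthenticated) envelope sender.
SASL_RE = re.compile(
    r'client=(?P<host>\S+)\[(?P<ip>[^\]]+)\].*?sasl_username=(?P<user>\S+)')
NOQUEUE_RE = re.compile(
    r'NOQUEUE: (?P<action>\w+): RCPT from (?P<host>\S+)\[(?P<ip>[^\]]+)\]:'
    r'.*?from=<(?P<sender>[^>]*)>')


def triage_account(log_text, account):
    """Count authenticated logins vs. forged-sender attempts for one account."""
    report = {"sasl_logins": defaultdict(int), "forged_sender": defaultdict(int)}
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m and m.group("user").lower() == account.lower():
            report["sasl_logins"][m.group("ip")] += 1  # keyed by client IP
            continue
        m = NOQUEUE_RE.search(line)
        if m and m.group("sender").lower() == account.lower():
            # keyed by (client IP, postfix action) so rejects are visible
            report["forged_sender"][(m.group("ip"), m.group("action"))] += 1
    return report


def verdict(report):
    """Turn the counts into the question the admin actually needs answered."""
    if report["sasl_logins"]:
        return "authenticated sessions found: credentials or tokens still valid"
    if report["forged_sender"]:
        return "no logins: envelope sender is forged, check the reject counts"
    return "no activity for this account"


if __name__ == "__main__":
    for acct in ("hackedaccount@domain.com", "otheruser@domain.com"):
        r = triage_account(SAMPLE_LOG, acct)
        print(acct, dict(r["sasl_logins"]), dict(r["forged_sender"]), verdict(r))
```

On a real host, feed it the output of `grep submission /var/log/maillog` for the locked account; an absence of sasl_username hits with only reject actions means nobody is logging in and the address is merely being spoofed.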