Today I found this thread just pursuing this situation and as far as I was keeping my eye on this.
I have been atacked by the end of March. I found this situation, by early April during a casual maintence on the server. On this date, I haven't got any logs (due log-roll) but on these last days my server has been touched again. So I could fetch for more information and, when I has got almost all the info, I found this forum. I read all messages, and I thought I could try to help.
My case is a Zimbra behind a relay, so first I step I made is to block all connections to/from internet throught my firewall at least as soon as I had made all investigation during these days
I found more IP addresses, but I think these ones are not interesting as far as it can vary from today to tomorrow. ISP's has been notified...but this is not the first time I do notifications, so I have not any expectations to be replied at all.
My found IP's
18.104.22.168 - China
22.214.171.124 - Alemania This is the <<account's creator>>
126.96.36.199 - Jakarta
188.8.131.52 - Trying to authenticate
184.108.40.206 - Trying to authenticate
...and calling-back home each 15 minutes:
It was funny to see that, after blocking these ones, begin to call each minute
Fortunately, it don't seems to go further, but I will keep an eye on my system.
an interesting point that I didn't read here...All connections has been identified coming from a Macintosh; Intel Mac OS X 10_8_2
Now, to reply some posts:
maxxer wrote:I wrote some guidelines on the behaviour of the attack and how to clean zmcat....
Maxxer. Thank you for your guide. I needed to follow the lines as far as my zimbra install differsa liitle bit
maxxer wrote:Has anyone with recurring infections checked if the attacker uploaded a key to /opt/zimbra/.ssh/authorized_keys? Or if there are remote ssh logins for the zimbra user?
Not up to now...but on my (main) server I found connections each hour to ssh coming from the above mentioned IP since the first attack, so I guess it's trying to do so
JDunphy wrote:I am working on a few tools to help with some proactive detection based on log analysis and came across greynoise today which can provide some information about the reputation of connecting ip's...
JDunphy - If still interested, I have got all data I found.
Now...time for my feared update to 8.8