Serious problem exploits "brute force attack"

cisco72
Posts: 12
Joined: Sat Sep 13, 2014 2:53 am

Serious problem exploits "brute force attack"

Post by cisco72 »

Hello everyone, I have been the victim of an attack on my server. My server does not publish port 7071, and the attack seems to originate from the server itself; I changed the password, but there are continuous attempts to log in.
The server has been upgraded to the latest releases and patches.
I report the logs below, please help me!!

/opt/zimbra/log/audit.log
2016-05-30 09:38:50,895 WARN [qtp509886383-1580:https://10.0.2.1:7071/service/admin/soap/] [name=f.onorato@eurotelag.com;ip=10.0.2.1;] security - cmd=Auth; account=f.onorato@eurotelag.com; protocol=soap; error=authentication failed for [f.onorato@eurotelag.com], invalid password;

/opt/zimbra/log/mailbox.log
2016-05-30 09:38:50,147 INFO [qtp509886383-1562:https://10.0.2.1:7071/service/admin/soap/] [name=f.onorato@eurotelag.com;ip=10.0.2.1;] SoapEngine - handler exception: authentication failed for [f.onorato@eurotelag.com], invalid password
2016-05-30 09:38:50,147 INFO [qtp509886383-1562:https://10.0.2.1:7071/service/admin/soap/] [name=f.onorato@eurotelag.com;ip=10.0.2.1;] soap - AuthRequest elapsed=0

/var/log/zimbra.log
May 30 09:56:18 mail saslauthd[7685]: zmpost: url='https://mail.eurotelag.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope ... r><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [f.onorato@eurotelag.com]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp509886383-1765:https://10.0.2.1:7071/service/admin/soa ... p:Envelope>', hti->error=''
May 30 09:56:18 mail saslauthd[7685]: auth_zimbra: f.onorato@eurotelag.com auth failed: authentication failed for [f.onorato@eurotelag.com]
May 30 09:56:18 mail saslauthd[7685]: do_auth : auth failure: [user=f.onorato@eurotelag.com] [service=smtp] [realm=eurotelag.com] [mech=zimbra] [reason=Unknown]

/var/log/auth.log
May 30 09:56:18 mail saslauthd[7685]: zmpost: url='https://mail.eurotelag.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope ... r><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [f.onorato@eurotelag.com]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp509886383-1765:https://10.0.2.1:7071/service/admin/soa ... p:Envelope>', hti->error=''
May 30 09:56:18 mail saslauthd[7685]: auth_zimbra: f.onorato@eurotelag.com auth failed: authentication failed for [f.onorato@eurotelag.com]
May 30 09:56:18 mail saslauthd[7685]: do_auth : auth failure: [user=f.onorato@eurotelag.com] [service=smtp] [realm=eurotelag.com] [mech=zimbra] [reason=Unknown]
cisco72
Posts: 12
Joined: Sat Sep 13, 2014 2:53 am

Re: Serious problem exploits "brute force attack"

Post by cisco72 »

Hello,
I noticed that if I put the original password back, the server starts sending spam. Can someone give me some help?

Thanks!!
babyporch
Posts: 3
Joined: Thu Mar 22, 2007 6:36 am

Re: Serious problem exploits "brute force attack"

Post by babyporch »

I think your account was hacked (worm or password discovered via web interface).

Simply change the password and do not reuse the old one.

The logs show the authentication attempt.

Ciao Francesco.
cisco72
Posts: 12
Joined: Sat Sep 13, 2014 2:53 am

Re: Serious problem exploits "brute force attack"

Post by cisco72 »

Hello babyporch,

the problem stems from the fact that 7071 has never been exposed to the internet; from the netstat output I see that the connections are generated by the server's own IP.
This makes me think of a script or something else that is running on the server.

Ciao Claudio
sastia
Posts: 1
Joined: Fri Aug 05, 2016 2:57 pm

Re: Serious problem exploits "brute force attack"

Post by sastia »

Hi Cisco72,

Did you ever find the cause of the problem? I'm having exactly the same situation. The attempts to connect seem to come from the server itself. I'm trying to find a bogus process that is launching the attempts, without success.

Any comment will be appreciated.
v1rtu4l
Posts: 36
Joined: Tue Jun 28, 2016 3:04 pm

Re: Serious problem exploits "brute force attack"

Post by v1rtu4l »

If the connection is from your own IP address, that only means that it is a login via the web interface.


Sent from my SM-N910F using Tapatalk
ALP_88
Posts: 6
Joined: Thu Aug 25, 2016 1:48 am

Re: Serious problem exploits "brute force attack"

Post by ALP_88 »

Hello everyone, I find myself with the same problem and I could not solve it. Has someone found the solution? Thank you very much
liverpoolfcfan
Elite member
Posts: 1096
Joined: Sat Sep 13, 2014 12:47 am

Re: Serious problem exploits "brute force attack"

Post by liverpoolfcfan »

Someone is trying to send authenticated email from outside your server - using the submission port (465)

If you open /var/log/zimbra.log and search for one of the saslauthd lines you quoted, you will find that the preceding 3 lines should give you the information about the source of the connection.

For example

Aug 25 07:29:47 mail postfix/submission/smtpd[16296]: connect from mail-it0-f51.google.com[209.85.214.51]
Aug 25 07:29:48 mail postfix/submission/smtpd[16296]: Anonymous TLS connection established from mail-it0-f51.google.com[209.85.214.51]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Aug 25 07:29:48 mail saslauthd[4831]: zmauth: authenticating against elected url 'https://yourServer:7071/service/admin/soap/' ...
Aug 25 07:29:49 mail saslauthd[4831]: zmpost: url='https://yourServer:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope ... r><context xmlns="urn:zimbra"><change token="223912"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken> removed </authToken><lifetime>86400000</lifetime><skin>harmony</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''

Here you can see the incoming connection was from google.com - and in my case this was a legitimate connection.

You should be able to use the IP address quoted to block the connection using the firewall.
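The correlation described in this reply can be automated. The following script is an added example, not code from the thread or from Zimbra: it walks a zimbra.log in order, remembers the open postfix/submission/smtpd sessions from their "connect from host[ip]" lines, and attributes each saslauthd "auth OK"/"auth failed" result to the session opened most recently, since saslauthd itself only shows the server's own IP (it proxies the credentials to the admin SOAP URL on 7071, which is why audit.log reports the local address). The sample log, host names and addresses are constructed placeholders; the matching is a heuristic, because saslauthd does not log which smtpd process it is serving, so under heavy concurrent load an attempt can be credited to the wrong session.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of /var/log/zimbra.log, modelled on the lines quoted in the
# thread. Hosts, IPs and accounts are placeholders, not from any real server.
SAMPLE_LOG = """\
Aug 25 07:29:47 mail postfix/submission/smtpd[16296]: connect from mail.example.net[198.51.100.7]
Aug 25 07:29:48 mail postfix/submission/smtpd[16296]: Anonymous TLS connection established from mail.example.net[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Aug 25 07:29:48 mail saslauthd[4831]: zmauth: authenticating against elected url 'https://mail.example.com:7071/service/admin/soap/' ...
Aug 25 07:29:49 mail saslauthd[4831]: auth_zimbra: alice@example.com auth OK
Aug 25 07:29:49 mail postfix/submission/smtpd[16296]: disconnect from mail.example.net[198.51.100.7]
Aug 25 07:30:02 mail postfix/submission/smtpd[16301]: connect from unknown[203.0.113.5]
Aug 25 07:30:03 mail saslauthd[4832]: auth_zimbra: bob@example.com auth failed: authentication failed for [bob@example.com]
Aug 25 07:30:03 mail saslauthd[4832]: do_auth : auth failure: [user=bob@example.com] [service=smtp] [realm=example.com] [mech=zimbra] [reason=Unknown]
Aug 25 07:30:04 mail saslauthd[4832]: auth_zimbra: bob@example.com auth failed: authentication failed for [bob@example.com]
Aug 25 07:30:04 mail postfix/submission/smtpd[16301]: disconnect from unknown[203.0.113.5]
Aug 25 07:30:10 mail postfix/submission/smtpd[16305]: connect from unknown[203.0.113.5]
Aug 25 07:30:11 mail saslauthd[4833]: auth_zimbra: bob@example.com auth failed: authentication failed for [bob@example.com]
Aug 25 07:30:11 mail postfix/submission/smtpd[16305]: disconnect from unknown[203.0.113.5]
"""

# syslog timestamp, smtpd pid, remote host name, remote IP
CONNECT_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/\S*smtpd\[(\d+)\]: connect from (\S+)\[([\d.]+)\]")
DISCONNECT_RE = re.compile(
    r"^\S+ +\d+ \S+ \S+ postfix/\S*smtpd\[(\d+)\]: disconnect from ")
# saslauthd result line: account plus OK/failed
AUTH_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ saslauthd\[\d+\]: auth_zimbra: (\S+) auth (OK|failed)")


def parse_log(lines):
    """Walk the log in order and pair every saslauthd auth result with the
    submission session that most plausibly triggered it."""
    open_sessions = {}  # smtpd pid -> (connect_time, remote_host, remote_ip)
    events = []
    for line in lines:
        m = CONNECT_RE.match(line)
        if m:
            ts, pid, host, ip = m.groups()
            # syslog has no year; strptime yields 1900, which is fine for ordering within one file
            open_sessions[pid] = (datetime.strptime(ts, "%b %d %H:%M:%S"), host, ip)
            continue
        m = DISCONNECT_RE.match(line)
        if m:
            open_sessions.pop(m.group(1), None)
            continue
        m = AUTH_RE.match(line)
        if m:
            ts, account, result = m.groups()
            if open_sessions:
                # Heuristic: saslauthd does not log which smtpd it serves, so take the
                # session opened most recently. Concurrent sessions can be misattributed.
                _, host, ip = max(open_sessions.values(), key=lambda s: s[0])
            else:
                # No submission session open: the auth came some other way (e.g. web UI)
                host, ip = "unknown", None
            events.append({"time": ts, "account": account, "result": result,
                           "host": host, "ip": ip})
    return events


def failures_per_ip(events):
    """Count failed authentications by attributed remote IP."""
    return Counter(e["ip"] for e in events if e["result"] == "failed" and e["ip"])


def suspects(events, threshold=3):
    """IPs whose failure count reaches the threshold: candidates for a firewall block."""
    return sorted(ip for ip, n in failures_per_ip(events).items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG.splitlines())
    for e in evs:
        print(f'{e["time"]} {e["result"]:6} {e["account"]:22} via {e["host"]}[{e["ip"]}]')
    print("failures per IP:", dict(failures_per_ip(evs)))
    print("suspects:", suspects(evs))
```

To run it on a real server, replace the sample with `open("/var/log/zimbra.log")` and feed the file object to `parse_log`; the suspect list is what you would then feed to the firewall rule. The "do_auth : auth failure" lines are deliberately ignored so that one attempt is not counted twice.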
MartinsBonders
Posts: 22
Joined: Wed May 18, 2016 8:12 am

Re: Serious problem exploits "brute force attack"

Post by MartinsBonders »

Yes, the same problem started 2 days ago! 7071 has an access list allowing only 2 IPs, but the log is full of IPs accessing this port. Is this a Zimbra exploit?!
7224jobe
Outstanding Member
Outstanding Member
Posts: 283
Joined: Sat Sep 13, 2014 1:55 am
ZCS/ZD Version: 8.8.15_FOSS Patch38

Re: Serious problem exploits "brute force attack"

Post by 7224jobe »

Same problem here... successful login attempts to the admin web page (port 7071) from within the server.
In zimbra.log I see:

Apr 19 19:06:33 mail saslauthd[8160]: auth_zimbra: user1 auth OK
Apr 19 19:07:03 mail saslauthd[8161]: zmauth: authenticating against elected url 'https://mail.domain.com:7071/service/admin/soap/' ...
Apr 19 19:07:03 mail saslauthd[8161]: zmpost: url='https://mail.domain.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="20959"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_d1dd00e7eb79810aadaa9b5c4b3d97df8979b9e9_69643d33363a62343038346134362d333733362d346234342d626630642d34376562326531698755773b6578703d31333a31343932895423687393b76763d313a313b747970653d363a7a696d6272613b7469643d31303a9515669752444303b76657273696f6e3d31333a382e362e305f47415f313135333b</authToken><lifetime>172799998</lifetime><skin>serenity</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''
But user1 is not an administrator...

[zimbra@mail ~]$ zmcontrol -v
Release 8.6.0_GA_1153.RHEL6_64_20141215151155 RHEL6_64 FOSS edition, Patch 8.6.0_P7.