One user account was hacked and spammed out last week. We already changed his password and cleaned up all the spam mail. We monitored for 3 days.
But today we found something in the server audit log. It is quite strange that someone used localhost / our own internal IP to connect to the admin console. Although the auth failed, we wonder whether our server has problems.
Log details:
2018-11-05 22:20:03,148 INFO [qtp509886383-511:https://127.0.0.1:7071/service/admin/soap/AuthRequest] [name=zimbra;ip=127.0.0.1;ua=zmprov/8.6.0_GA_1153;] security - cmd=AdminAuth; account=zimbra;
2018-11-05 22:20:03,157 INFO [qtp509886383-511:https://127.0.0.1:7071/service/admin/soap/AuthRequest] [name=zimbra;ip=127.0.0.1;ua=zmprov/8.6.0_GA_1153;] security - cmd=Auth; account=zimbra; protocol=soap;
2018-11-05 22:20:04,158 WARN [qtp509886383-510:https://192.168.x.x:7071/service/admin/soap/] [name=admin@xxx.com;ip=192.168.x.x;] security - cmd=Auth; account=admin@xxx.com; protocol=soap; error=authentication failed for [admin], invalid password;
Our server is Ubuntu 14.04 LTS with Zimbra 8.6. It is a cloud server. It is only connected to another IMSVA server and a firewall.
I don't know how to figure out the problem. How do I trace [qtp509886383-510]? Is that not an IP?
Has any experienced user faced this case? Any ideas for me?
Please help.
Server is hacked??
Re: Server is hacked??
Have you tried to get a list of the logins being attempted from zimbra.log? You can try this command: cat /var/log/zimbra.log | grep sasl_username > list
-
- Posts: 5
- Joined: Mon Nov 05, 2018 2:23 pm
Re: Server is hacked??
I tried cat /var/log/zimbra.log | grep sasl_username > list,
but nothing was displayed.
I found this zombie process. Is it a problem?
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
zimbra 11131 0.0 0.0 0 0 ? Z Nov05 0:00 [sh] <defunct>
root@mail:~# pstree -p -s 11131
init(1)───auditswatch(26753)───perl(26757)───sh(11131)
root@mail:~# ps -eaf |grep 26753
zimbra 26753 1 0 Oct29 ? 00:00:00 /usr/bin/perl /opt/zimbra/libexec/auditswatch --config-file=/opt/zimbra/conf/auditswatchrc --use-cpan-file-tail --script-dir=/opt/zimbra/data/tmp --tail-file /opt/zimbra/log/audit.log
zimbra 26757 26753 0 Oct29 ? 00:06:33 /usr/bin/perl /opt/zimbra/data/tmp/.swatch_script.26753
But it seems to be a Zimbra process... I am not sure.
-
- Posts: 5
- Joined: Mon Nov 05, 2018 2:23 pm
Re: Server is hacked??
Still cannot find out what the problem is.
Today, it tried to log in until the admin account was locked out.
2018-11-13 07:46:09,023 WARN [qtp509886383-67832:https://192.168.0.2:7071/service/admin/soap/] [name=admin@nexusxxxx.com;ip=192.168.0.2;] security - cmd=Auth; account=admin@nexusxxxx.com; protocol=soap; error=authentication failed for [admin], account lockout;
Are there any tools I can use to scan whether my Zimbra is getting hacked?
- DualBoot
- Elite member
- Posts: 1326
- Joined: Mon Apr 18, 2016 8:18 pm
- Location: France - Earth
- ZCS/ZD Version: ZCS FLOSS - 8.8.15 Mutli servers
Re: Server is hacked??
Hello,
It looks like you have been brute forced. In this case not only SMTP authentication could have been targeted, so
you must look in /opt/zimbra/log/audit.log to see if there are any traces.
You can use fail2ban to stop this kind of attack.
Regards,
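The two things the thread turns on are (a) reading the audit.log lines correctly and (b) finding the brute-force pattern in them, which is what the last reply points at. Two facts help with (a): the `[qtp509886383-510:...]` token the original poster asks about is the name of the Jetty QueuedThreadPool thread that handled the request, not a network address; the client address is the `ip=` field, and the `https://192.168.x.x:7071` part is the URL the client hit. Also, `sasl_username` only appears in /var/log/zimbra.log for SMTP AUTH through Postfix, so a grep for it finds nothing when the attempts are against the SOAP admin endpoint on port 7071, which is recorded in /opt/zimbra/log/audit.log instead. The script below is an added example written for this page, not something from the thread or from Zimbra; it parses audit.log lines in the format quoted above, counts failed `Auth` attempts per (ip, account), flags bursts that exceed a threshold inside a time window, records lockouts, and separately tallies successful local logins whose user-agent is `zmprov/`, which is what the 127.0.0.1 `name=zimbra` lines look like (a zmprov invocation on the box itself authenticating as the zimbra admin account). The sample log lines are constructed for the example, with placeholder addresses and domain; the window and threshold values are assumptions, not Zimbra defaults.

```python
import re
import sys
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the audit.log lines quoted in the thread.
# Addresses and the domain are placeholders, not real data.
SAMPLE_AUDIT_LOG = """\
2018-11-05 22:20:03,148 INFO [qtp509886383-511:https://127.0.0.1:7071/service/admin/soap/AuthRequest] [name=zimbra;ip=127.0.0.1;ua=zmprov/8.6.0_GA_1153;] security - cmd=AdminAuth; account=zimbra;
2018-11-05 22:20:03,157 INFO [qtp509886383-511:https://127.0.0.1:7071/service/admin/soap/AuthRequest] [name=zimbra;ip=127.0.0.1;ua=zmprov/8.6.0_GA_1153;] security - cmd=Auth; account=zimbra; protocol=soap;
2018-11-05 22:20:04,158 WARN [qtp509886383-510:https://192.168.0.2:7071/service/admin/soap/] [name=admin@example.com;ip=192.168.0.2;] security - cmd=Auth; account=admin@example.com; protocol=soap; error=authentication failed for [admin], invalid password;
2018-11-05 22:20:05,201 WARN [qtp509886383-512:https://192.168.0.2:7071/service/admin/soap/] [name=admin@example.com;ip=192.168.0.2;] security - cmd=Auth; account=admin@example.com; protocol=soap; error=authentication failed for [admin], invalid password;
2018-11-05 22:20:06,377 WARN [qtp509886383-513:https://192.168.0.2:7071/service/admin/soap/] [name=admin@example.com;ip=192.168.0.2;] security - cmd=Auth; account=admin@example.com; protocol=soap; error=authentication failed for [admin], invalid password;
2018-11-05 22:20:07,402 WARN [qtp509886383-514:https://192.168.0.2:7071/service/admin/soap/] [name=admin@example.com;ip=192.168.0.2;] security - cmd=Auth; account=admin@example.com; protocol=soap; error=authentication failed for [admin], account lockout;
"""

# "qtp..." is the Jetty QueuedThreadPool thread name; the client address is
# the ip= field inside the second bracket, so the regex keeps them apart.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ (?P<level>\w+) '
    r'\[(?P<thread>[^:\]]+)(?::[^\]]*)?\] '
    r'\[(?P<ctx>[^\]]*)\] security - (?P<fields>.*)$'
)


def parse_kv(text):
    """Split 'k=v; k=v;' (or 'k=v;k=v;') into a dict; values may contain commas."""
    out = {}
    for part in text.split(';'):
        part = part.strip()
        if '=' in part:
            key, value = part.split('=', 1)
            out[key.strip()] = value.strip()
    return out


def parse_audit_line(line):
    """Return a dict for one audit.log 'security -' line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ctx = parse_kv(m.group('ctx'))
    fields = parse_kv(m.group('fields'))
    return {
        'ts': datetime.strptime(m.group('ts'), '%Y-%m-%d %H:%M:%S'),
        'level': m.group('level'),
        'thread': m.group('thread'),
        'ip': ctx.get('ip'),
        'ua': ctx.get('ua'),
        'cmd': fields.get('cmd'),
        'account': fields.get('account'),
        'error': fields.get('error'),
    }


def summarize_auth(lines, window_seconds=60, threshold=3):
    """Aggregate Auth/AdminAuth events: failures per (ip, account), bursts, lockouts,
    and successful local zmprov logins. window/threshold are assumed values."""
    failures = defaultdict(list)   # (ip, account) -> sorted list of timestamps
    lockouts = set()
    local_zmprov = 0
    for line in lines:
        ev = parse_audit_line(line)
        if ev is None or ev['cmd'] not in ('Auth', 'AdminAuth'):
            continue
        if ev['error']:
            key = (ev['ip'], ev['account'])
            failures[key].append(ev['ts'])
            if 'account lockout' in ev['error']:
                lockouts.add(key)
        elif ev['ip'] == '127.0.0.1' and (ev['ua'] or '').startswith('zmprov/'):
            # Local CLI authenticating as the zimbra admin account: expected noise,
            # worth counting but not a sign of an external attacker.
            local_zmprov += 1
    # Sliding window: largest number of failures for a key inside window_seconds.
    suspects = {}
    for key, stamps in failures.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while j + 1 < len(stamps) and (stamps[j + 1] - stamps[i]).total_seconds() <= window_seconds:
                j += 1
            burst = j - i + 1
            if burst >= threshold:
                suspects[key] = max(suspects.get(key, 0), burst)
    return {
        'failures': {k: len(v) for k, v in failures.items()},
        'suspects': suspects,
        'lockouts': lockouts,
        'local_zmprov_logins': local_zmprov,
    }


if __name__ == '__main__':
    # Usage: python audit_auth.py /opt/zimbra/log/audit.log  (defaults to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding='utf-8', errors='replace') as fh:
            report = summarize_auth(fh)
    else:
        report = summarize_auth(SAMPLE_AUDIT_LOG.splitlines())
    for (ip, account), n in sorted(report['failures'].items(), key=lambda kv: -kv[1]):
        flag = ' BURST' if (ip, account) in report['suspects'] else ''
        lock = ' LOCKOUT' if (ip, account) in report['lockouts'] else ''
        print(f'{ip:15} {account:30} failures={n}{flag}{lock}')
    print(f'local zmprov logins from 127.0.0.1: {report["local_zmprov_logins"]}')
```

On the poster's setup the only hosts that can reach 7071 on 192.168.0.2 are the IMSVA box and the firewall, so an `ip=` value in a burst narrows the search to whichever of those owns that address (or to something behind the firewall doing NAT); the same key set is what a fail2ban filter would match on, using the `ip=` field as the `<HOST>` token and the `error=authentication failed` text as the failure marker.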