
Serious problem exploits "brute force attack"

Posted: Mon May 30, 2016 8:01 am
by cisco72
Hello everyone, I have been the victim of an attack on my server. My server does not expose port 7071, and the attack seems to originate from the server itself; I changed the password but there are continuous attempts to log in.
The server has been upgraded to the latest releases and patches.
I report the logs below, please help me!!

/opt/zimbra/log/audit.log
2016-05-30 09:38:50,895 WARN [qtp509886383-1580:https://10.0.2.1:7071/service/admin/soap/] [name=f.onorato@eurotelag.com;ip=10.0.2.1;] security - cmd=Auth; account=f.onorato@eurotelag.com; protocol=soap; error=authentication failed for [f.onorato@eurotelag.com], invalid password;

/opt/zimbra/log/mailbox.log
2016-05-30 09:38:50,147 INFO [qtp509886383-1562:https://10.0.2.1:7071/service/admin/soap/] [name=f.onorato@eurotelag.com;ip=10.0.2.1;] SoapEngine - handler exception: authentication failed for [f.onorato@eurotelag.com], invalid password
2016-05-30 09:38:50,147 INFO [qtp509886383-1562:https://10.0.2.1:7071/service/admin/soap/] [name=f.onorato@eurotelag.com;ip=10.0.2.1;] soap - AuthRequest elapsed=0

/var/log/zimbra.log
May 30 09:56:18 mail saslauthd[7685]: zmpost: url='https://mail.eurotelag.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [f.onorato@eurotelag.com]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp509886383-1765:https://10.0.2.1:7071/service/admin/soap/:1464594978133:a61ce3380f5134a9</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
May 30 09:56:18 mail saslauthd[7685]: auth_zimbra: f.onorato@eurotelag.com auth failed: authentication failed for [f.onorato@eurotelag.com]
May 30 09:56:18 mail saslauthd[7685]: do_auth : auth failure: [user=f.onorato@eurotelag.com] [service=smtp] [realm=eurotelag.com] [mech=zimbra] [reason=Unknown]

/var/log/auth.log
May 30 09:56:18 mail saslauthd[7685]: zmpost: url='https://mail.eurotelag.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [f.onorato@eurotelag.com]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp509886383-1765:https://10.0.2.1:7071/service/admin/soap/:1464594978133:a61ce3380f5134a9</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
May 30 09:56:18 mail saslauthd[7685]: auth_zimbra: f.onorato@eurotelag.com auth failed: authentication failed for [f.onorato@eurotelag.com]
May 30 09:56:18 mail saslauthd[7685]: do_auth : auth failure: [user=f.onorato@eurotelag.com] [service=smtp] [realm=eurotelag.com] [mech=zimbra] [reason=Unknown]

Re: Serious problem exploits "brute force attack"

Posted: Mon May 30, 2016 12:19 pm
by cisco72
Hello,
I noticed that if I put the original password back, the server starts sending spam. Can someone help me?

Thanks!!

Re: Serious problem exploits "brute force attack"

Posted: Wed Jun 01, 2016 8:07 am
by babyporch
I think your account was hacked (worm or password discovered via web interface).

Simply change the password and do not put the old one back.

The logs show the authentication attempt.

Ciao Francesco.

Re: Serious problem exploits "brute force attack"

Posted: Wed Jun 01, 2016 9:22 am
by cisco72
Hello babyporch,

The problem stems from the fact that 7071 has never been exposed to the internet; from the netstat output I see that the connections are generated by the same IP as the server.
This makes me think of a script or something else that is running on the server.

Ciao Claudio

Re: Serious problem exploits "brute force attack"

Posted: Fri Aug 05, 2016 3:25 pm
by sastia
Hi Cisco72,

Did you ever find the cause of the problem? I'm having exactly the same situation. The attempts to connect seem to come from the server itself. I'm trying to find a bogus process that is launching the attempts, without success.

Any comment will be appreciated.

Re: Serious problem exploits "brute force attack"

Posted: Sat Aug 06, 2016 6:38 pm
by v1rtu4l
If the connection is from its own IP address, that only means that it is a login via the web interface.


Sent from my SM-N910F using Tapatalk

Re: Serious problem exploits "brute force attack"

Posted: Thu Aug 25, 2016 1:56 am
by ALP_88
Hello everyone, I find myself with the same problem and I could not solve it. Someone found the solution ..? Thank you very much

Re: Serious problem exploits "brute force attack"

Posted: Thu Aug 25, 2016 2:38 pm
by liverpoolfcfan
Someone is trying to send authenticated email from outside your server - using the submission port (465)

If you open /var/log/zimbra.log and search for one of the saslauthd lines you quoted, you will find that the preceding 3 lines should give you the information about the source of the connection.

For example

Aug 25 07:29:47 mail postfix/submission/smtpd[16296]: connect from mail-it0-f51.google.com[209.85.214.51]
Aug 25 07:29:48 mail postfix/submission/smtpd[16296]: Anonymous TLS connection established from mail-it0-f51.google.com[209.85.214.51]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Aug 25 07:29:48 mail saslauthd[4831]: zmauth: authenticating against elected url 'https://yourServer:7071/service/admin/soap/' ...
Aug 25 07:29:49 mail saslauthd[4831]: zmpost: url='https://yourServer:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="223912"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken> removed </authToken><lifetime>86400000</lifetime><skin>harmony</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''

Here you can see the incoming connection was from google.com - and in my case this was a legitimate connection.

You should be able to use the IP address quoted to block the connection using the firewall.
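The procedure above can be automated. The following is an added example, not code from this thread or from Zimbra. It correlates the saslauthd failure lines with the postfix smtpd "connect from" line of the session that triggered them, which is where the real client IP lives: saslauthd's "zimbra" mechanism checks SMTP AUTH credentials by making a SOAP AuthRequest to the admin endpoint on port 7071 of the server itself, so the ip= field in audit.log and the peer shown by netstat are always the server's own address, whether the SMTP client is across the internet or not. The attribution is a heuristic (most recently connected smtpd session that has not yet disconnected); on a busy server with many concurrent sessions, prefer the postfix smtpd warning line that reports "SASL ... authentication failed" together with the client address, when your Postfix logs it. The log lines embedded below are constructed for the example, modelled on the lines quoted in the thread, with example.com domains and a documentation-range attacker address; note that on a successful login saslauthd writes the full authToken into zimbra.log, so treat that file as sensitive.

```python
"""Attribute saslauthd auth results in /var/log/zimbra.log to the postfix smtpd
session that caused them, then list source IPs worth firewalling.

Added example for this thread; not Zimbra's or the posters' code.
"""
import re
from collections import Counter
from datetime import datetime

# syslog timestamp: "Aug 25 07:29:47" or "Aug  5 07:29:47" (no year)
TS = r"(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d)"
CONNECT = re.compile(TS + r" \S+ postfix/(?:\S+/)?smtpd\[(?P<pid>\d+)\]: "
                     r"connect from (?P<host>\S+)\[(?P<ip>[^\]]+)\]")
DISCONNECT = re.compile(TS + r" \S+ postfix/(?:\S+/)?smtpd\[(?P<pid>\d+)\]: disconnect from ")
# only the do_auth line is counted, so a failure is not counted twice
SASL_FAIL = re.compile(TS + r" \S+ saslauthd\[\d+\]: do_auth : auth failure: \[user=(?P<user>[^\]]+)\]")
SASL_OK = re.compile(TS + r" \S+ saslauthd\[\d+\]: auth_zimbra: (?P<user>\S+) auth OK")

# Constructed sample log (not from the original page): one legitimate login from
# Google over submission, three failures against one account from 198.51.100.23
# over smtps, and one failure with no smtpd session to attribute it to.
SAMPLE_LOG = """\
Aug 25 07:29:47 mail postfix/submission/smtpd[16296]: connect from mail-it0-f51.google.com[209.85.214.51]
Aug 25 07:29:48 mail postfix/submission/smtpd[16296]: Anonymous TLS connection established from mail-it0-f51.google.com[209.85.214.51]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Aug 25 07:29:48 mail saslauthd[4831]: zmauth: authenticating against elected url 'https://mail.example.com:7071/service/admin/soap/' ...
Aug 25 07:29:49 mail saslauthd[4831]: auth_zimbra: user1 auth OK
Aug 25 07:29:50 mail postfix/submission/smtpd[16296]: disconnect from mail-it0-f51.google.com[209.85.214.51]
Aug 25 07:30:01 mail postfix/smtps/smtpd[16310]: connect from unknown[198.51.100.23]
Aug 25 07:30:02 mail saslauthd[4831]: zmauth: authenticating against elected url 'https://mail.example.com:7071/service/admin/soap/' ...
Aug 25 07:30:02 mail saslauthd[4831]: auth_zimbra: f.onorato@example.com auth failed: authentication failed for [f.onorato@example.com]
Aug 25 07:30:02 mail saslauthd[4831]: do_auth : auth failure: [user=f.onorato@example.com] [service=smtp] [realm=example.com] [mech=zimbra] [reason=Unknown]
Aug 25 07:30:04 mail saslauthd[4832]: do_auth : auth failure: [user=f.onorato@example.com] [service=smtp] [realm=example.com] [mech=zimbra] [reason=Unknown]
Aug 25 07:30:06 mail saslauthd[4831]: do_auth : auth failure: [user=f.onorato@example.com] [service=smtp] [realm=example.com] [mech=zimbra] [reason=Unknown]
Aug 25 07:30:07 mail postfix/smtps/smtpd[16310]: disconnect from unknown[198.51.100.23]
Aug 25 07:45:12 mail saslauthd[4831]: do_auth : auth failure: [user=admin@example.com] [service=smtp] [realm=example.com] [mech=zimbra] [reason=Unknown]
"""


def parse_ts(s):
    # year 1900 is fine: we only compare timestamps within one log file
    return datetime.strptime(s, "%b %d %H:%M:%S")


def attribute(open_sessions, when, max_age):
    """Most recently connected smtpd session still open at `when`.

    Sessions older than max_age seconds are ignored: their disconnect line
    may have been rotated away, and a stale session must not absorb events.
    """
    best = None
    for sess in open_sessions.values():
        age = (when - sess[0]).total_seconds()
        if 0 <= age <= max_age and (best is None or sess[0] > best[0]):
            best = sess
    return best


def correlate(lines, max_age=600):
    """Return (failures, successes, unattributed).

    failures/successes map (client_ip, user) -> count; unattributed holds the
    saslauthd lines for which no open smtpd session could be found.
    """
    open_sessions = {}          # smtpd pid -> (connect_ts, ip, host)
    failures, successes, unattributed = Counter(), Counter(), []
    for line in lines:
        m = CONNECT.match(line)
        if m:
            open_sessions[m["pid"]] = (parse_ts(m["ts"]), m["ip"], m["host"])
            continue
        m = DISCONNECT.match(line)
        if m:
            open_sessions.pop(m["pid"], None)
            continue
        for rx, bucket in ((SASL_FAIL, failures), (SASL_OK, successes)):
            m = rx.match(line)
            if m:
                sess = attribute(open_sessions, parse_ts(m["ts"]), max_age)
                if sess is None:
                    unattributed.append(line.rstrip())
                else:
                    bucket[(sess[1], m["user"])] += 1
                break
    return dict(failures), dict(successes), unattributed


def block_candidates(failures, threshold=3):
    """Client IPs with at least `threshold` failed logins across all accounts."""
    per_ip = Counter()
    for (ip, _user), n in failures.items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


if __name__ == "__main__":
    fails, oks, unknown = correlate(SAMPLE_LOG.splitlines())
    for (ip, user), n in sorted(fails.items(), key=lambda kv: -kv[1]):
        print(f"{n:4d} failed  {user:<28} from {ip}")
    for (ip, user), n in oks.items():
        print(f"{n:4d} OK      {user:<28} from {ip}")
    print("unattributed saslauthd lines:", len(unknown))
    print("firewall candidates:", block_candidates(fails))
```

To run it against a real server, replace `SAMPLE_LOG.splitlines()` with the lines of /var/log/zimbra.log (and its rotated predecessors, since a session's connect line can sit in an older file). A success attributed to an unexpected IP after a run of failures is the case the thread describes, a compromised password rather than a local process, and the fix is the one given above: change it and do not reuse the old one.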

Re: Serious problem exploits "brute force attack"

Posted: Fri Dec 30, 2016 1:32 pm
by MartinsBonders
Yes, the same problem started 2 days ago! 7071 has an access list allowing only 2 IPs, but the log is full of IPs accessing this port. Is this a Zimbra exploit?!

Re: Serious problem exploits "brute force attack"

Posted: Wed Apr 19, 2017 5:20 pm
by 7224jobe
Same problem here...successful login attempts to admin web page (port 7071) from within the server.
In zimbra.log I see:


Apr 19 19:06:33 mail saslauthd[8160]: auth_zimbra: user1 auth OK
Apr 19 19:07:03 mail saslauthd[8161]: zmauth: authenticating against elected url 'https://mail.domain.com:7071/service/admin/soap/' ...
Apr 19 19:07:03 mail saslauthd[8161]: zmpost: url='https://mail.domain.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="20959"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_d1dd00e7eb79810aadaa9b5c4b3d97df8979b9e9_69643d33363a62343038346134362d333733362d346234342d626630642d34376562326531698755773b6578703d31333a31343932895423687393b76763d313a313b747970653d363a7a696d6272613b7469643d31303a9515669752444303b76657273696f6e3d31333a382e362e305f47415f313135333b</authToken><lifetime>172799998</lifetime><skin>serenity</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''


But user1 is not an administrator...

[zimbra@mail ~]$ zmcontrol -v
Release 8.6.0_GA_1153.RHEL6_64_20141215151155 RHEL6_64 FOSS edition, Patch 8.6.0_P7.