Zimbra Proxy Refers to Wrong Upstream

imanudin11
Outstanding Member
Posts: 304
Joined: Sat Sep 13, 2014 2:23 am
ZCS/ZD Version: Release 8.8.15.GA.3829.UBUNTU16.64

Zimbra Proxy Refers to Wrong Upstream

Post by imanudin11 »

Hi All,
I use Zimbra OSE 8.8.15 on a single server. I see a strange log in nginx.log: the upstream server refers to the wrong host/server, especially for POPS and IMAPS connections. Below is my system:


OS : CentOS Linux release 7.8.2003 (Core)
Zimbra : Release 8.8.15_GA_3869.RHEL7_64_20190917004220 RHEL7_64 FOSS edition, Patch 8.8.15_P14
IP Address : 192.198.3.210
And below is the strange log entry from nginx.log:


2021/06/05 03:01:34 [info] 16642#0: *2616562 proxied session done, client: 123.xx.xx.xx:57782, server: 0.0.0.0:995, login: "user.xxxx@xxxxxxx.com", upstream: 31.7.62.81:7995 (123.xx.xx.xx:57782->192.198.3.210:995) <=> (192.198.3.210:36054->31.7.62.81:7995)
The upstream refers to 31.7.62.81:7995. I tried checking this IP 31.7.62.81 using Nmap, and ports 80, 993, 995, 7993 and 7995 are open.


Nmap scan report for 31.7.62.81
Host is up (0.12s latency).

PORT     STATE  SERVICE
80/tcp   open   http
443/tcp  closed https
993/tcp  open   imaps
995/tcp  open   pop3s
7993/tcp open   unknown
7995/tcp open   unknown
8080/tcp closed http-proxy
8443/tcp closed https-alt
POP and IMAP connections from the email client are working fine, although the upstream connects to this IP 31.7.62.81. However, I'm worried that there is an intercept on this server 31.7.62.81.

What I'm doing right now is:

- Block connections from and to this IP 31.7.62.81
- Purge the routes with this command: /opt/zimbra/libexec/zmproxypurge

I have more than 3 servers that have similar problems. All upstreams refer to 31.7.62.81.
cirrus
Posts: 2
Joined: Sun May 10, 2020 1:06 am

Re: Zimbra Proxy Refers to Wrong Upstream

Post by cirrus »

Imanudin, have you diagnosed the problem? I see something similar on one of our systems. The IP of the upstream server is different: 45.14.227.108, but the rest is the same. If it is some kind of exploit, it would allow the third party (45.14.227.108) to eavesdrop on the credentials used, so it seems to be potentially very dangerous. The connections disappear after restarting Zimbra, but after some time they appear again.
imanudin11
Outstanding Member
Posts: 304
Joined: Sat Sep 13, 2014 2:23 am
ZCS/ZD Version: Release 8.8.15.GA.3829.UBUNTU16.64

Re: Zimbra Proxy Refers to Wrong Upstream

Post by imanudin11 »

cirrus wrote: Imanudin, have you diagnosed the problem? I see something similar on one of our systems. The IP of the upstream server is different: 45.14.227.108, but the rest is the same. If it is some kind of exploit, it would allow the third party (45.14.227.108) to eavesdrop on the credentials used, so it seems to be potentially very dangerous. The connections disappear after restarting Zimbra, but after some time they appear again.
Hi,
I also get that IP on my client's server. What I do now is apply this method: https://wiki.zimbra.com/wiki/Blocking_Memcached_Attack
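A detection check that fits what both posters describe, added here as an example and not part of either poster's setup or of Zimbra itself: it parses the nginx.log "proxied session done" lines and flags every session whose upstream host is not one of the server's own mailstore addresses. The allow-list and the second sample log line are constructed; the first sample line is the entry quoted in the thread.

```python
import re
from typing import Iterable, Optional

# Zimbra nginx proxy log line for a finished proxied session (format taken from the
# log quoted in the thread); only the fields needed for the check are captured.
PROXIED_SESSION = re.compile(
    r'^(?P<ts>\S+ \S+) \[\w+\] .*?proxied session done, '
    r'client: (?P<client>\S+), server: (?P<server>\S+), '
    r'login: "(?P<login>[^"]*)", '
    r'upstream: (?P<up_host>[0-9.]+):(?P<up_port>\d+)'
)

def parse_proxy_line(line: str) -> Optional[dict]:
    """Return the session fields of a 'proxied session done' line, or None."""
    m = PROXIED_SESSION.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["up_port"] = int(rec["up_port"])
    return rec

def find_rogue_upstreams(lines: Iterable[str], allowed_hosts: set[str]) -> list[dict]:
    """Flag every proxied session whose upstream host is not a known mailstore."""
    return [
        rec for rec in map(parse_proxy_line, lines)
        if rec is not None and rec["up_host"] not in allowed_hosts
    ]

# Constructed sample: the first line reproduces the entry quoted in the thread,
# the second is a made-up normal session to the server's own mailstore.
SAMPLE_LOG = [
    '2021/06/05 03:01:34 [info] 16642#0: *2616562 proxied session done, '
    'client: 123.xx.xx.xx:57782, server: 0.0.0.0:995, login: "user.xxxx@xxxxxxx.com", '
    'upstream: 31.7.62.81:7995 (123.xx.xx.xx:57782->192.198.3.210:995) '
    '<=> (192.198.3.210:36054->31.7.62.81:7995)',
    '2021/06/05 03:02:10 [info] 16642#0: *2616570 proxied session done, '
    'client: 10.0.0.5:50211, server: 0.0.0.0:993, login: "user.two@example.com", '
    'upstream: 192.198.3.210:7993 (10.0.0.5:50211->192.198.3.210:993) '
    '<=> (192.198.3.210:36060->192.198.3.210:7993)',
]

# On a single-server install the only legitimate upstream is the server itself
# (assumed allow-list; a multi-server install lists every mailstore address).
KNOWN_MAILSTORES = {"192.198.3.210"}

if __name__ == "__main__":
    for hit in find_rogue_upstreams(SAMPLE_LOG, KNOWN_MAILSTORES):
        print(f'{hit["ts"]} {hit["login"]} -> {hit["up_host"]}:{hit["up_port"]}')
```

Running it over the real /opt/zimbra/log/nginx.log after zmproxypurge shows whether the poisoned route comes back, which is the recurrence cirrus reports.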