Account hacked and sent spam, but the source address was accessing /service/admin/soap/

davidkillingsworth
Outstanding Member
Posts: 251
Joined: Sat Sep 13, 2014 2:26 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU14.64-Patch 24


Post by davidkillingsworth »

We have had a couple of cases in the last few days of an account getting hacked and someone sending thousands of spam messages.

We assumed these accounts were phished.

After looking at the access logs, I found that the source attacker address had also shown up in the /opt/zimbra/log/access_log.2023-01-05 file.

The entries look like this.

102.37.140.35 - - [05/Jan/2023:14:06:20 +0000] "POST /service/admin/soap/ HTTP/1.1" 200 636 "-" "-" 10
102.37.140.35 - - [05/Jan/2023:14:06:23 +0000] "POST /service/admin/soap/ HTTP/1.1" 200 632 "-" "-" 9
102.37.140.35 - - [05/Jan/2023:14:06:23 +0000] "POST /service/admin/soap/ HTTP/1.1" 200 630 "-" "-" 12
102.37.140.35 - - [05/Jan/2023:14:06:23 +0000] "POST /service/admin/soap/ HTTP/1.1" 200 636 "-" "-" 7
102.37.140.35 - - [05/Jan/2023:14:06:23 +0000] "POST /service/admin/soap/ HTTP/1.1" 200 630 "-" "-" 7
102.37.140.35 - - [05/Jan/2023:14:06:23 +0000] "POST /service/admin/soap/ HTTP/1.1" 200 632 "-" "-" 7
102.37.140.35 - - [05/Jan/2023:14:08:55 +0000] "POST /service/admin/soap/ HTTP/1.1" 200 632 "-" "-" 10
102.37.140.35 - - [05/Jan/2023:14:08:58 +0000] "POST /service/admin/soap/ HTTP/1.1" 200 636 "-" "-" 13
102.37.140.35 - - [05/Jan/2023:14:08:58 +0000] "POST /service/admin/soap/ HTTP/1.1" 200 632 "-" "-" 17
102.37.140.35 - - [05/Jan/2023:14:10:27 +0000] "POST /service/admin/soap/ HTTP/1.1" 200 630 "-" "-" 10
102.37.140.35 - - [05/Jan/2023:14:10:30 +0000] "POST /service/admin/soap/ HTTP/1.1" 200 636 "-" "-" 13
102.37.140.35 - - [05/Jan/2023:14:10:30 +0000] "POST /service/admin/soap/ HTTP/1.1" 200 636 "-" "-" 11
102.37.140.35 - - [05/Jan/2023:14:14:47 +0000] "POST /service/admin/soap/ HTTP/1.1" 200 636 "-" "-" 11
102.37.140.35 - - [05/Jan/2023:14:14:50 +0000] "POST /service/admin/soap/ HTTP/1.1" 200 636 "-" "-" 10
102.37.140.35 - - [05/Jan/2023:14:14:50 +0000] "POST /service/admin/soap/ HTTP/1.1" 200 632 "-" "-" 8
102.37.140.35 - - [05/Jan/2023:14:16:28 +0000] "POST /service/admin/soap/ HTTP/1.1" 200 636 "-" "-" 9
102.37.140.35 - - [05/Jan/2023:14:16:31 +0000] "POST /service/admin/soap/ HTTP/1.1" 200 632 "-" "-" 14
102.37.140.35 - - [05/Jan/2023:14:16:31 +0000] "POST /service/admin/soap/ HTTP/1.1" 200 636 "-" "-" 8
102.37.140.35 - - [05/Jan/2023:14:55:01 +0000] "POST /service/admin/soap/ HTTP/1.1" 200 636 "-" "-" 20
102.37.140.35 - - [05/Jan/2023:14:55:04 +0000] "POST /service/admin/soap/ HTTP/1.1" 200 632 "-" "-" 9
102.37.140.35 - - [05/Jan/2023:14:55:04 +0000] "POST /service/admin/soap/ HTTP/1.1" 200 632 "-" "-" 9
102.37.140.35 - - [05/Jan/2023:14:55:04 +0000] "POST /service/admin/soap/ HTTP/1.1" 200 636 "-" "-" 9
102.37.140.35 - - [05/Jan/2023:14:55:04 +0000] "POST /service/admin/soap/ HTTP/1.1" 200 632 "-" "-" 10
102.37.140.35 - - [05/Jan/2023:14:55:27 +0000] "POST /service/admin/soap/ HTTP/1.1" 200 636 "-" "-" 9
102.37.140.35 - - [05/Jan/2023:14:55:30 +0000] "POST /service/admin/soap/ HTTP/1.1" 200 636 "-" "-" 13
102.37.140.35 - - [05/Jan/2023:14:55:30 +0000] "POST /service/admin/soap/ HTTP/1.1" 200 632 "-" "-" 13
102.37.140.35 - - [05/Jan/2023:14:55:30 +0000] "POST /service/admin/soap/ HTTP/1.1" 200 636 "-" "-" 7
102.37.140.35 - - [05/Jan/2023:14:55:30 +0000] "POST /service/admin/soap/ HTTP/1.1" 200 630 "-" "-" 6


Our Zimbra server has a NAT'd public IP address and sits in a DMZ behind our firewall. We don't allow access to Zimbra admin ports from the public Internet.

I'm wondering if anyone knows what's going on here.

I guess the attacker could have just been probing the server on any known URL or ports.

This is the 3rd case of an account getting hacked in a week, which is very rare. We've been running this Zimbra server for about 12 years and we have a phished or hacked account about once a year, if that.

I'm wondering if there isn't some sort of vulnerability that is being utilized.

OS: Ubuntu 18.04.6 LTS
Zimbra: Release 8.8.15.GA.3829.UBUNTU14.64 UBUNTU18_64 FOSS edition, Patch 8.8.15_P36.

I'm pretty sure that we are fully patched.

Any insight, suggestions, or feedback would be greatly appreciated.
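A triage script for the situation described in the post, added here as an example; it is not code from the post or from Zimbra. It parses access_log lines in the format quoted above, groups successful POSTs to /service/admin/soap/ by source IP, flags sources outside an assumed list of allowed admin networks, records the response sizes (the only hint this log format gives of what the endpoint returned), and lists what else the same source requested so the admin SOAP hits can be lined up against the later AuthRequest/SendMsgRequest traffic of a compromised account. The sample lines, the allowed networks and the addresses (documentation ranges, not the IP from the post) are constructed; run it against /opt/zimbra/log/access_log* instead.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample in the mailboxd access_log format quoted in the post.
# 203.0.113.45 stands in for the attacker, 10.0.0.5 for a legitimate admin on
# the internal network, 198.51.100.7 for an ordinary mail user. One garbled
# line is included to show that unparseable lines are skipped, not fatal.
SAMPLE_LOG = """\
203.0.113.45 - - [05/Jan/2023:14:06:20 +0000] "POST /service/admin/soap/ HTTP/1.1" 200 636 "-" "-" 10
203.0.113.45 - - [05/Jan/2023:14:06:23 +0000] "POST /service/admin/soap/ HTTP/1.1" 200 632 "-" "-" 9
10.0.0.5 - - [05/Jan/2023:14:07:00 +0000] "POST /service/admin/soap/ HTTP/1.1" 200 1204 "-" "Mozilla/5.0" 15
198.51.100.7 - - [05/Jan/2023:14:09:11 +0000] "POST /service/soap/AuthRequest HTTP/1.1" 200 810 "-" "Thunderbird" 20
203.0.113.45 - - [05/Jan/2023:14:12:40 +0000] "POST /service/soap/SendMsgRequest HTTP/1.1" 200 512 "-" "-" 33
203.0.113.45 - - [05/Jan/2023:14:55:30 +0000] "POST /service/admin/soap/ HTTP/1.1" 200 630 "-" "-" 6
203.0.113.45 - - [05/Jan/2023:14:56:02 +0000] "POST /service/admin/soap/ HTTP/1.1" 500 412 "-" "-" 6
this line is garbage and must be skipped
"""

# Assumed networks from which admin SOAP traffic is expected; adjust per site.
ALLOWED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                      ipaddress.ip_network("192.168.0.0/16")]
ADMIN_SOAP_PATH = "/service/admin/soap"

# ip ident user [timestamp] "METHOD path proto" status size "referer" "ua" ms
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: (?P<ms>\d+))?\s*$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access_log line into a dict; None if it is not in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def is_allowed_admin_source(ip, allowed=ALLOWED_ADMIN_NETS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed)


def admin_soap_activity(log_text, allowed=ALLOWED_ADMIN_NETS):
    """Per source IP: count, first/last time, response sizes and blank-UA count
    of HTTP 200 POSTs to the admin SOAP endpoint. Non-200s are ignored."""
    acts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["status"] != 200:
            continue
        if not rec["path"].startswith(ADMIN_SOAP_PATH):
            continue
        a = acts.setdefault(rec["ip"], {
            "count": 0, "first": rec["ts"], "last": rec["ts"], "sizes": [],
            "blank_ua": 0, "allowed": is_allowed_admin_source(rec["ip"], allowed)})
        a["count"] += 1
        a["first"] = min(a["first"], rec["ts"])
        a["last"] = max(a["last"], rec["ts"])
        a["sizes"].append(rec["size"])
        if rec["ua"] == "-":
            a["blank_ua"] += 1
    return acts


def suspicious_admin_sources(log_text, allowed=ALLOWED_ADMIN_NETS):
    """IPs that got HTTP 200 from the admin SOAP endpoint from outside the
    allowed admin networks, most active first."""
    acts = admin_soap_activity(log_text, allowed)
    return sorted((ip for ip, a in acts.items() if not a["allowed"]),
                  key=lambda ip: -acts[ip]["count"])


def other_requests_from(log_text, ip):
    """Everything else the same source did, to tie the admin SOAP hits to the
    mail-side traffic (AuthRequest, SendMsgRequest, ...) of a hijacked account."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["ip"] == ip and not rec["path"].startswith(ADMIN_SOAP_PATH):
            out.append((rec["ts"], rec["method"], rec["path"], rec["status"]))
    return out


if __name__ == "__main__":
    acts = admin_soap_activity(SAMPLE_LOG)
    for ip in suspicious_admin_sources(SAMPLE_LOG):
        a = acts[ip]
        print(f"{ip}: {a['count']} admin SOAP 200s {a['first']:%H:%M:%S}-{a['last']:%H:%M:%S}, "
              f"sizes {sorted(set(a['sizes']))}, blank UA on {a['blank_ua']}")
        for ts, method, path, status in other_requests_from(SAMPLE_LOG, ip):
            print(f"    {ts:%H:%M:%S} {method} {path} {status}")
```

For a first look without the script, `grep 'POST /service/admin/soap/' /opt/zimbra/log/access_log* | awk '{print $1}' | sort | uniq -c | sort -rn` gives the per-IP counts. Two caveats when reading the result: this log format does not record which listener (the mail port or the admin port, 7071 by default) served the request, so a 200 on this path alone does not show whether the firewall rule for the admin port held; and the constant blank user agent plus the tight 3-second bursts are what distinguish scripted probing from an admin's browser session, not the path by itself.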