Serious problem exploits "brute force attack"

7224jobe
Outstanding Member
Posts: 284
Joined: Sat Sep 13, 2014 1:55 am
ZCS/ZD Version: 8.8.15_FOSS Patch38

Re: Serious problem exploits "brute force attack"

Post by 7224jobe »

Installed patch 8 but no luck.
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Re: Serious problem exploits "brute force attack"

Post by jorgedlcruz »

What do you see in mailbox.log or in auth.log?
Search for the following:


cat /var/log/zimbra.log | grep sasl_method
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
7224jobe
Outstanding Member
Posts: 284
Joined: Sat Sep 13, 2014 1:55 am
ZCS/ZD Version: 8.8.15_FOSS Patch38

Re: Serious problem exploits "brute force attack"

Post by 7224jobe »

Hello Jorge, thanks for your answer. A few hours ago I figured out what the problem was: the compromised user has 2 accounts on our server, on different domains; probably both accounts were hacked (they had the same password...), but I was closing and investigating only one of them. The domain part was missing in the zimbra.log lines (I saw only lots of logins for user.name, not user.name@domain1 or user.name@domain2), but I forgot that we have a default domain that does not require the domain part in the username to log in. :oops:
Changing the password on the secondary account blocked the spamming.

Only a note, since I investigated a lot because of this puzzling problem: the lines regarding the admin interface and port 7071 are normal! This post from Quanah explains it well: viewtopic.php?p=266783#p266783
Port 7071 is the port used by AUTH requests via SOAP. So when user X connects to port 465/587 to send email via Postfix, and they AUTH to do so, that generates a SOAP request TO port 7071 on their behalf to auth them. Trying to block port 7071 will only make it so NO ONE can send email via 465/587. Since the SOAP request is generated on the MTA, that is why you see your SERVER IP.
But I did not find any documentation about this flow...only a few topics on this forum with scared people wondering why hackers got access to their web admin interface, which is blocked from the internet by a firewall...like I was. :? Hope re-posting this explanation will help!
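An added example (not from this thread and not Zimbra's own tooling) that ties Jorge's sasl_method grep to 7224jobe's finding: it parses Postfix-style `client=..., sasl_method=..., sasl_username=...` lines, resolves a domainless username to the default domain the way the login did, and lists local parts that exist in more than one domain, which is exactly the case that was easy to miss here. The log lines, the default domain and the account list are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix's "client=..., sasl_method=..., sasl_username=..."
# format (the field Jorge suggests grepping for). IPs are documentation-range placeholders.
SAMPLE_LOG = """\
Mar 3 10:01:02 mail postfix/smtpd[2101]: 7A1B2C3D4E: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=user.name
Mar 3 10:01:05 mail postfix/smtpd[2101]: 7A1B2C3D4F: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=user.name
Mar 3 10:02:11 mail postfix/smtpd[2102]: 7A1B2C3D50: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=user.name@domain2.example
Mar 3 10:03:40 mail postfix/smtpd[2103]: 7A1B2C3D51: client=laptop.example[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@domain1.example
"""

# Hypothetical default domain and account inventory (constructed, not read from Zimbra).
DEFAULT_DOMAIN = "domain1.example"
KNOWN_ACCOUNTS = {"user.name@domain1.example", "user.name@domain2.example", "alice@domain1.example"}

SASL_RE = re.compile(
    r"client=(?P<host>\S+?)\[(?P<ip>[^\]]+)\],\s*sasl_method=(?P<method>\S+),\s*sasl_username=(?P<user>\S+)"
)

def parse_sasl_logins(text):
    """Yield (ip, method, username) for every line carrying a sasl_username field."""
    for line in text.splitlines():
        m = SASL_RE.search(line)
        if m:
            yield m.group("ip"), m.group("method"), m.group("user")

def resolve_account(username, default_domain=DEFAULT_DOMAIN):
    """A login without a domain part lands on the default domain's account."""
    return username if "@" in username else f"{username}@{default_domain}"

def summarize(text, known_accounts=KNOWN_ACCOUNTS, default_domain=DEFAULT_DOMAIN):
    """Return (logins per resolved account, accounts seen per source IP,
    local parts that exist in more than one domain)."""
    per_account = defaultdict(int)
    per_ip = defaultdict(set)
    for ip, _method, user in parse_sasl_logins(text):
        acct = resolve_account(user, default_domain)
        per_account[acct] += 1
        per_ip[ip].add(acct)
    local_parts = defaultdict(set)
    for acct in known_accounts:
        local, _, domain = acct.partition("@")
        local_parts[local].add(domain)
    # Any local part present in two domains deserves a password check on both accounts.
    ambiguous = {lp: sorted(ds) for lp, ds in local_parts.items() if len(ds) > 1}
    return dict(per_account), {ip: sorted(a) for ip, a in per_ip.items()}, ambiguous
```

Run it against the output of Jorge's grep instead of SAMPLE_LOG to get per-account counts that no longer hide which of the two same-named accounts is being used.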