Serious problem exploits "brute force attack"
-
- Outstanding Member
- Posts: 284
- Joined: Sat Sep 13, 2014 1:55 am
- ZCS/ZD Version: 8.8.15_FOSS Patch38
Re: Serious problem exploits "brute force attack"
Installed patch 8 but no luck.
- jorgedlcruz
- Zimbra Alumni
- Posts: 2782
- Joined: Thu May 22, 2014 4:47 pm
Re: Serious problem exploits "brute force attack"
What do you see on mailbox.log or in auth.log?
Search the next:
cat /var/log/zimbra.log | grep sasl_method
-
- Outstanding Member
- Posts: 284
- Joined: Sat Sep 13, 2014 1:55 am
- ZCS/ZD Version: 8.8.15_FOSS Patch38
Re: Serious problem exploits "brute force attack"
Hello Jorge, thanks for your answer. A few hours ago I figured out what the problem was: the compromised user has 2 accounts on our server, on different domains; probably both accounts were hacked (they had the same password...), but I was closing and investigating only one of them. The domain part was missing in the zimbra.log lines (I saw only lots of logins for user.name, not user.name@domain1 or user.name@domain2), but I forgot that we have a default domain that does not require the domain part in the username to log in.
Changing the password on the secondary account blocked the spamming.
Only a note, since I investigated a lot because of this puzzling problem: the lines regarding the admin interface and port 7071 are normal! This post from Quanah explains it well: viewtopic.php?p=266783#p266783
But I did not find any documentation about this flow...only a few topics on this forum with scared people wondering why hackers got access to their web admin interface, which is blocked from the internet by a firewall...like I was. Hope re-posting this explanation will help!

Port 7071 is the port used by AUTH requests via SOAP. So when user X connects to port 465/587 to send email via Postfix, and they AUTH to do so, that generates a SOAP request TO port 7071 on their behalf to auth them. Trying to block port 7071 will only make it so NO ONE can send email via 465/587. Since the SOAP request is generated on the MTA that is why you see your SERVER IP.
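The pitfall described in this thread (a bare sasl_username in zimbra.log that silently belongs to the default domain, so a second account of the same person on another domain goes unnoticed) can be caught with a small log check. The following is an added example, not code from the thread or from Zimbra: it parses Postfix smtpd lines of the form `client=host[ip], sasl_method=..., sasl_username=...` (the lines the `grep sasl_method` above returns), maps bare usernames onto an assumed default domain, counts client IPs per account and lists sibling accounts that share the local part. The log lines and the default domain `domain1.example` are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the standard Postfix smtpd format (not taken from the thread).
SAMPLE_LOG = """\
Sep 20 10:01:02 mail postfix/submission/smtpd[1201]: 7A1B2C: client=unknown[203.0.113.10], sasl_method=LOGIN, sasl_username=user.name
Sep 20 10:01:09 mail postfix/submission/smtpd[1201]: 7A1B2D: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=user.name
Sep 20 10:01:15 mail postfix/submission/smtpd[1203]: 7A1B2E: client=unknown[192.0.2.44], sasl_method=PLAIN, sasl_username=user.name@domain2.example
Sep 20 10:01:21 mail postfix/submission/smtpd[1204]: 7A1B2F: client=unknown[203.0.113.10], sasl_method=PLAIN, sasl_username=user.name@domain2.example
Sep 20 10:02:03 mail postfix/submission/smtpd[1205]: 7A1B30: client=laptop.example[192.0.2.9], sasl_method=LOGIN, sasl_username=alice@domain1.example
"""

# Assumption: the server's default domain, which Zimbra lets users omit at login.
DEFAULT_DOMAIN = "domain1.example"

SASL_RE = re.compile(
    r"client=\S+\[(?P<ip>[^\]]+)\].*?sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+)"
)


def canonical_account(username, default_domain=DEFAULT_DOMAIN):
    """Return the full account name; a bare username means the default domain."""
    username = username.lower()
    if "@" in username:
        return username
    return f"{username}@{default_domain}"


def parse_sasl_logins(text, default_domain=DEFAULT_DOMAIN):
    """Return {account: {client_ip: count}} for every SASL-authenticated session."""
    logins = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = SASL_RE.search(line)
        if not m:
            continue
        account = canonical_account(m.group("user"), default_domain)
        logins[account][m.group("ip")] += 1
    return logins


def flag_suspicious(logins, max_ips=1):
    """Accounts that authenticated from more than max_ips distinct client IPs."""
    return sorted(acct for acct, ips in logins.items() if len(ips) > max_ips)


def related_accounts(logins, account):
    """Other accounts with the same local part, e.g. the same person on a second domain."""
    local = account.split("@")[0]
    return sorted(a for a in logins if a != account and a.split("@")[0] == local)


if __name__ == "__main__":
    logins = parse_sasl_logins(SAMPLE_LOG)
    for acct in flag_suspicious(logins):
        ips = ", ".join(f"{ip} x{n}" for ip, n in sorted(logins[acct].items()))
        print(f"{acct}: {ips}")
        for sibling in related_accounts(logins, acct):
            print(f"  also check: {sibling}")
```

Run it against `grep sasl_method /var/log/zimbra.log` output instead of the sample text and, when an account is flagged, reset the password on every sibling it lists, not just the one that appeared in the log with a domain part.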