Today I found this thread while pursuing this situation, as I was keeping my eye on it.
I was attacked by the end of March. I found this situation by early April, during a casual maintenance on the server. At that date I didn't have any logs (due to log rotation), but in these last days my server has been touched again. So I could fetch more information and, when I had got almost all the info, I found this forum. I read all the messages, and I thought I could try to help.
My case is a Zimbra behind a relay, so the first step I took was to block all connections to/from the internet through my firewall, at least as soon as I had done all the investigation during these days.
I found more IP addresses, but I think those ones are not interesting, as they can vary from today to tomorrow. The ISPs have been notified... but this is not the first time I do notifications, so I have no expectation of being replied to at all.
My found IPs:
61.177.26.58 - China
159.69.81.117 - Germany. This is the <<account's creator>>
45.112.125.139 - Jakarta
185.234.217.185 - Trying to authenticate
185.234.218.228 - Trying to authenticate
...and calling-back home each 15 minutes:
185.106.120.123
185.106.120.124
185.99.133.75
185.244.150.154
It was funny to see that, after blocking these ones, they began to call each minute.
Fortunately, it doesn't seem to go further, but I will keep an eye on my system.
An interesting point that I didn't read here... all connections have been identified as coming from a Macintosh; Intel Mac OS X 10_8_2
Now, to reply to some posts:
maxxer wrote: I wrote some guidelines on the behaviour of the attack and how to clean zmcat....
Maxxer, thank you for your guide. I needed to follow the lines, as my Zimbra install differs a little bit.

maxxer wrote: Has anyone with recurring infections checked if the attacker uploaded a key to /opt/zimbra/.ssh/authorized_keys? Or if there are remote ssh logins for the zimbra user?
Not up to now... but on my (main) server I found connections each hour to ssh coming from the above-mentioned IP since the first attack, so I guess it's trying to do so.

JDunphy wrote: I am working on a few tools to help with some proactive detection based on log analysis and came across greynoise today which can provide some information about the reputation of connecting ip's...
JDunphy - If still interested, I have got all the data I found.
Now...time for my feared update to 8.8
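The call-home pattern described in the post (regular connections every 15 minutes to a fixed set of hosts, then every minute once those hosts are blocked) is something you can pick out of firewall logs mechanically. The script below is an added example, not code from the post, from Zimbra or from any of the posters: it takes the four callback IPs listed above as an IOC set, parses a constructed placeholder log format (`timestamp src=… dst=… action=…`, an assumption; adapt the regex to your own firewall or proxy logs), counts hits against the IOC list, and flags any (source, destination) pair whose connection intervals are too regular to be human. The sample log lines and the internal host 10.0.0.5 are constructed for the example.

```python
"""
IOC hit counting and beacon detection over constructed firewall log lines.

Added example for illustration; not code from the forum thread or from Zimbra.
The log format (ISO timestamp, src=, dst=, action=) is an assumed placeholder.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Destination hosts the post reports as "calling-back home" every 15 minutes.
CALLBACK_IOCS = {
    "185.106.120.123",
    "185.106.120.124",
    "185.99.133.75",
    "185.244.150.154",
}

# Assumed log line shape: "<ISO timestamp> src=<ip> dst=<ip> action=<allow|deny>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>\w+)$"
)

# Constructed sample: one internal host beaconing to an IOC every 15 minutes,
# ordinary irregular traffic to an unrelated host, a single hit on another IOC,
# and, after a block rule, denied attempts every minute to a second IOC.
SAMPLE_LOG = """
2019-04-10T00:00:00 src=10.0.0.5 dst=185.106.120.123 action=allow
2019-04-10T00:03:00 src=10.0.0.5 dst=93.184.216.34 action=allow
2019-04-10T00:07:00 src=10.0.0.5 dst=93.184.216.34 action=allow
2019-04-10T00:15:00 src=10.0.0.5 dst=185.106.120.123 action=allow
2019-04-10T00:30:00 src=10.0.0.5 dst=185.106.120.123 action=allow
2019-04-10T00:40:00 src=10.0.0.5 dst=93.184.216.34 action=allow
2019-04-10T00:41:00 src=10.0.0.5 dst=93.184.216.34 action=allow
2019-04-10T00:45:00 src=10.0.0.5 dst=185.106.120.123 action=allow
2019-04-10T00:50:00 src=10.0.0.5 dst=185.99.133.75 action=allow
2019-04-10T01:00:00 src=10.0.0.5 dst=185.106.120.123 action=allow
2019-04-10T01:10:00 src=10.0.0.5 dst=93.184.216.34 action=allow
this line is malformed and must be skipped
2019-04-10T01:20:00 src=10.0.0.5 dst=185.106.120.124 action=deny
2019-04-10T01:21:00 src=10.0.0.5 dst=185.106.120.124 action=deny
2019-04-10T01:22:00 src=10.0.0.5 dst=185.106.120.124 action=deny
2019-04-10T01:23:00 src=10.0.0.5 dst=185.106.120.124 action=deny
""".strip().splitlines()


def parse_lines(lines):
    """Yield (timestamp, src, dst, action) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], m["action"]


def ioc_hits(lines, iocs=CALLBACK_IOCS):
    """Return {dst_ip: number_of_connections} for destinations in the IOC set."""
    counts = defaultdict(int)
    for _, _, dst, _ in parse_lines(lines):
        if dst in iocs:
            counts[dst] += 1
    return dict(counts)


def beacon_candidates(lines, min_events=4, max_jitter_ratio=0.2):
    """
    Return {(src, dst): mean_interval_seconds} for pairs whose connection
    intervals are regular: at least min_events connections and a standard
    deviation of the gaps no larger than max_jitter_ratio * mean gap.
    Denied connections are counted too: a blocked beacon keeps beaconing.
    """
    stamps = defaultdict(list)
    for ts, src, dst, _ in parse_lines(lines):
        stamps[(src, dst)].append(ts)
    candidates = {}
    for key, times in stamps.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            candidates[key] = avg
    return candidates


if __name__ == "__main__":
    print("IOC hits:", ioc_hits(SAMPLE_LOG))
    for (src, dst), interval in beacon_candidates(SAMPLE_LOG).items():
        print(f"beacon candidate {src} -> {dst}: every {interval:.0f}s")
```

On the sample log this reports the 15-minute beacon to 185.106.120.123 and the one-minute retries to 185.106.120.124 after the block, while the irregular traffic to the unrelated host is ignored. The interval check is deliberately independent of the IOC list, so it also surfaces call-home hosts that are not yet on any blocklist; tune `min_events` and `max_jitter_ratio` to the noise level of your own logs.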