
Thread: Exploits/vulnerabilities

  1. #1
    Join Date
    Dec 2007
    Posts
    50
    Rep Power
    7

    Default Exploits/vulnerabilities

    I haven't spent a lot of time (yet) looking into this, but I wanted to ask the Zimbra community if anyone else has seen this type of activity with their Zimbra hosts.

    I am running a fairly new install of 4.0.5 and some of my users are getting their accounts hacked/changed and are sending large amounts of spam. I can find the accounts that have been compromised. The users' signature is turned on saying:

    "Attn: Winner

    Your e-mail address attached to the Batch N0:P2/0056/2008 with Serial
    number: 06/1055 drew,12-04-08 [5] [11] [13] [17] [14] [48] [25],
    which subsequently won you a prize in the category B. You have
    therefore been approved to claim a total sum of £1,500,000.00 (One
    Million ,Five Hundred Thousand Great British Pounds) in cash credited
    to file Ref N0: KPL/09-002/JA"

    Then under the Primary Account Settings the users' info has been changed. The From says "Mrs Rita Jones" and the Reply-To field is changed to "mrsriajones208@yahoo.co.uk".


    The kicker is that I'm still in the middle of converting our users from our old mail system to Zimbra.

    Has anybody else noticed this kind of activity? Any thoughts on how the info is getting changed inside of Zimbra?

  2. #2
    Join Date
    Mar 2006
    Location
    Beaucaire, France
    Posts
    2,322
    Rep Power
    13

    Default

    Quote Originally Posted by drhughes
    I am running a fairly new install of 4.0.5
    That's not "fairly new". Or maybe you meant 5.0.4 ?

    Quote Originally Posted by drhughes
    some of my users are getting their accounts hacked/changed
    Do you know how it got changed ? What does mailbox.log say ?

  3. #3
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    24

    Default

    You could also check
    Code:
    /opt/zimbra/log/audit.log
    look for entries like this
    Code:
    [ua=zclient/5.0.4_GA_2101.RHEL5;oip=XXX.XXX.XXX.XXX;] security - cmd=Auth; account=uxbod@xxxxxxx.xxxxx;
    to see where the potential hackers are coming from.

    If an account has been compromised perhaps a script kiddie is attempting a brute force attack on the login page ? Do you allow web connections from any IP ? Are you using complex passwords ? What ports are open on your firewall ?
    Last edited by uxbod; 04-15-2008 at 08:53 AM.
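An added example (not from uxbod's post and not Zimbra's own tooling) that automates the audit.log check above: it parses lines of the quoted shape, separates successful cmd=Auth entries from failed ones, lists for each account the login source IPs (oip) that fall outside the networks you trust, and lists external IPs that logged in as several different accounts, which is the pattern a defender looks for when one attacker is working through stolen credentials. The timestamp and thread-name prefix, the protocol= and error= fields, the sample addresses and the trusted network are constructed assumptions; adjust them to your own log format and address ranges.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample audit.log lines in the layout quoted in this thread.
# The "2008-04-15 ... [btpool0-N]" prefix and the protocol=/error= fields are
# assumptions about the surrounding log format; addresses are documentation ranges.
SAMPLE_AUDIT = """\
2008-04-15 08:01:02,100 INFO  [btpool0-7] [ua=zclient/5.0.4_GA_2101.RHEL5;oip=192.0.2.10;] security - cmd=Auth; account=alice@example.test; protocol=soap;
2008-04-15 08:03:41,220 INFO  [btpool0-9] [ua=zclient/5.0.4_GA_2101.RHEL5;oip=192.0.2.11;] security - cmd=Auth; account=bob@example.test; protocol=soap;
2008-04-15 08:10:05,431 INFO  [btpool0-3] [ua=zclient/5.0.4_GA_2101.RHEL5;oip=198.51.100.23;] security - cmd=Auth; account=bob@example.test; protocol=soap;
2008-04-15 08:10:09,002 INFO  [btpool0-3] [ua=zclient/5.0.4_GA_2101.RHEL5;oip=198.51.100.23;] security - cmd=Auth; account=carol@example.test; protocol=soap;
2008-04-15 08:12:55,780 INFO  [btpool0-5] [ua=zclient/5.0.4_GA_2101.RHEL5;oip=203.0.113.77;] security - cmd=Auth; account=bob@example.test; protocol=soap;
2008-04-15 08:13:00,000 INFO  [btpool0-5] [ua=zclient/5.0.4_GA_2101.RHEL5;oip=203.0.113.77;] security - cmd=Auth; account=bob@example.test; protocol=soap; error=authentication failed for bob@example.test;
"""

# The bracketed "[ua=...;oip=...;]" context block followed by "security - k=v; k=v;".
AUDIT_RE = re.compile(r"\[(?P<ctx>[^\]]*)\]\s+security\s+-\s+(?P<fields>.*)$")


def _kv(segment):
    """Split 'k=v;k=v;' into a dict; values may themselves contain '/' or '@'."""
    out = {}
    for part in segment.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def parse_audit_line(line):
    """Return the merged context + security fields of one line, or None."""
    match = AUDIT_RE.search(line)
    if not match:
        return None
    record = _kv(match.group("ctx"))
    record.update(_kv(match.group("fields")))
    return record


def auth_sources(lines):
    """Return (successes, failures): account -> {oip: count} for cmd=Auth."""
    successes = defaultdict(lambda: defaultdict(int))
    failures = defaultdict(lambda: defaultdict(int))
    for line in lines:
        record = parse_audit_line(line)
        if not record or record.get("cmd") != "Auth":
            continue
        account, oip = record.get("account"), record.get("oip")
        if not account or not oip:
            continue
        bucket = failures if "error" in record else successes
        bucket[account][oip] += 1
    return successes, failures


def _trusted(ip, nets):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable (e.g. a masked XXX placeholder) is never trusted
    return any(addr in net for net in nets)


def flag_accounts(lines, trusted_nets):
    """Accounts with at least one successful Auth from outside trusted_nets."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    successes, _ = auth_sources(lines)
    flagged = {}
    for account, ips in successes.items():
        foreign = sorted(ip for ip in ips if not _trusted(ip, nets))
        if foreign:
            flagged[account] = foreign
    return flagged


def shared_sources(lines, trusted_nets, min_accounts=2):
    """Untrusted IPs that successfully logged in as several different accounts."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    successes, _ = auth_sources(lines)
    by_ip = defaultdict(set)
    for account, ips in successes.items():
        for ip in ips:
            if not _trusted(ip, nets):
                by_ip[ip].add(account)
    return {ip: sorted(accts) for ip, accts in by_ip.items() if len(accts) >= min_accounts}


if __name__ == "__main__":
    # Real use: python3 audit_check.py < /opt/zimbra/log/audit.log
    import sys
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_AUDIT.splitlines()
    trusted = ["192.0.2.0/24"]  # constructed: your office / VPN ranges
    for account, ips in flag_accounts(lines, trusted).items():
        print("external logins:", account, ips)
    for ip, accounts in shared_sources(lines, trusted).items():
        print("one source, many accounts:", ip, accounts)
```

A failed Auth from an outside address is the brute-force signal uxbod mentions; a successful one from an address the user never works from, or one address succeeding as several users, is the sign that credentials have already been phished and should lead straight to a password reset and a review of that account's preferences.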

  4. #4
    Join Date
    Dec 2007
    Posts
    50
    Rep Power
    7

    Default

    We have strong passwords, I would be surprised if that was the problem. We also have a pretty tight firewall to the outside world, plus I have a local firewall on the server.

    In the audit log, it looks like the protocol used was SOAP.

  5. #5
    phoenix, Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58

    Default

    Quote Originally Posted by drhughes
    I am running a fairly new install of 4.0.5 and some of my users are getting their accounts hacked/changed and are sending large amount of spam.
    How are you determining this? Do you have any headers of this 'spam' that's been sent from your server?

    Quote Originally Posted by drhughes
    I can find the accounts that have be compromised. The users signature is turned on saying:
    Where are you checking this information?

    What ports or access to the server is available from the outside world? If there's no access then if what you say is correct it must be coming from inside. Tell us a bit more about your server, who uses it and how many accounts on it?
    Regards


    Bill



  6. #6
    Join Date
    Aug 2007
    Posts
    103
    Rep Power
    8

    Default

    Most of the email accounts that I see get "hacked" to send spam were victims of phishing attacks.
    I actually have been seeing this more often lately and the best thing to do is look for weird IPs in the audit.log and to grep through the output of zmprov gaa -v to look for weird reply-to addresses and forwarding addresses.
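An added example (not part of the post above and not a Zimbra utility) of the second check: walking the output of zmprov gaa -v and flagging accounts whose reply-to or forwarding address points outside the local domains, or whose enabled signature contains the sort of advance-fee wording quoted at the top of the thread. It assumes the zmprov output format of a "# name user@domain" header followed by "attribute: value" lines, and the attribute names zimbraPrefReplyToAddress, zimbraPrefMailForwardingAddress, zimbraMailForwardingAddress, zimbraPrefMailSignatureEnabled and zimbraPrefMailSignature; confirm both against your own installed version. The sample output, the local domain list and the keyword list are constructed.

```python
import sys
from collections import defaultdict

# Constructed sample of "zmprov gaa -v" output (header and attribute names assumed
# from 5.0.x; the reply-to value is the one reported in this thread).
SAMPLE_GAA = """\
# name alice@example.test
cn: alice
mail: alice@example.test
zimbraPrefFromDisplay: Alice Example
zimbraPrefMailSignatureEnabled: FALSE

# name bob@example.test
cn: bob
mail: bob@example.test
zimbraPrefFromDisplay: Mrs Rita Jones
zimbraPrefReplyToEnabled: TRUE
zimbraPrefReplyToAddress: mrsriajones208@yahoo.co.uk
zimbraPrefMailSignatureEnabled: TRUE
zimbraPrefMailSignature: Attn: Winner - your e-mail address won you a prize in category B, you have been approved to claim

# name carol@example.test
cn: carol
mail: carol@example.test
zimbraPrefMailForwardingAddress: carol@partner.example
zimbraMailAlias: c.example@example.test
"""

LOCAL_DOMAINS = {"example.test"}  # constructed: the domains this server hosts

# Attributes that redirect replies or copies of mail away from the mailbox.
FORWARD_ATTRS = (
    "zimbraPrefReplyToAddress",
    "zimbraPrefMailForwardingAddress",
    "zimbraMailForwardingAddress",
)

# Constructed heuristic drawn from the scam signature quoted in this thread.
SIGNATURE_KEYWORDS = ("winner", "prize", "claim", "lottery")


def parse_gaa(text):
    """account name -> {attribute: [values]} (multi-valued attributes repeat the key)."""
    accounts, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("# name "):
            current = line[len("# name "):].strip()
            accounts[current] = defaultdict(list)
        elif current and ": " in line:
            attr, value = line.split(": ", 1)
            accounts[current][attr].append(value)
    return accounts


def _off_domain(address, local_domains):
    return "@" in address and address.rsplit("@", 1)[1].lower() not in local_domains


def review_accounts(accounts, local_domains):
    """account name -> list of (attribute, evidence) worth a human look."""
    findings = {}
    for name, attrs in accounts.items():
        hits = []
        for attr in FORWARD_ATTRS:
            for value in attrs.get(attr, []):
                if _off_domain(value, local_domains):
                    hits.append((attr, value))
        enabled = attrs.get("zimbraPrefMailSignatureEnabled", ["FALSE"])[0].upper() == "TRUE"
        if enabled:
            for signature in attrs.get("zimbraPrefMailSignature", []):
                words = [w for w in SIGNATURE_KEYWORDS if w in signature.lower()]
                if words:
                    hits.append(("zimbraPrefMailSignature", ", ".join(words)))
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    # Real use, as the zimbra user: zmprov gaa -v | python3 review_prefs.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GAA
    for name, hits in review_accounts(parse_gaa(text), LOCAL_DOMAINS).items():
        for attr, evidence in hits:
            print(f"{name}\t{attr}\t{evidence}")
```

An off-domain forwarding address is not proof of compromise (carol's may be legitimate), so the script reports rather than resets; an account that combines a foreign reply-to with a "winner" signature, as in the thread, is the one to lock first.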

  7. #7
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    24

    Default

    Quote Originally Posted by drhughes
    In the audit log, it looks like the protocol used was SOAP.
    could you post an extract please ?

  8. #8
    Join Date
    Dec 2007
    Posts
    50
    Rep Power
    7

    Default

    Quote Originally Posted by uxbod
    You could also check
    Code:
    /opt/zimbra/log/audit.log
    look for entries like this
    Code:
    [ua=zclient/5.0.4_GA_2101.RHEL5;oip=XXX.XXX.XXX.XXX;] security - cmd=Auth; account=uxbod@xxxxxxx.xxxxx;
    to see where the potential hackers are coming from.

    If an account has been compromised perhaps a script kiddie is attempting a brute force attack on the login page ? Do you allow web connections from any IP ? Are you using complex passwords ? What ports are open on your firewall ?
    Quote Originally Posted by phoenix
    How are you determining this? Do you have any headers of this 'spam' that's been sent from your server?

    Where are you checking this information?

    What ports or access to the server is available from the outside world? If there's no access then if what you say is correct it must be coming from inside. Tell us a bit more about your server, who uses it and how many accounts on it?
    It came to my attention when I got notified by SpamCop, and just a little while ago our Support Center took a call from one of our users saying their message got rejected by Road Runner because we have been blacklisted.

    SpamCop had our zimbra server listed with the offending account ID. I'm in the middle of writing a script to walk our Zimbra server to check to see how many of these accounts are infected.

    As far as the firewall, I only allow ports 22, 25, 80, 110, 143, 443, 993, 995, 5222, 5223 and 7071. This firewall is iptables running directly on my Zimbra box. The outside firewall is the same except I do not allow 7071.

  9. #9
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    24

    Default

    Would you be so kind as to qualify what version of ZCS you are running please ?
    Code:
    su - zimbra
    zmcontrol -v
    Are you able to post an extract ? plus anything from your logfiles as well from strange IPs would be useful.

    Due to the nature of this thread, if running NE, it may be worth contacting support direct as well.

  10. #10
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    24

    Default

    Have you run a rootkit scanner over your server ?
