
Thread: zimbra mail hacked

  1. #1 (Join Date: May 2008, Posts: 25, Rep Power: 7)

    zimbra mail hacked

    Hello, I got tons of deferred emails from different domains. Someone was spamming via my mail server, or trying to spam. As a result my mail server is blocked by several spam lists.
    How can I check who that was and how my server was accessed? Was Zimbra hacked, or was it the OS? How can I stop it?

  2. #2 (Join Date: Mar 2006, Posts: 300, Rep Power: 9)

    If it was hacked it would probably have been due to a weak password, or
    you have it as an open relay. Do you notice any particular account that the
    email seems to be coming from? Look at the spam carefully, they may not have
    used your server at all.

  3. #3 (Join Date: May 2008, Posts: 25, Rep Power: 7)

    Here's a part of the log file. I have no idea what usbank-email.com and olympus.net are or how they appeared here. I tested my server; it looks like it's not an open relay.

    DC1E749C0815: from=<U_S_BankAlerts.6tqrd7p6h.fpyk@cs.usbank-email.com>, size=6194, nrcpt=1 (queue active)
    Dec 8 11:53:37 mail postfix/qmgr[5055]: D6C1049C0523: from=<alerts@cs.usbank-email.com>, size=5041, nrcpt=1 (queue active)
    Dec 8 11:53:37 mail postfix/qmgr[5055]: D6C1049C0523: to=<jccthrift@juno.com>, relay=none, delay=97104, delays=97104/0/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.dca.untd.com[64.136.44.37] refused to talk to me: 550 Access denied...27f595502da9a1a1b935fd35b4546d543540ddb5c 121f46d456deddd40214521c45d5d...)
    Dec 8 11:53:37 mail postfix/qmgr[5055]: D792049C0520: from=<alerts@cs.usbank-email.com>, size=5056, nrcpt=1 (queue active)
    Dec 8 11:53:37 mail postfix/qmgr[5055]: 878CD49C0413: from=<alerts@cs.usbank-email.com>, size=5069, nrcpt=1 (queue active)

    DC1E749C0815: host mx.dca.untd.com[64.136.44.37] refused to talk to me: 550 Access denied...5089250c0c8d68689185f985583d9958ed357cdcc 91131ed28ed057cb9112811bca8a8...
    Dec 8 11:53:38 mail postfix/qmgr[5055]: B725449C028A: from=<alerts@cs.usbank-email.com>, size=5046, nrcpt=1 (queue active)
    Dec 8 11:53:38 mail postfix/qmgr[5055]: 1BF8349C0296: from=<alerts@cs.usbank-email.com>, size=5072, nrcpt=1 (queue active)
    Dec 8 11:53:38 mail postfix/qmgr[5055]: 11DDE49C054A: from=<alerts@cs.usbank-email.com>, size=5050, nrcpt=1 (queue active)
    Dec 8 11:53:38 mail postfix/qmgr[5055]: 068AA49C081E: from=<U_S_BankAlerts.6tqrd7p6h.fpyk@cs.usbank-email.com>, size=6176, nrcpt=1 (queue active)
    Dec 8 11:53:38 mail postfix/qmgr[5055]: 0EA4149C081B: from=<U_S_BankAlerts.6tqrd7p6h.fpyk@cs.usbank-email.com>, size=6224, nrcpt=1 (queue active)
    Dec 8 11:53:38 mail postfix/qmgr[5055]: 02FF849C029C: from=<U_S_BankAlerts.6tqrd7p6h.fpyk@cs.usbank-email.com>, size=6234, nrcpt=1 (queue active)

    B211049C0012: to=<greenhornet65613@olympus.net>, relay=mx1.olympus.net[65.117.224.91]:25, delay=134840, delays=134834/0.21/5.2/0.32, dsn=4.0.0, status=deferred (host mx1.olympus.net[65.117.224.91] said: 451 Sender verify failed (in reply to RCPT TO command))
    Dec 8 11:53:43 mail postfix/smtp[6575]: ACB1549C0015: to=<kennyziplock_@olympus.net>, relay=mx1.olympus.net[65.117.224.91]:25, delay=134746, delays=134740/0.13/5.2/0.55, dsn=4.0.0, status=deferred (host mx1.olympus.net[65.117.224.91] said: 451 Sender verify failed (in reply to RCPT TO command))
    Dec 8 11:53:43 mail postfix/smtp[6579]: 618E849C0010: to=<foxy555@olympus.net>, relay=mx1.olympus.net[65.117.224.91]:25, delay=134867, delays=134862/0.14/5.2/0.49, dsn=4.0.0, status=deferred (host mx1.olympus.net[65.117.224.91] said: 451 Sender verify failed (in reply to RCPT TO command))
    Dec 8 11:53:43 mail postfix/smtp[6605]: 27AC049C0013: to=<hodorovs@olympus.net>, relay=mx1.olympus.net[65.117.224.91]:25, delay=134811, delays=134805/0.21/5.2/0.27, dsn=4.0.0, status=deferred (host mx1.olympus.net[65.117.224.91] said: 451 Sender verify failed (in reply to RCPT TO command))
    Last edited by extremal; 12-08-2008 at 03:23 PM.
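The excerpt above mixes qmgr "from=<...>" lines (what entered the queue) with "to=<...> ... status=deferred" lines (why the remote MX refused it). Grouping those by envelope sender domain, recipient domain and reply code shows at a glance whether the queue is full of mail for a domain the server does not host. This is an added example, not code from the thread or from Zimbra; the sample lines are constructed in the style of the poster's excerpt (same sender domain and relays, synthetic queue IDs, plus one ordinary delivered message for contrast), and `myserver.com` stands in for the poster's own domain.

```python
"""Triage of Postfix qmgr/smtp log lines: which envelope senders are in the
queue, where the mail is going, and why it is deferred. Added example."""
import re
from collections import Counter

# Constructed sample, modelled on the excerpt posted in the thread.
SAMPLE_LOG = """\
Dec 8 11:53:37 mail postfix/qmgr[5055]: D6C1049C0523: from=<alerts@cs.usbank-email.com>, size=5041, nrcpt=1 (queue active)
Dec 8 11:53:37 mail postfix/qmgr[5055]: D6C1049C0523: to=<jccthrift@juno.com>, relay=none, delay=97104, delays=97104/0/0/0, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mx.dca.untd.com[64.136.44.37] refused to talk to me: 550 Access denied...)
Dec 8 11:53:38 mail postfix/qmgr[5055]: 068AA49C081E: from=<U_S_BankAlerts.6tqrd7p6h.fpyk@cs.usbank-email.com>, size=6176, nrcpt=1 (queue active)
Dec 8 11:53:43 mail postfix/smtp[6575]: ACB1549C0015: to=<kennyziplock_@olympus.net>, relay=mx1.olympus.net[65.117.224.91]:25, delay=134746, delays=134740/0.13/5.2/0.55, dsn=4.0.0, status=deferred (host mx1.olympus.net[65.117.224.91] said: 451 Sender verify failed (in reply to RCPT TO command))
Dec 8 11:53:43 mail postfix/smtp[6579]: 618E849C0010: to=<foxy555@olympus.net>, relay=mx1.olympus.net[65.117.224.91]:25, delay=134867, delays=134862/0.14/5.2/0.49, dsn=4.0.0, status=deferred (host mx1.olympus.net[65.117.224.91] said: 451 Sender verify failed (in reply to RCPT TO command))
Dec 8 11:53:50 mail postfix/smtp[6580]: 618E849C0011: to=<bob@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=1.2, delays=0.1/0.2/0.5/0.4, dsn=2.0.0, status=sent (250 OK)
"""

LINE_RE = re.compile(r"postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$")
FROM_RE = re.compile(r"from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"to=<(?P<addr>[^>]*)>")
STATUS_RE = re.compile(r"status=(?P<status>\w+) \((?P<reason>.*)\)$")
# First SMTP reply code (2xx/4xx/5xx) followed by a few words of reply text.
REPLY_RE = re.compile(r"\b(?P<code>[245]\d{2})\s+(?P<text>[A-Za-z ]{1,40})")


def domain_of(addr):
    """Envelope address -> domain; the null sender <> is reported as '<>'."""
    return addr.rpartition("@")[2].lower() if "@" in addr else "<>"


def summarize_reason(reason):
    """Collapse a remote MX's reply to 'code short text' so similar refusals group together."""
    m = REPLY_RE.search(reason)
    return f"{m.group('code')} {m.group('text').strip()}" if m else "other"


def triage(log_text, local_domains):
    """Aggregate queue activity; local_domains are the domains this server hosts."""
    senders = Counter()           # envelope sender domain -> messages entering the queue
    statuses = Counter()          # sent / deferred / bounced ...
    deferred_reasons = Counter()  # why the remote side refused
    deferred_rcpt_domains = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rest = m.group("rest")
        fm = FROM_RE.search(rest)
        if fm:
            senders[domain_of(fm.group("addr"))] += 1
            continue
        sm = STATUS_RE.search(rest)
        if not sm:
            continue
        status = sm.group("status")
        statuses[status] += 1
        if status == "deferred":
            deferred_reasons[summarize_reason(sm.group("reason"))] += 1
            tm = TO_RE.search(rest)
            if tm:
                deferred_rcpt_domains[domain_of(tm.group("addr"))] += 1
    # Envelope senders this server does not host: either forged at injection
    # time on this box, or the queue is carrying backscatter from a forgery elsewhere.
    foreign = sorted(d for d in senders if d not in local_domains and d != "<>")
    return {
        "sender_domains": senders,
        "status_counts": statuses,
        "deferred_reasons": deferred_reasons,
        "deferred_recipient_domains": deferred_rcpt_domains,
        "foreign_sender_domains": foreign,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, local_domains={"myserver.com"})
    for key, value in result.items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Run it against the real `/var/log/maillog` (or `/var/log/zimbra.log`) instead of the sample; a large `foreign_sender_domains` list with `451`/`550` refusals is the pattern the poster is seeing, and the next question is whether those messages were injected here or only bounced back here.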

  4. #4 (Join Date: Aug 2007, Location: Chicago Area, USA, Posts: 189, Rep Power: 8)

    Hacked? It's got to be a software or OS problem, and not your setup? How did you draw that conclusion?

    Without knowing your network setup... are you behind a firewall? What ports do you have open to your server? Is your server shared with any other apps? Is your SSH secure? etc.....

    More of your logs than just 15 lines

    EDIT: OS type and version and Zimbra version? Sounds like something you might want to work with support on. They will probably want to either SSH to your machine and/or have you send them configuration files.
    Last edited by bradb21; 12-08-2008 at 07:52 PM.
    Release 6.0.2_GA_1912.UBUNTU8_64 UBUNTU8_64 NETWORK edition + Mobile Option
    Activesync with Moto Q9C, HTC Touch Pro, Palm Pro, & Palm Pre

  5. #5 (Join Date: May 2008, Posts: 25, Rep Power: 7)

    By saying hacked I mean that someone has access to the mail server and somehow got the ability to send emails using it.

    Starting Nmap 4.11 ( Nmap - Free Security Scanner For Network Exploration & Security Audits. ) at 2008-12-09 01:44 EST
    Interesting ports on localhost.localdomain (127.0.0.1):
    Not shown: 1662 closed ports
    PORT STATE SERVICE
    21/tcp open ftp
    22/tcp open ssh
    53/tcp open domain
    80/tcp open http
    110/tcp open pop3
    111/tcp open rpcbind
    143/tcp open imap
    199/tcp open smux
    443/tcp open https
    444/tcp open snpp
    465/tcp open smtps
    631/tcp open ipp
    815/tcp open unknown what's this??
    953/tcp open rndc
    993/tcp open imaps
    995/tcp open pop3s
    3306/tcp open mysql
    10000/tcp open snet-sensor-mgmt

    How can I check SSH security status?

    [zimbra@mail ~]$ zmcontrol -v


    Release 5.0.5_GA_2201.RHEL5_20080417012110 CentOS5 FOSS edition

    OS - CentOS release 5.2 (Final)


    Sorry, the attached file is very big; I replaced my server name and my IP address there with myserver.com and my.ip.add.ress.

  6. #6 (Join Date: Nov 2006, Location: UK, Posts: 8,017, Rep Power: 25)

    Check /var/log/secure and see which accounts have accessed your system. You can also check /opt/zimbra/log/audit.log to see what Zimbra accounts have been accessed.

    If you do feel your server has been compromised you should look at getting a rootkit discovery tool as well, e.g. Rootkit.nl - Protect your machine
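For the /var/log/secure check suggested above, what matters is not only which accounts logged in but whether a burst of failed passwords from one address ended in an "Accepted" line. This is an added example, not code from the thread; the log lines are constructed in the standard OpenSSH format (`Accepted password for root from ...`, `Failed password for invalid user admin from ...`) and the addresses are documentation ranges. The same approach applies to Zimbra's audit.log once its line format is known, but that format is not shown in the thread, so only sshd is parsed here.

```python
"""Triage of sshd entries from /var/log/secure: which accounts logged in, from
where and by which method, and whether a run of failures from one address
ended in an accepted login. Added example with constructed log lines."""
import re
from collections import Counter, defaultdict

# Constructed sample in OpenSSH's syslog format.
SAMPLE_SECURE = """\
Dec  9 02:58:11 mail sshd[2100]: Accepted publickey for zimbra from 192.0.2.20 port 33000 ssh2
Dec  9 03:12:01 mail sshd[2231]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Dec  9 03:12:02 mail sshd[2231]: Failed password for invalid user oracle from 198.51.100.7 port 51235 ssh2
Dec  9 03:12:03 mail sshd[2233]: Failed password for root from 198.51.100.7 port 51236 ssh2
Dec  9 03:12:04 mail sshd[2235]: Failed password for root from 198.51.100.7 port 51237 ssh2
Dec  9 03:12:09 mail sshd[2240]: Accepted password for root from 198.51.100.7 port 51240 ssh2
Dec  9 03:20:00 mail sshd[2300]: Failed password for postgres from 203.0.113.9 port 40000 ssh2
"""

SSH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def triage_sshd(log_text, failure_threshold=3):
    """Walk the log in order so failures are counted before the login they precede."""
    failures_by_ip = Counter()
    failed_users_by_ip = defaultdict(set)
    accepted = []              # (user, ip, method) in log order
    root_password_logins = []  # addresses that got root with a password
    brute_force_success = []   # (ip, user, failures seen from ip before success)
    for line in log_text.splitlines():
        m = SSH_RE.search(line)
        if not m:
            continue
        user, ip, method = m.group("user"), m.group("ip"), m.group("method")
        if m.group("result") == "Failed":
            failures_by_ip[ip] += 1
            failed_users_by_ip[ip].add(user)
            continue
        accepted.append((user, ip, method))
        if user == "root" and method == "password":
            root_password_logins.append(ip)
        # Counter returns 0 for unseen addresses without inserting them.
        if failures_by_ip[ip] >= failure_threshold:
            brute_force_success.append((ip, user, failures_by_ip[ip]))
    return {
        "accepted": accepted,
        "failures_by_ip": failures_by_ip,
        "failed_users_by_ip": {ip: sorted(u) for ip, u in failed_users_by_ip.items()},
        "root_password_logins": root_password_logins,
        "brute_force_success": brute_force_success,
    }


if __name__ == "__main__":
    report = triage_sshd(SAMPLE_SECURE)
    print("logins:", report["accepted"])
    print("root password logins from:", report["root_password_logins"])
    print("failures then success:", report["brute_force_success"])
```

The `brute_force_success` entries are the ones to act on first: an address that guessed several usernames and then got in with a password is exactly the case the rkhunter warning about `PermitRootLogin` later in the thread is about. Note that /var/log/secure is only as trustworthy as the host; if the box is suspected of being rooted, read a copy from backups or a remote syslog target rather than the live file.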

  7. #7 (Join Date: May 2008, Posts: 25, Rep Power: 7)

    Thanks for the reply. I checked the audit and secure log files and I didn't find any problems.
    Now I am going to check the server with a rootkit discovery tool.

  8. #8 (Join Date: May 2008, Posts: 25, Rep Power: 7)

    Only some warnings were found.

    [03:47:05] Performing group and account checks
    [03:47:05] Info: Starting test name 'group_accounts'
    [03:47:05] Checking for passwd file [ Found ]
    [03:47:05] Info: Found password file: /etc/passwd
    [03:47:05] Checking for root equivalent (UID 0) accounts [ None found ]
    [03:47:05] Info: Found shadow file: /etc/shadow
    [03:47:05] Checking for passwordless accounts [ Warning ]
    [03:47:05] Warning: Found passwordless account: zimbra
    [03:47:05] Info: Starting test name 'passwd_changes'
    [03:47:05] Checking for passwd file changes [ None found ]
    [03:47:05] Info: Starting test name 'group_changes'
    [03:47:05] Checking for group file changes [ None found ]
    [03:47:05] Checking root account shell history files [ OK ]
    [03:47:05]
    [03:47:05] Performing system configuration file checks
    [03:47:05] Info: Starting test name 'system_configs'
    [03:47:05] Checking for SSH configuration file [ Found ]
    [03:47:05] Info: Found SSH configuration file: /etc/ssh/sshd_config
    [03:47:05] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
    [03:47:05] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
    [03:47:05] Checking if SSH root access is allowed [ Warning ]
    [03:47:05] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
    The default value may be 'yes', to allow root access.
    [03:47:05] Checking if SSH protocol v1 is allowed [ Not allowed ]
    [03:47:05] Checking for running syslog daemon [ Found ]
    [03:47:05] Checking for syslog configuration file [ Found ]
    [03:47:05] Info: Found syslog configuration file: /etc/syslog.conf
    [03:47:05] Checking if syslog remote logging is allowed [ Warning ]
    [03:47:05] Warning: Syslog configuration file allows remote logging: mail.* @myserver.com
    [03:47:05]
    [03:47:05] Performing filesystem checks
    [03:47:06] Info: Starting test name 'filesystem'
    [03:47:06] Info: SCAN_MODE_DEV set to 'THOROUGH'
    [03:47:06] Checking /dev for suspicious file types [ None found ]
    [03:47:06] Checking for hidden files and directories [ Warning ]
    [03:47:06] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
    [03:47:29]
    [03:47:29] Checking application versions...
    [03:47:29] Info: Starting test name 'apps'
    [03:47:30] Info: Application 'exim' not found.
    [03:47:30] Checking version of GnuPG [ OK ]
    [03:47:30] Info: Application 'gpg' version '1.4.5' found.
    [03:47:30] Checking version of Apache [ OK ]
    [03:47:30] Info: Application 'httpd' version '2.2.3' found.
    [03:47:30] Checking version of Bind DNS [ OK ]
    [03:47:30] Info: Application 'named' version '9.3.4' found.
    [03:47:30] Checking version of OpenSSL [ OK ]
    [03:47:30] Info: Application 'openssl' version '0.9.8b' found.
    [03:47:30] Checking version of PHP [ OK ]
    [03:47:30] Info: Application 'php' version '5.1.6' found.
    [03:47:30] Checking version of Procmail MTA [ OK ]
    [03:47:30] Info: Application 'procmail' version '3.22' found.
    [03:47:30] Checking version of ProFTPd [ OK ]
    [03:47:30] Info: Application 'proftpd' version '1.3.1' found.
    [03:47:30] Checking version of OpenSSH [ OK ]
    [03:47:30] Info: Application 'sshd' version '4.3p2' found.
    [03:47:30] Info: Applications checked: 8 out of 9
    [03:47:30]
    [03:47:30] System checks summary
    [03:47:30] =====================
    [03:47:30]
    [03:47:30] File properties checks...
    [03:47:30] Required commands check failed
    [03:47:30] Files checked: 131
    [03:47:30] Suspect files: 6
    [03:47:30]
    [03:47:30] Rootkit checks...
    [03:47:30] Rootkits checked : 114
    [03:47:30] Possible rootkits: 0
    [03:47:30]
    [03:47:30] Applications checks...
    [03:47:30] Applications checked: 8
    [03:47:31] Suspect applications: 0
    [03:47:31]
    [03:47:31] The system checks took: 1 minute and 9 seconds
    [03:47:31]
    [03:47:31] Info: End date is Tue Dec 9 03:47:31 EST 2008

  9. #9 (Join Date: Mar 2007, Posts: 27, Rep Power: 8)

    Before you go totally crazy, have you checked the header info of the returned e-mail to make sure the original sending server is your server's IP address?

    I have customers that constantly have their domain names stolen by companies in Europe, using only their domain name with an unknown e-mail name for the sending & return address, but using their own temporary mailing server. Then all the bounced-back e-mail ends up on their server and other servers blacklist their domain name instead of the IP address.
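The header check described above can be automated: take the original message returned inside the bounce and walk its Received: chain bottom-up. If none of the hops names your server, the spam was injected elsewhere with a forged envelope and your domain is only receiving the backscatter; if a hop was written by your server "with ESMTPA" (Postfix's marker for an SMTP AUTH submission), a mailbox password on your server is being used. This is an added example, not code from the thread or from Zimbra; `mail.myserver.com` and `192.0.2.25` are assumed placeholders for the poster's server, and both sample messages are constructed.

```python
"""Classify a bounced message by whether its Received: chain shows it passing
through our server, and if so whether it was submitted with SMTP AUTH.
Added example; server identity and both messages are constructed."""
import email
import re

MY_HOSTS = {"mail.myserver.com"}  # assumed placeholder for the poster's hostname
MY_IPS = {"192.0.2.25"}           # assumed placeholder for the poster's address

# Constructed: a message really submitted to our Postfix with SMTP AUTH
# (Postfix records 'with ESMTPA' for authenticated submissions), then relayed on.
SAMPLE_VIA_OUR_SERVER = """\
Return-Path: <alerts@cs.usbank-email.com>
Received: from mail.myserver.com (mail.myserver.com [192.0.2.25])
    by mx1.olympus.net (Postfix) with ESMTP id 222BBB
    for <foxy555@olympus.net>; Mon, 8 Dec 2008 10:00:01 -0500
Received: from [198.51.100.7] (unknown [198.51.100.7])
    by mail.myserver.com (Postfix) with ESMTPA id 333CCC
    for <foxy555@olympus.net>; Mon, 8 Dec 2008 09:59:58 -0500
From: alerts@cs.usbank-email.com
To: foxy555@olympus.net
Subject: constructed sample

body
"""

# Constructed: same envelope sender, but delivered straight to the recipient's
# MX from somewhere else; our server never saw it (the backscatter case).
SAMPLE_FORGED_ELSEWHERE = """\
Return-Path: <alerts@cs.usbank-email.com>
Received: from cs.usbank-email.com (unknown [203.0.113.44])
    by mx1.olympus.net (Postfix) with ESMTP id 444DDD
    for <foxy555@olympus.net>; Mon, 8 Dec 2008 10:00:01 -0500
From: alerts@cs.usbank-email.com
To: foxy555@olympus.net
Subject: constructed sample

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^from (?P<host>\S+)(?: \((?P<info>[^)]*)\))?")
BY_RE = re.compile(r"\bby (?P<host>\S+)")
WITH_RE = re.compile(r"\bwith (?P<proto>\S+)")
AUTHENTICATED = {"ESMTPA", "ESMTPSA", "SMTPA"}  # Postfix protocol names for SMTP AUTH submissions


def parse_received(value):
    """One Received: header -> from host/IP, 'by' host and transport keyword."""
    text = " ".join(value.split())  # undo header folding
    m = FROM_RE.match(text)
    if not m:
        return None
    ips = IP_RE.findall(m.group("host") + " " + (m.group("info") or ""))
    by, with_ = BY_RE.search(text), WITH_RE.search(text)
    return {
        "from_host": m.group("host").strip("[]"),
        "from_ip": ips[0] if ips else None,
        "by": by.group("host") if by else None,
        "with": with_.group("proto").upper() if with_ else None,
    }


def classify_bounce(raw_message, my_hosts, my_ips):
    msg = email.message_from_string(raw_message)
    # get_all() returns headers top-down: first element is the last hop,
    # last element is the hop closest to the original sender.
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    touching = [h for h in hops
                if h["by"] in my_hosts or h["from_host"] in my_hosts or h["from_ip"] in my_ips]
    authenticated = any(h["by"] in my_hosts and h["with"] in AUTHENTICATED for h in hops)
    if not touching:
        verdict = "not-via-our-server"              # forged elsewhere: we only get the backscatter
    elif authenticated:
        verdict = "via-our-server-authenticated"    # a mailbox password on our server is in use
    else:
        verdict = "via-our-server-unauthenticated"  # relay restrictions or a local process
    return {
        "hops": hops,
        "originating_ip": hops[-1]["from_ip"] if hops else None,
        "hops_touching_us": len(touching),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, raw in (("via", SAMPLE_VIA_OUR_SERVER), ("forged", SAMPLE_FORGED_ELSEWHERE)):
        r = classify_bounce(raw, MY_HOSTS, MY_IPS)
        print(name, r["verdict"], "first hop:", r["originating_ip"])
```

One caveat when reading the output: hops below the first one written by a server you trust (your own, or the recipient's MX) are supplied by whoever submitted the message and can be fabricated, so `originating_ip` is only as reliable as the hop your own server recorded. The verdict, by contrast, rests on the headers your server and the remote MX added themselves.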

  10. #10 (Join Date: Sep 2006, Location: 477 Congress Street | Portland, ME 04101, Posts: 1,374, Rep Power: 11)

    One other thing to check...

    The server itself may not be hacked, but if you allow your users to use any simple password they like, one or more spammers may just be using a valid mailbox account on your server using a guessed or cracked password.

    Zimbra usernames are email addresses; easy to find and half of the authentication requirements right there.

    We insist upon using "complex" passwords and forced password rotations.

    So, the "fix" might be as simple as just changing everyone's password, then generating an unblock request and see what happens.

    Hope that helps,
    Mark

    "Sometimes a pipe is just a pipe..."
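The guessed-password scenario described in the post above leaves a specific trace in the Postfix log: the smtpd line for a message records `client=host[ip]` and, for authenticated submissions, `sasl_username=...`, while the qmgr line for the same queue ID records the envelope sender. Joining the two on the queue ID shows one mailbox being used from many client addresses with envelope senders the account does not own, which is how a cracked password looks before the blacklist notices. This is an added example, not code from the thread or from Zimbra; the log lines are constructed in Postfix's standard format, `myserver.com` stands in for the poster's domain, and the thresholds are arbitrary starting points.

```python
"""Correlate Postfix smtpd 'client=... sasl_username=...' lines with the qmgr
'from=<...>' line for the same queue ID to spot abused mailbox credentials.
Added example with constructed log lines."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Dec  8 09:59:58 mail postfix/smtpd[4410]: 333CCC49C081: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=jdoe@myserver.com
Dec  8 09:59:58 mail postfix/qmgr[5055]: 333CCC49C081: from=<alerts@cs.usbank-email.com>, size=5046, nrcpt=1 (queue active)
Dec  8 09:59:59 mail postfix/smtpd[4411]: 444DDD49C082: client=unknown[198.51.100.8], sasl_method=LOGIN, sasl_username=jdoe@myserver.com
Dec  8 09:59:59 mail postfix/qmgr[5055]: 444DDD49C082: from=<U_S_BankAlerts.6tqrd7p6h.fpyk@cs.usbank-email.com>, size=6176, nrcpt=1 (queue active)
Dec  8 10:00:01 mail postfix/smtpd[4412]: 555EEE49C083: client=unknown[198.51.100.9], sasl_method=LOGIN, sasl_username=jdoe@myserver.com
Dec  8 10:00:01 mail postfix/qmgr[5055]: 555EEE49C083: from=<alerts@cs.usbank-email.com>, size=5050, nrcpt=1 (queue active)
Dec  8 10:05:00 mail postfix/smtpd[4420]: 666FFF49C084: client=laptop.myserver.com[192.0.2.50], sasl_method=PLAIN, sasl_username=alice@myserver.com
Dec  8 10:05:00 mail postfix/qmgr[5055]: 666FFF49C084: from=<alice@myserver.com>, size=2048, nrcpt=1 (queue active)
Dec  8 10:06:00 mail postfix/smtpd[4421]: 777AAA49C085: client=mx.example.org[192.0.2.10]
Dec  8 10:06:00 mail postfix/qmgr[5055]: 777AAA49C085: from=<bob@example.org>, size=1024, nrcpt=1 (queue active)
"""

SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>[^,\s]+), sasl_username=(?P<user>\S+))?"
)
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def audit_sasl(log_text, msg_threshold=3, ip_threshold=2):
    """Per SASL account: message count, distinct client IPs, envelope-sender mismatches."""
    messages = defaultdict(dict)  # queue id -> what smtpd and qmgr said about it
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            messages[m.group("qid")].update(ip=m.group("ip"), user=m.group("user"),
                                            method=m.group("method"))
            continue
        m = QMGR_RE.search(line)
        if m:
            messages[m.group("qid")]["sender"] = m.group("sender")

    accounts = defaultdict(lambda: {"messages": 0, "client_ips": set(), "sender_mismatches": 0})
    unauthenticated = 0
    for info in messages.values():
        if "ip" not in info:
            continue  # queue entry with no smtpd line (local submission or bounce)
        user = info.get("user")
        if not user:
            unauthenticated += 1  # inbound mail from another MX, no SASL
            continue
        acct = accounts[user]
        acct["messages"] += 1
        acct["client_ips"].add(info["ip"])
        sender = info.get("sender", "")
        # An authenticated user normally sends as their own domain; a foreign
        # envelope sender on an authenticated submission is the spam signature.
        if sender and domain_of(sender) != domain_of(user):
            acct["sender_mismatches"] += 1

    report = {}
    for user, acct in accounts.items():
        report[user] = {
            "messages": acct["messages"],
            "client_ips": sorted(acct["client_ips"]),
            "sender_mismatches": acct["sender_mismatches"],
            "flagged": (acct["messages"] >= msg_threshold
                        or len(acct["client_ips"]) >= ip_threshold
                        or acct["sender_mismatches"] > 0),
        }
    return {"accounts": report, "unauthenticated_messages": unauthenticated}


if __name__ == "__main__":
    for user, acct in audit_sasl(SAMPLE_LOG)["accounts"].items():
        print(user, acct)
```

A flagged account is the one whose password to change first (and whose queued mail to delete), which is the narrow version of the "change everyone's password" fix suggested above; on a real log, widen `msg_threshold` to the account's normal daily volume so ordinary users are not flagged.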
