
Thread: Help - trying to slow down hackers...

#1 (original poster)

We've been hit pretty hard with spear-phishing, and many, many users are falling for it. Accounts are getting compromised daily, at a rate of 10+ a day. There is not much we can do here other than try to slow down the offenders. We hope to block their IPs at the firewall level.

Worse, we had to disable X-Originating-IP because of the bug that would flag legitimate user-to-user mail (if they are at home) as spam. But I'm not sure I'm getting the right data from the logs.

Looking at the audit logs for a compromised account, for example, I see the following as their last authenticated session:

    2012-07-04 09:55:40,405 INFO [btpool0-4540://localhost/service/soap/AuthRequest] [name=xxx@xxx.com;ip=69.nn.nn.nn;ua=zclient/7.1.4_GA_2568;] security - cmd=Auth; account=xxx@xxx.com; protocol=soap;

The IP is a local Comcast address; to me, they are looking at their email.

    However, an hour later, I see this:

2012-07-04 10:54:09,103 INFO [btpool0-4595://localhost/service/soap/SaveDraftRequest] [name=xxx@xxx.com;mid=18786;ip=41.nn.nn.nn;ua=zclient/7.1.4_GA_2568;] mailop - Adding Message: id=20814, Message-ID=<1617417021.577708.1341413649088.JavaMail.root@xxx.com>, parentId=-1, folderId=6, folderName=Drafts.
2012-07-04 10:54:12,795 INFO [btpool0-4595://localhost/service/soap/SaveDraftRequest] [name=xxx@xxx.com;mid=18786;ip=41.nn.nn.nn;ua=zclient/7.1.4_GA_2568;] mailop - Adding Message: id=20815, Message-ID=<631409267.577710.1341413652789.JavaMail.root@xxx.com>, parentId=-1, folderId=6, folderName=Drafts.

    The 41.nn.nn.nn is an address in Africa.

    On access.log.<date> I see:

    69.nn.nn.nn - - [04/Jul/2012:13:55:46 +0000] "GET /home/xxx@xxx.com/Contacts?fmt=cf&t=2&all HTTP/1.1" 200 11723 "http://xxx.com/zimbra/?client=preferred" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; 360SE)"
    41.nn.nn.nn - - [04/Jul/2012:14:36:52 +0000] "GET /home/xxx@xxx.com/Contacts?fmt=cf&t=2&all HTTP/1.1" 200 11723 "http://xxx.com/zimbra/?client=preferred" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; Avant Browser; Avant Browser; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Crazy Browser 3.1.0)"

    Further, we blocked 41.0.0.0/8 in iptables, but the spam still happens.

So, if they are directly connecting from Africa, how come there is no connection information in the audit log? And why doesn't the firewall work? I did open a case with Red Hat and Zimbra on this.

Because, if the kid's computer is compromised, why would the Africa IP address show up in the logs?

    TIA.

#2

The kid's computer is compromised, which is how the phishers in Africa got the login credentials (keyloggers, possibly).

As for the IP: make sure you don't have an 'allow' rule that is bypassing your 'block' iptables rule. If you're not sure, use the same rule you have to block an IP that you have the ability to connect from, and see if you can connect to ports 25 (SMTP) and 80/443 (HTTP/HTTPS). Based on the access.log they're connecting via the webmail. Are you only blocking port 25 for them?
    ---
    Paul Chauvet
    State University of New York at New Paltz

#3 (original poster)

I'm not questioning how they got their password, whether keyloggers or spear phishing.

My issue is that new outgoing spam messages are being injected into the system. Zimbra is logging these with an IP in Africa; however, the firewall is blocking the whole class A for that IP. Relevant entries from iptables:

    :afrinic - [0:0]
    ...
    -A INPUT -j afrinic
    ...
    -A afrinic -s 41.0.0.0/8 -j DROP
    ...

The issue is that the access.log does not contain any entries from 41.0.0.0.

Again, the issue is not incoming SPAM; it is outgoing SPAM by compromised accounts. But how come Zimbra logs an IP that's blocked at the FW level?
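The correlation the original poster does by hand in #1 (a home address authenticating, then drafts saved from another continent an hour later) and the contradiction raised in #3 (an address inside a CIDR that iptables DROPs still showing up in Zimbra's log) can both be checked mechanically. What follows is an added example, not code from the thread or from Zimbra: a small Python parser for audit.log lines in the format quoted above, which groups events per account, flags accounts whose consecutive requests come from two different /8 networks within a short window, and lists the events whose logged source lies inside a CIDR the host's INPUT chain drops. The sample log lines are constructed (documentation address ranges plus a made-up 41.0.2.9 inside 41.0.0.0/8, made-up account names); the function names and the two-hour window are my choices.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit.log lines modelled on the format quoted in the thread.
# Addresses are documentation ranges plus one made-up address inside 41.0.0.0/8,
# the block the poster dropped in iptables; account names are made up too.
SAMPLE_AUDIT_LOG = """\
2012-07-04 09:55:40,405 INFO [btpool0-4540://localhost/service/soap/AuthRequest] [name=alice@example.com;ip=203.0.113.7;ua=zclient/7.1.4_GA_2568;] security - cmd=Auth; account=alice@example.com; protocol=soap;
2012-07-04 10:54:09,103 INFO [btpool0-4595://localhost/service/soap/SaveDraftRequest] [name=alice@example.com;mid=18786;ip=41.0.2.9;ua=zclient/7.1.4_GA_2568;] mailop - Adding Message: id=20814, Message-ID=<1@example.com>, parentId=-1, folderId=6, folderName=Drafts.
2012-07-04 10:54:12,795 INFO [btpool0-4595://localhost/service/soap/SaveDraftRequest] [name=alice@example.com;mid=18786;ip=41.0.2.9;ua=zclient/7.1.4_GA_2568;] mailop - Adding Message: id=20815, Message-ID=<2@example.com>, parentId=-1, folderId=6, folderName=Drafts.
2012-07-04 11:02:01,000 INFO [btpool0-4601://localhost/service/soap/AuthRequest] [name=bob@example.com;ip=198.51.100.4;ua=zclient/7.1.4_GA_2568;] security - cmd=Auth; account=bob@example.com; protocol=soap;
2012-07-04 11:03:30,500 INFO [btpool0-4601://localhost/service/soap/SaveDraftRequest] [name=bob@example.com;mid=1;ip=198.51.100.4;ua=zclient/7.1.4_GA_2568;] mailop - Adding Message: id=1, Message-ID=<3@example.com>, parentId=-1, folderId=6, folderName=Drafts.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) INFO "
    r"\[[^\]]*/service/soap/(?P<req>\w+)\] "   # e.g. AuthRequest, SaveDraftRequest
    r"\[(?P<ctx>[^\]]*)\] "                    # name=...;ip=...;ua=...;
    r"(?P<cat>\w+) - "                         # security / mailop
)


def parse_audit(text):
    """Turn audit.log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ctx = dict(kv.split("=", 1) for kv in m.group("ctx").split(";") if "=" in kv)
        if "name" not in ctx or "ip" not in ctx:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f"),
            "request": m.group("req"),
            "category": m.group("cat"),
            "account": ctx["name"],
            "ip": ipaddress.ip_address(ctx["ip"]),
            "ua": ctx.get("ua", ""),
        })
    return events


def flag_network_hops(events, window=timedelta(hours=2), prefixlen=8):
    """Accounts whose consecutive events come from different /prefixlen networks
    within `window`: the 'home address, then another continent' pattern in the thread.
    Returns {account: [(earlier_ip, later_ip, gap_seconds), ...]}."""
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev["account"]].append(ev)
    hops = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            net_prev = ipaddress.ip_network(f"{prev['ip']}/{prefixlen}", strict=False)
            net_cur = ipaddress.ip_network(f"{cur['ip']}/{prefixlen}", strict=False)
            gap = cur["ts"] - prev["ts"]
            if net_prev != net_cur and gap <= window:
                hops.setdefault(account, []).append(
                    (str(prev["ip"]), str(cur["ip"]), int(gap.total_seconds())))
    return hops


def events_inside_dropped_cidrs(events, dropped_cidrs):
    """Events whose logged source lies inside a CIDR this host's iptables INPUT chain DROPs.
    Any hit means the packets that reached mailboxd did not carry that source address
    when they traversed INPUT on this host, or the rule is not matching them."""
    nets = [ipaddress.ip_network(c) for c in dropped_cidrs]
    return [ev for ev in events if any(ev["ip"] in n for n in nets)]


if __name__ == "__main__":
    evs = parse_audit(SAMPLE_AUDIT_LOG)
    for account, hops in flag_network_hops(evs).items():
        for earlier, later, gap in hops:
            print(f"{account}: {earlier} -> {later} within {gap}s")
    for ev in events_inside_dropped_cidrs(evs, ["41.0.0.0/8"]):
        print(f"logged despite DROP: {ev['ts']} {ev['account']} {ev['ip']} {ev['request']}")
```

Run against a real audit.log (replace SAMPLE_AUDIT_LOG with the file contents) after adding each CIDR from the `afrinic` chain to the dropped list. An `-s` match in INPUT only ever sees the source address of the packet as it arrives on that host; if a reverse proxy, load balancer or NAT device sits in front of the mailbox server, iptables there sees the intermediary's address while the application may record the original client address from a forwarded header. So the test suggested in #2 and #4 (re-using the rule with an address you can connect from) proves the rule syntax works, but not that the 41.x packets ever reach that host's INPUT chain with 41.x as their source.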

#4

    You said that access log does not contain any entries from 41.0.0.0 but in the snippet of access.log you showed the following:

    41.nn.nn.nn - - [04/Jul/2012:14:36:52 +0000] "GET /home/xxx@xxx.com/Contacts?fmt=cf&t=2&all HTTP/1.1" 200 11723 "http://xxx.com/zimbra/?client=preferred" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; Avant Browser; Avant Browser; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Crazy Browser 3.1.0)"
So Zimbra is logging it. That means it is connecting, which means your firewall is not blocking it. I still think it would be best to check the firewall rules first (by adding the same rule for a different, known IP that you can test from, and seeing whether you can still connect via 80/443/25).

Also, you did mention 'if the kid's computer is compromised, why would the Africa IP address show in the logs?'. That is why I responded the way I did. They compromised the computer to obtain the password but are then using their own IPs overseas to actually send the mail.
    ---
    Paul Chauvet
    State University of New York at New Paltz

#5 (original poster)

Quote Originally Posted by chauvetp:
    You said that access log does not contain any entries from 41.0.0.0 but in the snippet of access.log you showed the following: [log line quoted above]

    So Zimbra is logging it. That means it is connecting, which means your firewall is not blocking it. I still think it would be best to check the firewall rules first (by adding the same rule for a different, known IP that you can test from, and seeing whether you can still connect via 80/443/25).

    Also, you did mention 'if the kid's computer is compromised, why would the Africa IP address show in the logs?'. That is why I responded the way I did. They compromised the computer to obtain the password but are then using their own IPs overseas to actually send the mail.

We've tested the firewall rules; it's blocking as it should... Granted, not from Africa, but by adding an actual IP... It's like they are faking those IP addresses?
