
Thread: My Zimbra got exploited ?

  1. #1
    Join Date
    Oct 2010
    Location
    Serpong
    Posts
    11
    Rep Power
    4

    My Zimbra got exploited ?

    Hi All,
    Someone out there is trying to crack (IMHO) my Zimbra. I already searched the forum and found http://www.zimbra.com/forums/adminis...threequest.html

    but I can't find any solution in there.
    I already tracked the log, but it only shows the Zimbra IP address (my own machine), and adding to my confusion is that I did not open my Zimbra administration port to the public.

    And here's my log:

    Code:
    AUDIT.LOG
    2012-09-12 07:38:09,642 WARN  [btpool0-396://ns1-mailserver.kantor.co.id:7071/service/admin/soap/] [name=user@kantor.co.id;ip=192.168.101.99;] security - cmd=Auth;
    account=user@kantor.co.id; protocol=soap; error=authentication failed for user@kantor.co.id, invalid password;
    2012-09-12 07:38:10,694 WARN  [btpool0-396://ns1-mailserver.kantor.co.id:7071/service/admin/soap/] [name=user@kantor.co.id;ip=192.168.101.99;] security - cmd=Auth; account=user@kantor.co.id; protocol=soap; error=authentication failed for user@kantor.co.id, invalid password;
    2012-09-12 07:38:11,685 WARN  [btpool0-396://ns1-mailserver.kantor.co.id:7071/service/admin/soap/] [name=user@kantor.co.id;ip=192.168.101.99;] security - cmd=Auth; account=user@kantor.co.id; protocol=soap; error=authentication failed for user@kantor.co.id, invalid password;
    Code:
    MAILBOX.LOG
    [btpool0-396://ns1-mailserver.kantor.co.id:7071/service/admin/soap/] [ip=192.168.101.99;] soap - AuthRequest
    2012-09-12 07:38:10,694 INFO  [btpool0-396://ns1-mailserver.kantor.co.id:7071/service/admin/soap/] [name=user@kantor.co.id;ip=192.168.101.99;] SoapEngine - handler exception: authentication failed for user@kantor.co.id, invalid password
    2012-09-12 07:38:10,696 WARN  [btpool0-396] [] log - SSL renegotiate denied: java.nio.channels.SocketChannel[connected local=/192.168.101.99:7071 remote=/192.168.101.99:54921]
    2012-09-12 07:38:11,537 INFO  [btpool0-396://ns1-mailserver.kantor.co.id:7071/service/admin/soap/] [ip=192.168.101.99;] soap - AuthRequest
    2012-09-12 07:38:11,686 INFO  [btpool0-396://ns1-mailserver.kantor.co.id:7071/service/admin/soap/] [name=user@kantor.co.id;ip=192.168.101.99;] SoapEngine - handler exception: authentication failed for user@kantor.co.id, invalid password
    2012-09-12 07:38:11,688 WARN  [btpool0-396] [] log - SSL renegotiate denied: java.nio.channels.SocketChannel[connected local=/192.168.101.99:7071 remote=/192.168.101.99
    Code:
    Jetty log access_log.2012-09-12
    192.168.101.99 -  -  [12/Sep/2012:07:07:38 +0000] "POST /service/admin/soap/ HTTP/1.1" 500 3868 "-" "-"

    My questions are:

    1. Is there a way for me to figure out the attacker's IP address?
    2. What kind of crack is the hacker trying on my Zimbra?
    3. If I upgrade my Zimbra, would this problem disappear?

    That's all from me. Thank you very much for your answer.

  2. #2
    Join Date
    Apr 2012
    Posts
    43
    Rep Power
    3


    1. On first look it seems that his IP is: ip=192.168.101.99;
    2. Also, the kind of attack is a brute-force or dictionary attack, by the way it looks.
    3. No

    Don't worry, we have millions of attacks like this on our servers and we are just fine; Zimbra will automagically block the account to prevent the password from being brute-forced, and our engineers just filter out the IP addresses in iptables once in a while.

  3. #3
    Join Date
    Oct 2010
    Location
    Serpong
    Posts
    11
    Rep Power
    4


    Hi, thanks for your reply.
    The IP is my own Zimbra machine; that's why I cannot figure out what the actual attacker IP address is. Actually, this kind of attack is annoying; users often complain about their accounts being locked.

    Can you share with us how your engineers figure out the attacker IP address when this kind of attack occurs on your machine, or the method your engineers use?

    Thank you very much for your answer.

  4. #4
    Join Date
    Apr 2012
    Posts
    43
    Rep Power
    3


    I have asked them and here is their answer:

    You can get the real IP address from audit log:

    2012-09-13 02:47:00,396 WARN [Pop3Server-39] [ip=116.255.247.226;] security - cmd=Auth; account=admin@mydomain.it; protocol=pop3; error=authentication failed for [root], account lockout;
    I have no idea why your mailbox server logs the login commands from the local IP address. Are you sure your server box is secure from other intrusions, like ssh?

  5. #5
    Join Date
    Nov 2010
    Location
    Popayán Cauca
    Posts
    16
    Rep Power
    4


    Quote Originally Posted by Paul Csiki View Post
    zimbra will automagically block the account to prevent the password being bruteforced
    Is that true? 'Cause I'm looking for something like that. By now... I did the following:

    1: Lock the user account after 3 bad logon tries
    2: Look in the audit.log for the remote IP address and lock (manually) that IP address through iptables

    But I want to find a way to "automagically" lock these IP addresses.

    Thanks
    Victor Zapata
    University of Cauca
    Popayán - Colombia

  6. #6
    Join Date
    Jun 2011
    Location
    Caracas Venezuela
    Posts
    476
    Rep Power
    4


    Quote Originally Posted by vizapata View Post
    Is that true? 'Cause I'm looking for something like that. By now... I did the following:

    1: Lock the user account after 3 bad logon tries
    2: Look in the audit.log for the remote IP address and lock (manually) that IP address through iptables

    But I want to find a way to "automagically" lock these IP addresses.

    Thanks
    Hello Victor, there's no "automagically lock". Paul, excuse me if that sounds rude.

    Following the basics, I mean using HTTPS, strong passwords and educating users about security (e.g. phishing), you could be "safe".

    Regarding blocking manually through iptables, you have to know that it's never-ending work.

    Also, you surely know about RBLs.

    ccelis
    Last edited by ccelis5215; 10-19-2012 at 04:06 PM. Reason: english... but i try!

  7. #7
    Join Date
    Nov 2008
    Location
    Grand Rapids, MI
    Posts
    123
    Rep Power
    6


    Quote Originally Posted by ccelis5215 View Post
    Hello Victor, there's no "automagically lock".
    That's not quite true. There's nothing provided by Zimbra, but there are third-party tools that'll do it. You probably want to look into something like fail2ban or denyhosts. I know you can create user-defined rules in fail2ban for what logfiles to read and what patterns to match in them to determine an IP to block. You can also configure how to do the blocking (add to /etc/hosts.deny, block the IP in iptables, run some arbitrary script that does something else you want, etc).

    Trying to explain how to use those tools is probably beyond the scope here... they have their own communities where questions can be asked.
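    A way to do the audit.log check from #4 and the log-pattern block step from #7 in one place, as an added example that is not from this thread, Zimbra or fail2ban: it parses constructed audit.log lines in the format quoted above, counts failed Auth entries per source IP, and reports separately the entries whose logged IP is the server's own address (the original poster's situation), since those cannot be attributed to a remote host from this log alone. The threshold, the own-IP set and the sample addresses are assumptions.

```python
import re
from collections import Counter

# Constructed sample audit.log lines, modelled on the entries quoted in this thread
# (203.0.113.45 and 198.51.100.7 are documentation ranges, not real hosts).
SAMPLE_AUDIT_LOG = """\
2012-09-12 07:38:09,642 WARN  [btpool0-396://ns1-mailserver.kantor.co.id:7071/service/admin/soap/] [name=user@kantor.co.id;ip=192.168.101.99;] security - cmd=Auth; account=user@kantor.co.id; protocol=soap; error=authentication failed for user@kantor.co.id, invalid password;
2012-09-12 07:38:10,694 WARN  [btpool0-396://ns1-mailserver.kantor.co.id:7071/service/admin/soap/] [name=user@kantor.co.id;ip=192.168.101.99;] security - cmd=Auth; account=user@kantor.co.id; protocol=soap; error=authentication failed for user@kantor.co.id, invalid password;
2012-09-13 02:46:58,100 WARN  [Pop3Server-39] [ip=203.0.113.45;] security - cmd=Auth; account=admin@kantor.co.id; protocol=pop3; error=authentication failed for [admin], invalid password;
2012-09-13 02:46:59,210 WARN  [Pop3Server-39] [ip=203.0.113.45;] security - cmd=Auth; account=admin@kantor.co.id; protocol=pop3; error=authentication failed for [admin], invalid password;
2012-09-13 02:47:00,396 WARN  [Pop3Server-39] [ip=203.0.113.45;] security - cmd=Auth; account=admin@kantor.co.id; protocol=pop3; error=authentication failed for [admin], account lockout;
2012-09-13 02:47:05,001 INFO  [ImapServer-12] [ip=198.51.100.7;] security - cmd=Auth; account=user@kantor.co.id; protocol=imap;
2012-09-13 02:47:09,777 WARN  [ImapServer-12] [ip=198.51.100.7;] security - cmd=Auth; account=user@kantor.co.id; protocol=imap; error=authentication failed for [user], invalid password;
"""

# Matches only failed Auth entries (WARN with an error= field); successes are INFO.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ WARN\s+\[[^\]]*\] "
    r"\[(?P<ctx>[^\]]*)\] security - cmd=Auth; account=(?P<account>[^;]+); "
    r"protocol=(?P<proto>\w+); error=(?P<error>[^;]*);"
)
IP_FIELD = re.compile(r"(?:^|;)ip=(?P<ip>[^;]+);")  # ip= inside the [name=...;ip=...;] context

def failed_auths(log_text):
    """Yield (ip, account, protocol, error) for every failed Auth entry."""
    for line in log_text.splitlines():
        m = AUTH_FAIL.match(line)
        if not m:
            continue  # successes, SSL notices and wrapped continuation lines are skipped
        ipm = IP_FIELD.search(m.group("ctx"))
        ip = ipm.group("ip") if ipm else None
        yield ip, m.group("account"), m.group("proto"), m.group("error")

def classify(log_text, own_ips, threshold=3):
    """Count failures per source IP; failures logged from the server's own address
    are returned separately per account, because the real client is not in this log."""
    external, unattributed = Counter(), Counter()
    for ip, account, proto, error in failed_auths(log_text):
        if ip in own_ips:
            unattributed[account] += 1
        else:
            external[ip] += 1
    offenders = {ip: n for ip, n in external.items() if n >= threshold}
    return offenders, dict(unattributed)

def iptables_rules(offenders):
    """The manual iptables block step the thread describes, as commands to review before running."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(offenders)]
```

    For the admin SOAP entries, where the logged address is the server itself, the unattributed count tells you that the source must be found elsewhere (the Jetty access log, or a proxy in front of the mailbox server) rather than in audit.log.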

  8. #8
    Join Date
    Apr 2012
    Posts
    43
    Rep Power
    3


    Hello,

    Well, on my Zimbra installation, if a user tries too many passwords on an account, that account gets locked out. Correct me if I'm wrong.

  9. #9
    Join Date
    Nov 2008
    Location
    Grand Rapids, MI
    Posts
    123
    Rep Power
    6


    Quote Originally Posted by Paul Csiki View Post
    Well, on my Zimbra installation, if a user tries too many passwords on an account, that account gets locked out. Correct me if I'm wrong.
    And that's exactly why he has an issue (from what I'm understanding of his complaint here so far). His real users are getting locked out because someone is trying to brute-force their accounts. So he needs to block the IP addresses of the brute force attack so his real users can log in.

  10. #10
    Join Date
    Jun 2011
    Location
    Caracas Venezuela
    Posts
    476
    Rep Power
    4


    Quote Originally Posted by justdave View Post
    And that's exactly why he has an issue (from what I'm understanding of his complaint here so far). His real users are getting locked out because someone is trying to brute-force their accounts. So he needs to block the IP addresses of the brute force attack so his real users can log in.

    Justdave, thanks for your clarifications!

    ccelis
