
Thread: Identify compromised accounts


  1. #1
    Join Date: Sep 2007 | Location: Aoteroa | Posts: 128

    Identify compromised accounts

    Hi,

    We've had a customer whose Zimbra server has been sending out spam. We eventually found it was an account that had its password guessed/compromised and were able to fix it by changing the password.

    However, finding the account was trickier than I would've expected. It was sending via authenticated smtp, but using a different FROM address.

    Is there any easy way to identify which authenticated account is used to send a particular email?

  2. #2
    Join Date: May 2007 | Location: Zimbra | Posts: 1,285

    The account sending an email is logged in /var/log/zimbra.log:

    For example, on ZCS 8.0.4:
    Code:
    Jun 24 11:58:06 edge01-zcs postfix/smtps/smtpd[30581]: 72E91EB2: client=FQDN[IP], sasl_method=PLAIN, sasl_username=user@domain
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

  3. #3
    Join Date: May 2007 | Location: Zimbra | Posts: 1,285

    There is some additional information logged when persistent authenticated connections are used as well, but I don't have that in front of me atm.
    Quanah Gibson-Mount

  4. #4
    Join Date: Dec 2005 | Posts: 31

    I'm giving this script I wrote this AM a try. The system needs to be able to protect itself from obvious abuse. More than 5 authenticated sessions in a minute is likely evidence of abuse. So once identified we lock the account. Since they most likely fell for a phishing mail and should know better I'm not real concerned about sending them notice. They can call me when they can't get into their account. No, I'm not bitter or anything.

    UPDATE: I added a pipe through sed to remove multiple spaces from the log entries as it was throwing off the awk column numbers, as well as only modifying active accounts.

    Code:
    #!/bin/bash
    # checks log file and gets a count of authentications sent per minute, per user
    # and if the count exceeds the maxmails value the user's account is locked.

    logfile="/var/log/zimbra.log"
    maxmails="10"
    mydomain="example.com"
    support="techsupport@$mydomain"
    accounts="/tmp/active_accounts"

    # list of active accounts, one address per line; only these are ever locked
    su zimbra -c "/opt/zimbra/bin/zmaccts" | grep "@" | grep active | awk '{print $1}' > $accounts

    # collapse runs of spaces so the awk field numbers stay stable, print "HH:MM user",
    # and sort before uniq -c so the same minute/user pair is counted once even when
    # several users' entries are interleaved within the same minute
    zgrep -i "auth ok" $logfile | sed 's/  */ /g' | awk -F"[ :]" '{print $3":"$4,$11;}' | sort | uniq -c | sort -n | \
    while read line
    do
    count=`echo ${line} | cut -d' ' -f 1`
    timestamp=`echo ${line} | cut -d' ' -f 2`
    userid=`echo ${line} | cut -d' ' -f 3`
    # whole-line match so that "bob" does not also match "jbob@example.com"
    active=`grep -x "$userid@$mydomain" $accounts`

    if [ "$count" -gt "$maxmails" ] && [ "$active" == "$userid@$mydomain" ]; then
    echo "Maximum email rate exceeded, $userid@$mydomain will be locked"
    su zimbra -c "/opt/zimbra/bin/zmprov ma $userid@$mydomain zimbraAccountStatus locked"
    subject="$userid account locked due to excessive connections"
    # Email text/message
    message="/tmp/emailmessage.txt"
    echo "$userid account has been locked as there were $count connections made at"> $message
    echo "$timestamp. Please have the user change their password, and check for phishing" >>$message
    echo "emails if possible." >>$message
    # send an email using /bin/mail
    /usr/bin/mail -s "$subject" "$support" < $message
    rm -f $message

    #update list of active accounts
    su zimbra -c "/opt/zimbra/bin/zmaccts" | grep "@" | grep active | awk '{print $1}' > $accounts
    fi
    done

    rm -f $accounts
    Last edited by pyperdown; 07-10-2013 at 11:41 AM. Reason: Updated to check only active accounts, trim repeated spaces from log entries prior to parsing
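The two pieces above fit together: the postfix/smtpd line Quanah quoted ties a queue ID to the sasl_username that authenticated, and pyperdown's script turns a per-minute count of authentications into a lock decision. The Python below is an added example, not code from the thread or from Zimbra; it parses lines in the quoted format, answers the original question (which account authenticated a given queue ID) and applies the same per-minute threshold check as the shell script. The sample log, hostnames, addresses, queue IDs and the threshold of 5 are all constructed for the example, and the function names are my own.

```python
import re
from collections import Counter, defaultdict

# Pattern for the smtpd line quoted earlier in the thread:
#   Mon DD HH:MM:SS host postfix[/smtps]/smtpd[pid]: QUEUEID: client=FQDN[IP], ..., sasl_username=user@domain
# Queue IDs are hex by default, alphanumeric when postfix long queue IDs are enabled.
AUTH_LINE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<hh>\d{2}):(?P<mm>\d{2}):\d{2}\s+\S+\s+"
    r"postfix/(?:\S+/)?smtpd\[\d+\]:\s+(?P<qid>[0-9A-Za-z]+):\s+"
    r"client=(?P<client>\S+?),.*\bsasl_username=(?P<user>\S+)"
)


def parse_auth_events(lines):
    """Yield (minute, user, client, queue_id) for every authenticated submission line."""
    for line in lines:
        m = AUTH_LINE.match(line)
        if m:
            minute = f"{m['mon']} {m['day']} {m['hh']}:{m['mm']}"
            yield minute, m["user"].lower(), m["client"], m["qid"]


def auths_per_minute(lines):
    """Count authenticated sessions per (minute, user), like the script's sort | uniq -c."""
    return Counter((minute, user) for minute, user, _, _ in parse_auth_events(lines))


def accounts_over_threshold(lines, max_per_minute):
    """Return {user: [(minute, count), ...]} for users exceeding max_per_minute in any minute."""
    flagged = defaultdict(list)
    for (minute, user), n in sorted(auths_per_minute(lines).items()):
        if n > max_per_minute:
            flagged[user].append((minute, n))
    return dict(flagged)


def account_for_queue_id(lines, queue_id):
    """The original question: which authenticated account submitted message queue_id?"""
    for _, user, _, qid in parse_auth_events(lines):
        if qid == queue_id:
            return user
    return None


# Constructed sample log in the quoted format (RFC 5737 documentation addresses,
# made-up hostnames, accounts and queue IDs). bob authenticates six times in one
# minute from the same client; the disconnect line carries no sasl_username.
SAMPLE_LOG = """\
Jun 24 11:58:06 edge01 postfix/smtps/smtpd[30581]: 72E91EB2: client=mail.example.net[203.0.113.10], sasl_method=PLAIN, sasl_username=alice@example.com
Jun 24 11:58:07 edge01 postfix/smtps/smtpd[30582]: 72E91EB3: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.com
Jun 24 11:58:08 edge01 postfix/smtps/smtpd[30583]: 72E91EB4: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.com
Jun 24 11:58:09 edge01 postfix/smtps/smtpd[30584]: 72E91EB5: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.com
Jun 24 11:58:10 edge01 postfix/smtps/smtpd[30585]: 72E91EB6: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.com
Jun 24 11:58:11 edge01 postfix/smtps/smtpd[30586]: 72E91EB7: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.com
Jun 24 11:58:12 edge01 postfix/smtps/smtpd[30587]: 72E91EB8: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.com
Jun 24 11:58:13 edge01 postfix/smtps/smtpd[30587]: disconnect from unknown[198.51.100.7]
Jun 24 11:59:01 edge01 postfix/smtpd[30590]: 72E91EC0: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.com
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for user, minutes in accounts_over_threshold(lines, 5).items():
        print(f"{user} exceeded 5 authentications/minute: {minutes}")
    print("72E91EB2 was submitted by", account_for_queue_id(lines, "72E91EB2"))
```

Run it against the real file with `accounts_over_threshold(open("/var/log/zimbra.log"), 5)`; the output is the same minute/user/count triple the shell script mails to support, and `account_for_queue_id` lets you go from a spam sample's queue ID (visible in the Received header) straight to the authenticating account, regardless of the forged From address.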

  5. #5
    Join Date: Sep 2007 | Location: Aoteroa | Posts: 128

    Thanks guys, that helps a lot. That script looks especially useful.

    Cheers, Al

  6. #6
    Join Date: Dec 2005 | Posts: 31

    I modded the script to only lock active accounts. It runs a bit faster. Otherwise there tend to be a lot of hits and redundant notification emails, and the zmprov ma command is pretty slooooooow.
