
Thread: 10+ accounts hijacked

  1. #1
    Join Date
    Jan 2013
    Posts
    24
    Rep Power
    2

    10+ accounts hijacked

    Last night we had at least 10 accounts hijacked... mine being one of them. I am running 8.0.6 FOSS -- These accounts racked up close to 2 million outgoing messages in just a few hours. I know for a fact that I did not fall prey to phishing. Our server is not configured for open relay, you must authenticate. I am wondering if it was some sort of client side attack. I have my phone's email client configured to check Zimbra, and the only other system I have used to check it since Thursday has been my Debian machine at home. My password was 29 characters long, so I doubt it was guessed or bruteforced. I find it very odd that 10 accounts were hijacked in one night. The passwords weren't changed, as far as I can tell.

    I have reset all passwords on the mail server, and invalidated sessions.

    Are there any known security problems with 8.0.6? Any help would be greatly appreciated.

    Just noticed another weird thing. I have changed all passwords, and invalidated all sessions, but my phone is still getting mail without changing the password on it. In the admin console, I show several IMAP connections still currently connected.

  2. #2
    Join Date
    Jan 2013
    Posts
    24
    Rep Power
    2


    I have a bunch of these logs:

    Code:
    auth.log:Mar 30 06:43:40 mail saslauthd[2425]: zmauth: authenticating against elected url 'https://mydomain.com:7071/service/admin/soap/' ...
    auth.log:Mar 30 06:43:40 mail saslauthd[2425]: zmpost: url='https://mydomain.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [ktinklepaugh]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp1917006373-75744:https://IPADDRESS:7071/service/admin/soap/:1396179820316:fdbc7c4b90798e8a</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
    auth.log:Mar 30 06:43:49 mail saslauthd[2426]: zmauth: authenticating against elected url 'https://mydomain.com:7071/service/admin/soap/' ...
    auth.log:Mar 30 06:43:49 mail saslauthd[2426]: zmpost: url='https://mydomain.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="70372"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_ba1f86af78102fc8059580b7c831ed6370c8d93a_69643d33363a63376661356264362d303262382d343239642d396539362d6532376632366137306139363b6578703d31333a313339363335323632393335343b76763d313a313b747970653d363a7a696d6272613b</authToken><lifetime>172799999</lifetime><skin>serenity</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''
    auth.log:Mar 30 06:44:40 mail saslauthd[2424]: zmauth: authenticating against elected url 'https://mydomain.com:7071/service/admin/soap/' ...
    auth.log:Mar 30 06:44:40 mail saslauthd[2424]: zmpost: url='https://mydomain.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [adixon]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp1917006373-75750:https://IPADDRESS:7071/service/admin/soap/:1396179880248:fdbc7c4b90798e8a</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
    auth.log:Mar 30 06:44:40 mail saslauthd[2427]: zmauth: authenticating against elected url 'https://mydomain.com:7071/service/admin/soap/' ...
    auth.log:Mar 30 06:44:40 mail saslauthd[2427]: zmpost: url='https://mydomain.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [lmorris]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp1917006373-75752:https://IPADDRESS:7071/service/admin/soap/:1396179880378:fdbc7c4b90798e8a</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
    What is the best way to audit incoming connections to the admin console? I am grepping the /var/log directory for 7071 --
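
    One way to turn saslauthd lines like the ones above into something auditable, as an added example that is not part of the thread: it tallies account.AUTH_FAILED per account and successes/failures per minute, and strips authToken values before the log is shared, since a logged authToken is a live session credential. The sample lines are constructed in the quoted zmpost format with shortened SOAP payloads and a placeholder token; because the success response carries no account name, successes are only counted per minute.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the saslauthd zmpost format quoted above
# (SOAP payloads shortened; the token value is a placeholder, not a real token).
SAMPLE_LOG = """\
auth.log:Mar 30 06:43:40 mail saslauthd[2425]: zmpost: url='https://mydomain.com:7071/service/admin/soap/' returned buffer->data='<soap:Text>authentication failed for [ktinklepaugh]</soap:Text><Code>account.AUTH_FAILED</Code>', hti->error=''
auth.log:Mar 30 06:43:49 mail saslauthd[2426]: zmpost: url='https://mydomain.com:7071/service/admin/soap/' returned buffer->data='<AuthResponse xmlns="urn:zimbraAccount"><authToken>0_PLACEHOLDERTOKEN</authToken><lifetime>172799999</lifetime></AuthResponse>', hti->error=''
auth.log:Mar 30 06:44:40 mail saslauthd[2424]: zmpost: url='https://mydomain.com:7071/service/admin/soap/' returned buffer->data='<soap:Text>authentication failed for [adixon]</soap:Text><Code>account.AUTH_FAILED</Code>', hti->error=''
auth.log:Mar 30 06:44:40 mail saslauthd[2427]: zmpost: url='https://mydomain.com:7071/service/admin/soap/' returned buffer->data='<soap:Text>authentication failed for [lmorris]</soap:Text><Code>account.AUTH_FAILED</Code>', hti->error=''
auth.log:Mar 30 06:44:41 mail saslauthd[2425]: zmpost: url='https://mydomain.com:7071/service/admin/soap/' returned buffer->data='<soap:Text>authentication failed for [adixon]</soap:Text><Code>account.AUTH_FAILED</Code>', hti->error=''
"""

# Optional "auth.log:" grep prefix, syslog timestamp to the minute, saslauthd PID, zmpost marker.
TS_RE = re.compile(r"^(?:\S+:)?(\w{3}\s+\d{1,2} \d{2}:\d{2}):\d{2} \S+ saslauthd\[(\d+)\]: zmpost:")
FAIL_RE = re.compile(r"authentication failed for \[([^\]]+)\]")
TOKEN_RE = re.compile(r"<authToken>[^<]*</authToken>")


def summarize(log_text, fail_threshold=2):
    """Count AUTH_FAILED per account and ok/fail totals per minute from zmpost lines."""
    fails = Counter()
    per_minute = defaultdict(lambda: {"fail": 0, "ok": 0})
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue  # zmauth "authenticating against ..." lines and noise are skipped
        minute = m.group(1)
        if "account.AUTH_FAILED" in line:
            user = FAIL_RE.search(line)
            fails[user.group(1) if user else "?"] += 1
            per_minute[minute]["fail"] += 1
        elif "<AuthResponse" in line:
            per_minute[minute]["ok"] += 1  # no account name in the success response
    suspects = sorted(u for u, n in fails.items() if n >= fail_threshold)
    return {"fails": dict(fails), "per_minute": dict(per_minute), "suspects": suspects}


def redact_tokens(log_text):
    """Replace authToken values, which are valid session credentials, before sharing logs."""
    return TOKEN_RE.sub("<authToken>[REDACTED]</authToken>", log_text)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(redact_tokens(SAMPLE_LOG))
```

    Source addresses are not in these lines; for that, the same per-minute failure spikes need to be joined against the MTA or nginx access logs for the same timestamps.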

  3. #3
    Join Date
    Jan 2013
    Posts
    24
    Rep Power
    2


    Another different account compromised today. This is after changing every user password yesterday, deleting all but one admin account, and blocking port 7071 at the firewall. Client computers show no sign of compromise. The user today was not one that was compromised yesterday; they were running a fully updated version of OSX. Our server isn't an open relay. The attacker was using SASL auth to send the messages.

    Is anybody out there? Are there any known security issues with 8.0.6_GA_5922 FOSS?

  4. #4
    Join Date
    Jan 2013
    Posts
    24
    Rep Power
    2


    5 more email accounts hijacked today. I guess it is time to move to Google Apps. This forum is worthless.

  5. #5
    Join Date
    Mar 2006
    Location
    Beaucaire, France
    Posts
    2,322
    Rep Power
    13


    There is no known security issue with 8.0.6.

    If you already know the user is using a SASL-authenticated SMTP session, then you know which user got hijacked (it seems you know which account was hijacked and it seems their passwords were not changed by the hijacker).

    So you should find out why/how they got hijacked and it might not be related to ZCS at all...
    The passwords are encrypted in ZCS' LDAP database, they were not "read" from the database.
    It means the hijacker (if any) got them another way (bruteforce, keylogger, network tapping, etc).

  6. #6
    Join Date
    Jan 2013
    Posts
    24
    Rep Power
    2


    Thanks for the reply Klug. I was beginning to think that I was the only one here.

    We have had 16 unique accounts compromised. I have forced a password change district wide [and actually reset all of the passwords with a script, and had each teacher log in and change their password to something they had never used before.]. One of the user accounts that was compromised was mine, so I know it wasn't phishing, and I have scanned every machine that I have used with several tools looking for rootkits or malware. My password was 29 characters mixed case with numbers and symbols as well, so I doubt it was bruteforce. I don't think it was a keylogger, because these users just use their own machines, and to have that many systems running both OSX and Windows infected at the same time seems far-fetched [but not beyond possibility]. I suppose there could be a sniffer on the network somewhere, but in theory everything going to Zimbra should be SSL. If they go to port 80, it redirects to 443, and the server rejects any auth that is not SSL. We aren't getting any cert errors... and the connection still shows that SSL is enabled, so I don't think anyone is using SSLStrip or similar tools, but obviously I am not aware of every method of attack available. Most of the attacking IPs appear to be out of either Russia or Ukraine. This has been going on since Monday, and I can't seem to do anything to stop it, short of blocking all external access to Zimbra at the firewall, which kind of cripples its functionality. Anytime we have an account compromised, I change the password immediately, and invalidate all sessions. It is like a big game of whack-a-mole.

    Sorry for my gruff post earlier, but I am incredibly frustrated at the moment. Any suggestions would be greatly appreciated.

  7. #7
    Join Date
    Mar 2006
    Location
    Beaucaire, France
    Posts
    2,322
    Rep Power
    13


    The compromised accounts did not have their password changed by the attacker, did they?

  8. #8
    Join Date
    Jul 2013
    Location
    /dev/urandom
    Posts
    33
    Rep Power
    2


    Hi,

    I personally would suggest a full rootkit check and investigation on the email server in question. A rootkit would allow this kind of behaviour, meaning the problem could be deeper than Zimbra itself. Additionally, check for any odd open ports on the server etc.

    Also, Zimbra 8.0.7 was released recently, so it may be worth upgrading (just upgraded ours, no problems). The change log did specify that it fixed two security issues, but did not say what they were, so it could be related.

    Hope this helps :-).

  9. #9
    Join Date
    Jan 2013
    Posts
    24
    Rep Power
    2


    Klug - I don't believe the passwords were changed for the user accounts. You may be on to something with the bruteforce idea though. After grepping through the logs, my account was never actually used for SASL auth, but if I am not mistaken, you can send mail as any user as long as you can authenticate... right?

    JakeMS - Thanks for the reply. I will run a couple of rootkit checks. Once a week I have a script set to Nmap the inside and outside of my network, and upload that info to an internal git server. I then use the built-in diff tool to look for any changed ports. I haven't seen any new open ports on the server... I also do the same to look at running processes, user accounts, and members of the root group. So far no changes there. I will install chkrootkit to scan through it though, just in case. Thanks for the suggestion. I may also try the upgrade to 8.0.7 this weekend.

  10. #10
    Join Date
    Jan 2013
    Posts
    24
    Rep Power
    2


    After running the rootkit scan, I got this:

    Code:
    Checking `bindshell'...                                     INFECTED (PORTS:  465)
    Ran

    fuser -vn tcp 465

    And got:
    Code:
                         USER        PID ACCESS COMMAND
    465/tcp:             postfix   10970 F.... smtpd
                         root      15380 F.... master
    then ran:

    ps aux|grep 10970

    Code:
    postfix  10970  0.0  0.0 102148  6252 ?        S    09:38   0:00 smtpd -n 465 -t inet -u -o stress= -o content_filter=scan:[127.0.0.1]:10030 -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions= -o smtpd_data_restrictions= -o smtpd_helo_restrictions= -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o syslog_name=postfix/smtps -o milter_macro_daemon_name=ORIGINATING
    ps aux|grep 15380

    Code:
    root     15380  0.0  0.0  55344  1752 ?        Ss   Apr03   0:23 /opt/zimbra/postfix/libexec/master -w
    Both processes appear to be legit, but I am not completely sure of that first one. Any thoughts?
    Last edited by nitsew; 04-04-2014 at 07:52 AM.
