Serious problem exploits "brute force attack"

7224jobe
Advanced member
Posts: 85
Joined: Sat Sep 13, 2014 1:55 am
ZCS/ZD Version: 8.6.0_GA_1153.RHEL6_64

Re: Serious problem exploits "brute force attack"

Postby 7224jobe » Wed Apr 19, 2017 5:52 pm

Installed patch 8 but no luck.


jorgedlcruz
Zimbra Employee
Posts: 2399
Joined: Thu May 22, 2014 4:47 pm

Re: Serious problem exploits "brute force attack"

Postby jorgedlcruz » Thu Apr 20, 2017 1:12 am

What do you see in mailbox.log or in auth.log?
Search for the following:

Code:

grep sasl_method /var/log/zimbra.log
Jorge de la Cruz https://jorgedelacruz.es
Product Manager, Zimbra/Synacor https://www.zimbra.com/
A Zetalliance Founder
7224jobe
Advanced member
Posts: 85
Joined: Sat Sep 13, 2014 1:55 am
ZCS/ZD Version: 8.6.0_GA_1153.RHEL6_64

Re: Serious problem exploits "brute force attack"

Postby 7224jobe » Thu Apr 20, 2017 6:58 am

Hello Jorge, thanks for your answer. A few hours ago I figured out what the problem was: the compromised user has 2 accounts on our server, on different domains; probably both accounts were hacked (they had the same password...), but I was closing and investigating only one of them. The domain part was missing in the zimbra.log lines (I saw only lots of logins for user.name, not user.name@domain1 or user.name@domain2), but I forgot that we have a default domain that does not require the domain part in the username to log in. :oops:
Changing the password on the secondary account blocked the spamming.

Only a note, since I investigated a lot because of this puzzling problem: the lines regarding the admin interface and port 7071 are normal! This post from Quanah explains it well: viewtopic.php?p=266783#p266783
Port 7071 is the port used by AUTH requests via SOAP. So when user X connects to port 465/587 to send email via Postfix, and they AUTH to do so, that generates a SOAP request TO port 7071 on their behalf to auth them. Trying to block port 7071 will only make it so NO ONE can send email via 465/587. Since the SOAP request is generated on the MTA that is why you see your SERVER IP.


But I did not find any documentation about this flow...only a few topics on this forum with scared people wondering why hackers got access to their web admin interface, which is blocked from the internet by a firewall...like I was. :? Hope re-posting this explanation will help!
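The trap described in this thread, a bare sasl_username in zimbra.log that hides which of two same-named accounts is being used, is easy to miss with a plain grep. The script below is an added example (not code from the thread or from Zimbra): it parses Postfix smtpd SASL lines of the kind `grep sasl_method` returns, appends an assumed default domain to bare usernames so each account is counted separately, and lists accounts authenticating from more distinct client IPs than you would expect. The log lines, domain names and IPs are constructed for the example.

```python
import re
from collections import defaultdict

# Postfix smtpd SASL lines as Zimbra writes them to /var/log/zimbra.log.
# sasl_username carries no domain part when the login used the default
# domain, so user.name and user.name@domain2 are different accounts.
SASL_RE = re.compile(
    r"client=(?P<host>\S+?)\[(?P<ip>[\d.]+)\].*?"
    r"sasl_method=(?P<method>\w+), sasl_username=(?P<user>\S+)"
)

def qualify(user, default_domain):
    """Return user@domain, appending the default domain to a bare username."""
    return user if "@" in user else f"{user}@{default_domain}"

def summarize_sasl(lines, default_domain):
    """Map each fully qualified account to (login count, sorted client IPs)."""
    counts = defaultdict(int)
    ips = defaultdict(set)
    for line in lines:
        m = SASL_RE.search(line)
        if not m:
            continue  # not a SASL authentication line
        account = qualify(m.group("user"), default_domain)
        counts[account] += 1
        ips[account].add(m.group("ip"))
    return {a: (counts[a], sorted(ips[a])) for a in counts}

def suspicious(summary, max_ips=2):
    """Accounts seen from more distinct client IPs than max_ips (assumed threshold)."""
    return sorted(a for a, (_, ips) in summary.items() if len(ips) > max_ips)

# Constructed sample lines, not real log data.
SAMPLE = [
    "Apr 20 06:01:02 mail postfix/smtpd[2101]: 1A2B3: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=user.name",
    "Apr 20 06:01:09 mail postfix/smtpd[2101]: 1A2B4: client=unknown[198.51.100.9], sasl_method=LOGIN, sasl_username=user.name",
    "Apr 20 06:02:15 mail postfix/smtpd[2102]: 1A2B5: client=unknown[203.0.113.4], sasl_method=PLAIN, sasl_username=user.name",
    "Apr 20 06:03:40 mail postfix/smtpd[2103]: 1A2B6: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=user.name@domain2.example",
    "Apr 20 06:04:01 mail postfix/smtpd[2104]: 1A2B7: client=host.example[192.0.2.10], sasl_method=LOGIN, sasl_username=alice@domain1.example",
]

if __name__ == "__main__":
    summary = summarize_sasl(SAMPLE, "domain1.example")  # assumed default domain
    for account, (n, client_ips) in sorted(summary.items()):
        print(f"{account}: {n} logins from {', '.join(client_ips)}")
    print("suspicious:", suspicious(summary))
```

In the sample, the three bare `user.name` logins resolve to the default-domain account, while the `user.name@domain2.example` login stays separate, which is exactly the distinction the grep alone did not make.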
