Serious problem exploits "brute force attack"

cisco72
Posts: 12
Joined: Sat Sep 13, 2014 2:53 am

Serious problem exploits "brute force attack"

Postby cisco72 » Mon May 30, 2016 8:01 am

Hello everyone, I have been the victim of an attack on my server. My server does not publish port 7071, and the attack seems to originate from the same server. I changed the password, but there are continuous attempts to log in.
The server has been upgraded to the latest releases and patches.
I report the logs below, please help me!!

/opt/zimbra/log/audit.log
2016-05-30 09:38:50,895 WARN [qtp509886383-1580:https://10.0.2.1:7071/service/admin/soap/] [name=f.onorato@eurotelag.com;ip=10.0.2.1;] security - cmd=Auth; account=f.onorato@eurotelag.com; protocol=soap; error=authentication failed for [f.onorato@eurotelag.com], invalid password;

/opt/zimbra/log/mailbox.log
2016-05-30 09:38:50,147 INFO [qtp509886383-1562:https://10.0.2.1:7071/service/admin/soap/] [name=f.onorato@eurotelag.com;ip=10.0.2.1;] SoapEngine - handler exception: authentication failed for [f.onorato@eurotelag.com], invalid password
2016-05-30 09:38:50,147 INFO [qtp509886383-1562:https://10.0.2.1:7071/service/admin/soap/] [name=f.onorato@eurotelag.com;ip=10.0.2.1;] soap - AuthRequest elapsed=0

/var/log/zimbra.log
May 30 09:56:18 mail saslauthd[7685]: zmpost: url='https://mail.eurotelag.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [f.onorato@eurotelag.com]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp509886383-1765:https://10.0.2.1:7071/service/admin/soap/:1464594978133:a61ce3380f5134a9</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
May 30 09:56:18 mail saslauthd[7685]: auth_zimbra: f.onorato@eurotelag.com auth failed: authentication failed for [f.onorato@eurotelag.com]
May 30 09:56:18 mail saslauthd[7685]: do_auth : auth failure: [user=f.onorato@eurotelag.com] [service=smtp] [realm=eurotelag.com] [mech=zimbra] [reason=Unknown]

/var/log/auth.log
May 30 09:56:18 mail saslauthd[7685]: zmpost: url='https://mail.eurotelag.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [f.onorato@eurotelag.com]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp509886383-1765:https://10.0.2.1:7071/service/admin/soap/:1464594978133:a61ce3380f5134a9</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
May 30 09:56:18 mail saslauthd[7685]: auth_zimbra: f.onorato@eurotelag.com auth failed: authentication failed for [f.onorato@eurotelag.com]
May 30 09:56:18 mail saslauthd[7685]: do_auth : auth failure: [user=f.onorato@eurotelag.com] [service=smtp] [realm=eurotelag.com] [mech=zimbra] [reason=Unknown]


cisco72
Posts: 12
Joined: Sat Sep 13, 2014 2:53 am

Re: Serious problem exploits "brute force attack"

Postby cisco72 » Mon May 30, 2016 12:19 pm

Hello,
I noticed that if I put the original password back, the server starts sending spam. Can someone give me help?

Thanks!!
babyporch
Posts: 3
Joined: Thu Mar 22, 2007 6:36 am

Re: Serious problem exploits "brute force attack"

Postby babyporch » Wed Jun 01, 2016 8:07 am

I think your account was hacked (worm or password discovered via web interface).

Simply change the password and do not put the old one back.

The logs show the authentication attempt.

Ciao Francesco.
cisco72
Posts: 12
Joined: Sat Sep 13, 2014 2:53 am

Re: Serious problem exploits "brute force attack"

Postby cisco72 » Wed Jun 01, 2016 9:22 am

Hello babyporch,

the problem stems from the fact that 7071 has never been exposed to the internet; from the netstat output I see that the connections are generated by the same IP as the server.
This makes me think of a script or something else that is running on the server.

Ciao Claudio
sastia
Posts: 1
Joined: Fri Aug 05, 2016 2:57 pm

Re: Serious problem exploits "brute force attack"

Postby sastia » Fri Aug 05, 2016 3:25 pm

Hi Cisco72,

Did you ever find the cause of the problem? I'm having exactly the same situation. The attempts to connect seem to come from the server itself. I'm trying to find a bogus process that is launching the attempts, without success.

Any comment will be appreciated.
v1rtu4l
Posts: 35
Joined: Tue Jun 28, 2016 3:04 pm

Re: Serious problem exploits "brute force attack"

Postby v1rtu4l » Sat Aug 06, 2016 6:38 pm

If the connection is from the server's own IP address, that only means that it is a login via the web interface.


Sent from my SM-N910F using Tapatalk
ALP_88
Posts: 1
Joined: Thu Aug 25, 2016 1:48 am

Re: Serious problem exploits "brute force attack"

Postby ALP_88 » Thu Aug 25, 2016 1:56 am

Hello everyone, I find myself with the same problem and I could not solve it. Has someone found the solution? Thank you very much
liverpoolfcfan
Outstanding Member
Posts: 906
Joined: Sat Sep 13, 2014 12:47 am

Re: Serious problem exploits "brute force attack"

Postby liverpoolfcfan » Thu Aug 25, 2016 2:38 pm

Someone is trying to send authenticated email from outside your server - using the submission port (465)

If you open /var/log/zimbra.log and search for one of the saslauthd lines you quoted, you will find that the preceding 3 lines should give you the information about the source of the connection.

For example

Aug 25 07:29:47 mail postfix/submission/smtpd[16296]: connect from mail-it0-f51.google.com[209.85.214.51]
Aug 25 07:29:48 mail postfix/submission/smtpd[16296]: Anonymous TLS connection established from mail-it0-f51.google.com[209.85.214.51]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Aug 25 07:29:48 mail saslauthd[4831]: zmauth: authenticating against elected url 'https://yourServer:7071/service/admin/soap/' ...
Aug 25 07:29:49 mail saslauthd[4831]: zmpost: url='https://yourServer:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="223912"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken> removed </authToken><lifetime>86400000</lifetime><skin>harmony</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''

Here you can see the incoming connection was from google.com - and in my case this was a legitimate connection.

You should be able to use the IP address quoted to block the connection using the firewall.
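The correlation described in this reply, as an added example that is not part of the original thread: saslauthd only ever logs the local admin SOAP URL on port 7071 (which is why the earlier posts see the "attack" coming from the server itself), so the real client has to be read from the nearest preceding postfix smtpd "connect from" line. The script below does that over a constructed log excerpt modelled on the lines quoted in this thread (hosts, IPs and accounts are placeholders), counts failed logins per attributed source IP, and returns the IPs worth adding to a firewall rule. The 30-second window and the failure threshold are assumptions, not Zimbra settings.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/zimbra.log, modelled on the thread's excerpts.
# Hosts, IPs and user names are placeholders.
SAMPLE_LOG = """\
Aug 25 07:29:47 mail postfix/submission/smtpd[16296]: connect from mail-it0-f51.google.com[209.85.214.51]
Aug 25 07:29:48 mail postfix/submission/smtpd[16296]: Anonymous TLS connection established from mail-it0-f51.google.com[209.85.214.51]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Aug 25 07:29:48 mail saslauthd[4831]: zmauth: authenticating against elected url 'https://yourServer:7071/service/admin/soap/' ...
Aug 25 07:29:49 mail saslauthd[4831]: auth_zimbra: user1 auth OK
Aug 25 07:30:01 mail postfix/submission/smtpd[16300]: connect from unknown[203.0.113.45]
Aug 25 07:30:02 mail saslauthd[4832]: auth_zimbra: f.onorato@example.com auth failed: authentication failed for [f.onorato@example.com]
Aug 25 07:30:02 mail saslauthd[4832]: do_auth : auth failure: [user=f.onorato@example.com] [service=smtp] [realm=example.com] [mech=zimbra] [reason=Unknown]
Aug 25 07:30:04 mail saslauthd[4833]: auth_zimbra: f.onorato@example.com auth failed: authentication failed for [f.onorato@example.com]
Aug 25 07:30:09 mail postfix/submission/smtpd[16300]: connect from unknown[203.0.113.45]
Aug 25 07:30:10 mail saslauthd[4832]: auth_zimbra: admin@example.com auth failed: authentication failed for [admin@example.com]
Aug 25 07:31:00 mail postfix/submission/smtpd[16301]: connect from unknown[198.51.100.7]
Aug 25 07:31:01 mail saslauthd[4834]: auth_zimbra: user1 auth failed: authentication failed for [user1]
"""

# postfix smtpd connection line: the only place the remote client address appears
CONNECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/\S*smtpd\[\d+\]: "
    r"connect from (?P<host>\S+)\[(?P<ip>[^\]]+)\]")
# saslauthd result line; "do_auth : auth failure" repeats the same event and is ignored
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ saslauthd\[\d+\]: "
    r"auth_zimbra: (?P<user>\S+) auth (?P<result>OK|failed)")


def parse_ts(text):
    # syslog timestamps carry no year; strptime defaults to 1900, fine for deltas
    return datetime.strptime(text, "%b %d %H:%M:%S")


def correlate(log_text, window=timedelta(seconds=30)):
    """Attribute each saslauthd result to the most recent smtpd 'connect from'
    line within `window`. Returns a list of dicts with time, user, ok, host, ip."""
    last_connect = None
    events = []
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            last_connect = (parse_ts(m["ts"]), m["host"], m["ip"])
            continue
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"])
        src_host = src_ip = None  # left unattributed if no recent connection
        if last_connect and timedelta(0) <= ts - last_connect[0] <= window:
            _, src_host, src_ip = last_connect
        events.append({"time": ts, "user": m["user"],
                       "ok": m["result"] == "OK", "host": src_host, "ip": src_ip})
    return events


def failures_by_ip(events):
    """Count failed logins per attributed source IP and record which accounts
    were tried from each; unattributed failures are grouped under 'unattributed'."""
    counts = Counter()
    users = defaultdict(set)
    for e in events:
        if e["ok"]:
            continue
        key = e["ip"] or "unattributed"
        counts[key] += 1
        users[key].add(e["user"])
    return counts, users


def block_candidates(events, threshold=3):
    """Source IPs with at least `threshold` failures: candidates for a firewall rule."""
    counts, _ = failures_by_ip(events)
    return sorted(ip for ip, n in counts.items()
                  if ip != "unattributed" and n >= threshold)


if __name__ == "__main__":
    ev = correlate(SAMPLE_LOG)
    counts, users = failures_by_ip(ev)
    for ip, n in counts.most_common():
        print(f"{ip:16} {n} failures  accounts={sorted(users[ip])}")
    print("block candidates:", block_candidates(ev))
```

Because attribution is by nearest preceding connection, two clients authenticating at the same second can be confused; for a definitive answer the smtpd process's own SASL failure warnings in the same log (keyed by the smtpd PID) are the better join key, but this heuristic matches what the reply above describes and is usually enough to pick out the noisy source.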
MartinsBonders
Posts: 22
Joined: Wed May 18, 2016 8:12 am

Re: Serious problem exploits "brute force attack"

Postby MartinsBonders » Fri Dec 30, 2016 1:32 pm

Yes, the same problem started 2 days ago! 7071 has an access list allowing only 2 IPs, but the log is full of IPs accessing this port. Is this a Zimbra exploit?!
7224jobe
Advanced member
Posts: 97
Joined: Sat Sep 13, 2014 1:55 am
ZCS/ZD Version: 8.6.0_GA_1153.RHEL6_64

Re: Serious problem exploits "brute force attack"

Postby 7224jobe » Wed Apr 19, 2017 5:20 pm

Same problem here...successful login attempts to admin web page (port 7071) from within the server.
In zimbra.log I see:


Apr 19 19:06:33 mail saslauthd[8160]: auth_zimbra: user1 auth OK
Apr 19 19:07:03 mail saslauthd[8161]: zmauth: authenticating against elected url 'https://mail.domain.com:7071/service/admin/soap/' ...
Apr 19 19:07:03 mail saslauthd[8161]: zmpost: url='https://mail.domain.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="20959"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_d1dd00e7eb79810aadaa9b5c4b3d97df8979b9e9_69643d33363a62343038346134362d333733362d346234342d626630642d34376562326531698755773b6578703d31333a31343932895423687393b76763d313a313b747970653d363a7a696d6272613b7469643d31303a9515669752444303b76657273696f6e3d31333a382e362e305f47415f313135333b</authToken><lifetime>172799998</lifetime><skin>serenity</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''


But user1 is not an administrator...

[zimbra@mail ~]$ zmcontrol -v
Release 8.6.0_GA_1153.RHEL6_64_20141215151155 RHEL6_64 FOSS edition, Patch 8.6.0_P7.
