I had this problem too on my Zimbra. They successfully hacked one of my accounts and sent 250,000 spam emails in one day. It seems to be a zombie farm of computers that is attacking. I've got more than 1 million SOAP requests on my server from more than a few hundred different IPs.
You can find some log info in my thread (which was ignored by everyone): Help... my Zimbra is sending SPAM to the world!!!
It looks like there is a flaw in the Zimbra software and some hackers are taking advantage of it.
Can you confirm that the Zimbra system is 100% secure - without any security flaw that can be found?
In my case, the password was captured by a keylogger that was installed on a computer that one of our users used outside the company...
I'm trying to shed some light on an attack pattern used by hackers and am looking for a counter-measure to prevent it before it happens.
Welcome to the Home of OSSEC: write a custom rule that looks for sustained SOAP logins within a particular time frame as a possibility. You could even get it to fire an auto-response that blocks the IP via iptables; or, perhaps less invasively, just lock that particular account. That way the user would need to contact you.
Last edited by uxbod; 03-17-2010 at 08:40 AM.
Have a look in /opt/zimbra/log/audit.log for one of the suspect IPs and see what the user agent for the SOAP request was. Look for ua=
We ship a script that may help you track down offending IPs as well as coordinated attacks against specific accounts. Details on how to turn it on are below.
Bug 32586 – script to watch for auth failures
That is great Brian, but in this instance the spammer had obtained a user's password and therefore the SOAP calls would be valid. According to the RFE it only checks against authentication failures:
Code:
The script ships with 4 authentication failure checks.
- IP/Account hash check which warns on 10 auth failures from an IP/account combo within a 60 second window.
- Account check which warns on 15 auth failures from any IP within a 60 second window. Attempts to detect a distributed hijack based attack on a single account.
- IP check which warns on 20 auth failures to any account within a 60 second window. Attempts to detect a single host based attack across multiple accounts.
- Total auth failure check which warns on 1000 auth failures from any IP to any account within 60 seconds. The recommended value on this is guesstimated at 1% of active accounts for the MBS.
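The following is an added example, not code from the thread, from Zimbra or from the Bug 32586 script. It implements the four sliding-window failure checks quoted above with the stated thresholds (10/15/20/1000 within 60 seconds), and adds one check the thread asks for but the shipped script does not have: an alert when a single account authenticates successfully from many distinct IPs in a short window, which is what a stolen password driven by a botnet looks like. The audit.log line layout used here is an assumption modelled on the fields named in the thread (oip=, ua=, cmd=Auth, protocol=soap); the sample lines are constructed, and the function and class names are the example's own.

```python
#!/usr/bin/env python3
"""Sliding-window auth checks over Zimbra-style audit.log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape, modelled on Zimbra's audit.log: the field names oip=, ua=,
# cmd=Auth and protocol=soap come from the thread; the exact layout is an assumption.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ +(?P<level>\w+) .*?"
    r"\[name=(?P<name>[^;]*);oip=(?P<oip>[^;]*);ua=(?P<ua>[^;]*);\] security - "
    r"cmd=Auth; account=(?P<account>[^;]+); protocol=(?P<proto>\w+);(?P<rest>.*)$"
)


def parse_line(line):
    """Return an auth event dict for a matching line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "account": m["account"].lower(),
        "ip": m["oip"],
        "ua": m["ua"],
        "proto": m["proto"],
        "ok": "error=" not in m["rest"],   # failures carry an error= field
    }


class AuthMonitor:
    """Failure thresholds follow the Bug 32586 description quoted in the thread.
    The distinct-IP check on *successful* logins is this example's addition for
    the stolen-password case, where every SOAP auth is valid."""

    def __init__(self, window=60, ip_acct=10, acct=15, ip=20, total=1000, distinct_ips=5):
        self.window = timedelta(seconds=window)
        self.limits = {"ip_acct": ip_acct, "acct": acct, "ip": ip, "total": total}
        self.distinct_ips = distinct_ips
        self.fails = {k: defaultdict(deque) for k in self.limits}  # check -> key -> deque
        self.successes = defaultdict(deque)                         # account -> (ts, ip)
        self.fired = set()                                          # alert once per key

    def _push(self, dq, ts, item):
        """Append and drop entries older than the window (log is assumed time-ordered)."""
        dq.append((ts, item))
        while dq and ts - dq[0][0] > self.window:
            dq.popleft()

    def feed(self, ev):
        alerts, ts = [], ev["ts"]
        if ev["ok"]:
            dq = self.successes[ev["account"]]
            self._push(dq, ts, ev["ip"])
            ips = {ip for _, ip in dq}
            key = ("distinct_ips", ev["account"])
            if len(ips) >= self.distinct_ips and key not in self.fired:
                self.fired.add(key)
                alerts.append(f"account {ev['account']} authenticated from {len(ips)} IPs "
                              f"within {self.window.seconds}s: {sorted(ips)}")
            return alerts
        keys = {"ip_acct": (ev["ip"], ev["account"]), "acct": ev["account"],
                "ip": ev["ip"], "total": "*"}
        for check, key in keys.items():
            dq = self.fails[check][key]
            self._push(dq, ts, None)
            if len(dq) >= self.limits[check] and (check, key) not in self.fired:
                self.fired.add((check, key))
                alerts.append(f"{check}: {len(dq)} auth failures for {key} "
                              f"within {self.window.seconds}s")
        return alerts


def analyze(lines, **kw):
    """Run every SOAP auth event through the monitor and return the alerts raised."""
    mon, alerts = AuthMonitor(**kw), []
    for line in lines:
        ev = parse_line(line)
        if ev and ev["proto"] == "soap":
            alerts.extend(mon.feed(ev))
    return alerts


# Constructed sample events (not real log data): 12 bad passwords for bob from one
# IP within 33s, and 5 successful logins for alice from 5 different IPs within 40s.
def _line(sec, account, ip, ua, error=None):
    ts = datetime(2010, 3, 17, 8, 40, 0) + timedelta(seconds=sec)
    level, tail = ("WARN", f" error={error};") if error else ("INFO", "")
    return (f"{ts:%Y-%m-%d %H:%M:%S},000 {level:<5} "
            f"[btpool0-1://mail.example.com/service/soap/AuthRequest] "
            f"[name={account};oip={ip};ua={ua};] security - cmd=Auth; "
            f"account={account}; protocol=soap;{tail}")


SAMPLE = sorted(
    [_line(i * 3, "bob@example.com", "203.0.113.9", "zclient/5.0.7",
           "authentication failed for bob, invalid password") for i in range(12)]
    + [_line(i * 10, "alice@example.com", f"198.51.100.{i}", "zclient/5.0.7")
       for i in range(5)]
)

if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
```

Run against the constructed sample it raises two alerts: the IP/account failure check for bob (10 of the 12 failures fall inside one 60-second window) and the distinct-IP check for alice, whose logins all succeed and so are invisible to the failure-only checks. Point it at a real audit.log with `analyze(open("/opt/zimbra/log/audit.log"))` after confirming the line layout matches your version, and tune distinct_ips down for a user base that never roams.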