I had this problem too on my Zimbra. They successfully hacked one of my accounts and sent 250.000 spam emails in 1 day. It seems to be a zombie farm of computers that are attacking. I've got more than 1 million of SOAP requests in my server from more than a few 100's of different ips.
You can have some log info on my thread (that was ignored by everyone ). Help... my Zimbra is sending SPAM to the world!!!
It looks like there is a flaw in the Zimbra software and some hackers are taking advantage of it.
Can you confirm that the Zimbra system is 100% secure - without any security flaw that can be found?
On my case, the password was hacked on a keylogger that was installed in a computer that one of our users accessed outside the company...
I'm trying to put a light on an attack pattern by hackers and looking for a counter-measure to avoid it before it happens.
Welcome to the Home of OSSEC and write a custom rule that looks for sustained soap logins within a particular time frame as a possibility. You could even get it to fire a auto-response a block via IP tables; or perhaps less invasive would be to just lock that particular account. That way the user would need to contact you.
Last edited by uxbod; 03-17-2010 at 07:40 AM.
Have a look in /opt/zimbra/log/audit.log for one of the suspect IPs and see what the user agent for the SOAP request was. Look for ua=
We ship a script that may help you track down offending IP's as well as coordinated attacks against specific accounts. Details on how to turn it on are below
Bug 32586 – script to watch for auth failures
That is great Brian but in this instance the spammer had obtained a users password and therefore the soap calls would be valid. According to the RFE it only checks against authentication failuresCode:The script ships with 4 authentication failure checks. - IP/Account hash check which warns on 10 auth failures from an ip/account combo within a 60 second window. - Account check which warns on 15 auth failures from any ip within a 60 second window. Attempts to detect a distributed hijack based attack on a single account. - IP check which warns on 20 auth failures to any account within a 60 second windows. Attempts to detect a single host based attack across multiple accounts. - Total auth failure check which warns on 1000 auth failures from any ip to any account within 60 seconds. The recommended value on this is guestimated at 1% of active accounts for the MBS.
Old thread, sorry for bringing it back to life. Same issue, Account for one domain getting locked out constantly, source is displayed as server IP address as it's a soap call rather than a client. Nothing in access.log corresponds with account name or time when compared to audit.log as there is no successful access.
We're getting this once or twice every day for the same domain and they're getting pissed. as I can't find a source IP we're limited for what we can do to mitigate. Since this thread is 4 years old, I hope this is resolved in v8 but I'm not seeing anything indicating it is.
2014-05-01 07:00:18,645 INFO [qtp34688703-864475:https://10.2.2.2:7071/service/admin/soap/] [firstname.lastname@example.org;ip=10.2.2.2;] security - cmd=Auth; email@example.com; protocol=soap;
Did you find an answer to this? I have not but I came up with a work around... I changed the username (gave the user a new name) on the offended account and then created a new account for the previously used email address. Set that new account (with the old username) to be locked, forward email to the new user account, and not retain any email. So now, the original email address (which was not an administrator) can still receive email, forward to another email address and not retain it. No one can log in to that account since it is locked so I am at least not worried that someone will eventually guess the password. Fear resolved. However, I would still like to know where the attack is coming from and how to block it... in case they start on another account. Zimbra administration is not open to the outside world. I am behind a firewall and everything has to get through that to reach the server anyway. Only have ports 25, 110, and 149 open (smpt, pop3, imap).
There are currently 1 users browsing this thread. (0 members and 1 guests)