Page 2 of 2 (results 11 to 18 of 18)

Thread: Account Lockout: How to find IP address of soap - AuthRequest

#11 wooby (Loyal Member; joined Nov 2009; 87 posts)

    Quote Originally Posted by samgreco:
    Has anyone figured this out yet? Seems someone is robotically attacking my server now. The audit log shows only local IP addresses. The zimbra.log file shows POP3/IMAP/SMTP attempts, but not SOAP.

    At least once a day for the past few days, my admin account gets blocked and I can't seem to figure out where it is coming from.
    Can anyone help on how to get the login IP?

#12 dwidman (New Member; joined Mar 2010; 3 posts)

    I had this problem too on my Zimbra. They successfully hacked one of my accounts and sent 250,000 spam emails in 1 day. It seems to be a zombie farm of computers that are attacking. I've got more than 1 million SOAP requests on my server from more than a few hundred different IPs.

    You can find some log info in my thread (which was ignored by everyone): Help... my Zimbra is sending SPAM to the world!!!

    It looks like there is a flaw in the Zimbra software and some hackers are taking advantage of it.

#13 uxbod (Moderator; UK; joined Nov 2006; 8,016 posts)

    Quote Originally Posted by dwidman:
    It looks like there is a flaw in the Zimbra software and some hackers are taking advantage of it.
    What, for poor passwords?

#14 dwidman (New Member; joined Mar 2010; 3 posts)

    Quote Originally Posted by uxbod:
    What, for poor passwords?
    No need to be ironic (especially if you are a moderator).

    Can you confirm that the Zimbra system is 100% secure, without any security flaw that can be found?

    In my case, the password was captured by a keylogger that was installed on a computer that one of our users accessed outside the company...

    I'm trying to shed light on an attack pattern used by hackers and am looking for a countermeasure to stop it before it happens.

#15 uxbod (Moderator; UK; joined Nov 2006; 8,016 posts)

    Quote Originally Posted by dwidman:
    No need to be ironic (especially if you are a moderator).
    Sensible response IMHO, especially when you have stated it looks like a flaw in Zimbra. Though let's not digress from what is an important subject. You could install OSSEC and write a custom rule that looks for sustained SOAP logins within a particular time frame as a possibility. You could even get it to fire an auto-response, a block via iptables; or, perhaps less invasive, just lock that particular account. That way the user would need to contact you.
    Last edited by uxbod; 03-17-2010 at 07:40 AM.

#16 uxbod (Moderator; UK; joined Nov 2006; 8,016 posts)

    Have a look in /opt/zimbra/log/audit.log for one of the suspect IPs and see what the user agent for the SOAP request was. Look for ua=

#17 brian (Project Contributor; joined Jul 2006; 623 posts)

    We ship a script that may help you track down offending IPs as well as coordinated attacks against specific accounts. Details on how to turn it on are below:

    Bug 32586 – script to watch for auth failures

#18 uxbod (Moderator; UK; joined Nov 2006; 8,016 posts)

    That is great Brian, but in this instance the spammer had obtained a user's password and therefore the SOAP calls would be valid. According to the RFE it only checks against authentication failures:
    Code:
    The script ships with 4 authentication failure checks.
    - IP/Account hash check which warns on 10 auth failures from an ip/account combo within a 60 second window.
    - Account check which warns on 15 auth failures from any ip within a 60 second window. Attempts to detect a distributed hijack based attack on a single account.
    - IP check which warns on 20 auth failures to any account within a 60 second window. Attempts to detect a single host based attack across multiple accounts.
    - Total auth failure check which warns on 1000 auth failures from any ip to any account within 60 seconds. The recommended value on this is guestimated at 1% of active accounts for the MBS.
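
An added example (not the script from bug 32586 and not Zimbra code) that turns the three suggestions in this thread into runnable Python: it pulls the client IP and the ua= field out of audit.log SOAP AuthRequest lines as #16 describes, applies the four failure thresholds quoted from the RFE in #18 as 60-second sliding windows, and adds the success-side check that #15 and #18 ask for (too many distinct client IPs logging into one account with a valid password inside the window, with an assumed threshold of 5). Assumptions: the audit.log layout in LINE_RE is an approximation of the Zimbra 6-era format and must be adjusted to what your server writes; the log lines are constructed for the demo; and the preference for oip= (originating client address behind a proxy) over ip= (the direct peer, a local proxy address when one fronts the mailstore) is an assumption about those fields. The windowed counts are the same thing an OSSEC frequency rule or a cron-driven script would act on, whether by locking the account or blocking the IP.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (approximate, Zimbra 6-era) audit.log layout; adapt to your version:
# <date> <time>,<ms> <LEVEL> [<thread>] [ip=..;oip=..;ua=..;] security - cmd=Auth; account=..; protocol=soap; error=..
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\s+\w+\s+"
    r"\[[^\]]*\]\s+\[(?P<ctx>[^\]]*)\]\s+security - (?P<msg>.*)$")
FAILURE_THRESHOLDS = {  # the four checks quoted from the RFE, per 60 s window
    "ip+account failures": 10,
    "account failures from any ip": 15,
    "ip failures to any account": 20,
    "total failures": 1000,
}

def parse_line(line):
    """Return one SOAP AuthRequest event as a dict, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    kv = lambda s: dict(p.strip().split("=", 1) for p in s.split(";") if "=" in p)
    ctx, msg = kv(m["ctx"]), kv(m["msg"])
    if msg.get("cmd") != "Auth" or msg.get("protocol") != "soap":
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            # assumption: oip= is the originating client, ip= the direct peer
            "ip": ctx.get("oip") or ctx.get("ip", "?"),
            "ua": ctx.get("ua", "?"),
            "account": msg.get("account", "?"),
            "ok": "error" not in msg}

class WindowCounter:
    """Per-key count over a trailing window; add() is True only on the event that
    lifts the key from below the threshold to at/above it (feed in time order)."""
    def __init__(self, threshold, window=timedelta(seconds=60)):
        self.threshold, self.window, self.hits = threshold, window, defaultdict(deque)
    def count(self, q):
        return len(q)
    def add(self, key, ts, item=None):
        q = self.hits[key]
        while q and ts - q[0][0] > self.window:
            q.popleft()  # drop events that fell out of the window
        before = self.count(q)
        q.append((ts, item))
        return before < self.threshold <= self.count(q)

class DistinctItemCounter(WindowCounter):
    """Same window, but counts distinct items (here: client IPs) per key."""
    def count(self, q):
        return len({item for _, item in q})

def analyze(lines, distinct_ip_threshold=5):
    """RFE failure checks plus an added valid-login check for the stolen-password case."""
    fails = {n: WindowCounter(t) for n, t in FAILURE_THRESHOLDS.items()}
    success_ips = DistinctItemCounter(distinct_ip_threshold)
    alerts = []
    for ev in filter(None, map(parse_line, lines)):
        ip, acct, ts = ev["ip"], ev["account"], ev["ts"]
        if ev["ok"]:
            if success_ips.add(acct, ts, item=ip):
                alerts.append(("distinct-ip logins", acct, ev["ua"]))
            continue
        for name, key in (("ip+account failures", (ip, acct)),
                          ("account failures from any ip", acct),
                          ("ip failures to any account", ip),
                          ("total failures", "*")):
            if fails[name].add(key, ts):
                alerts.append((name, key, ev["ua"]))
    return alerts

def auth_sources(lines):
    """The thread's question: which (client IP, user agent) pairs sent SOAP
    AuthRequests for each account, successful or not."""
    src = defaultdict(set)
    for ev in filter(None, map(parse_line, lines)):
        src[ev["account"]].add((ev["ip"], ev["ua"]))
    return dict(src)

def audit_line(ts, client_ip, ua, account, error=None):
    """Build one constructed audit.log line in the assumed layout (not real data)."""
    return (f"{ts:%Y-%m-%d %H:%M:%S},000 {'WARN' if error else 'INFO'}  "
            f"[btpool0-1://mail.example.com/service/soap/AuthRequest] "
            f"[ip=10.0.0.5;oip={client_ip};ua={ua};] security - cmd=Auth; "
            f"account={account}; protocol=soap;" + (f" error={error};" if error else ""))

def sample_log():
    """Constructed sample: a password-guessing burst and a hijacked account."""
    t0 = datetime(2010, 3, 17, 7, 40, 0)
    bad = "authentication failed for [admin@example.com], invalid password"
    # 12 failures from one host in 22 s: trips ip+account (10), not account (15)
    lines = [audit_line(t0 + timedelta(seconds=2 * i), "203.0.113.7",
                        "zclient/6.0.5_GA_2213", "admin@example.com", bad)
             for i in range(12)]
    # 6 valid logins from 6 hosts in 50 s: nothing fails, only the distinct-IP check fires
    lines += [audit_line(t0 + timedelta(seconds=10 * i), f"198.51.100.{i + 1}",
                         "unknown-soap-client/1.0", "user@example.com")
              for i in range(6)]
    return lines

if __name__ == "__main__":
    print(*analyze(sample_log()), sep="\n")
```

Run against a real audit.log with `analyze(open("/opt/zimbra/log/audit.log").read().splitlines())` once LINE_RE matches your lines; `auth_sources()` gives the per-account IP and user-agent list that #16 asks you to look up by hand.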
