Hello friends,
I have a Zimbra mail server, Release 6.0.3_GA_1915.UBUNTU8 UBUNTU8 FOSS edition.
A couple of days ago, our server went nuts and started to send SPAM to the world. After looking at the log files, I found that the spammers are using one of our users' accounts. We immediately blocked the account and the SPAM stopped. But I can see in the logs that the spammers are still trying to send SPAM, and I would like to close the door.
Here is what I found on the /var/log/zimbra.log file:
Code:
Mar 12 00:11:49 mail postfix/smtpd[32610]: warning: unknown[201.240.141.141]: SASL LOGIN authentication failed: authentication failure
Mar 12 00:11:49 mail saslauthd[32511]: zmauth: authenticating against elected url 'https://mail.icla.com.br:7071/service/admin/soap/' ...
Mar 12 00:11:49 mail saslauthd[32511]: zmpost: url='https://mail.icla.com.br:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for samuel.goncalves@icla.com.br</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>btpool0-0:https://127.0.1.1:7071/service/admin/soap/:1268363509908:102d015cbfeae78d</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
Mar 12 00:11:49 mail saslauthd[32511]: auth_zimbra: samuel.goncalves@icla.com.br auth failed: authentication failed for samuel.goncalves@icla.com.br
Mar 12 00:11:49 mail saslauthd[32511]: do_auth : auth failure: [user=samuel.goncalves@icla.com.br] [service=smtp] [realm=icla.com.br] [mech=zimbra] [reason=Unknown]
Mar 12 00:11:49 mail postfix/smtpd[32588]: warning: unknown[186.81.49.144]: SASL LOGIN authentication failed: authentication failure
Mar 12 00:11:50 mail postfix/smtpd[32588]: disconnect from unknown[186.81.49.144]
Mar 12 00:11:50 mail postfix/smtpd[3246]: connect from 14.85-85-248.dynamic.clientes.euskaltel.es[85.85.248.14]
Mar 12 00:11:50 mail postfix/smtpd[11465]: connect from 201-26-84-32.dsl.telesp.net.br[201.26.84.32]
Mar 12 00:11:50 mail saslauthd[32516]: zmauth: authenticating against elected url 'https://mail.icla.com.br:7071/service/admin/soap/' ...
Mar 12 00:11:51 mail saslauthd[32516]: zmpost: url='https://mail.icla.com.br:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for samuel.goncalves@icla.com.br</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>btpool0-0:https://127.0.1.1:7071/service/admin/soap/:1268363511030:102d015cbfeae78d</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
Mar 12 00:11:51 mail saslauthd[32516]: auth_zimbra: samuel.goncalves@icla.com.br auth failed: authentication failed for samuel.goncalves@icla.com.br
Mar 12 00:11:51 mail saslauthd[32516]: do_auth : auth failure: [user=samuel.goncalves@icla.com.br] [service=smtp] [realm=icla.com.br] [mech=zimbra] [reason=Unknown]
Mar 12 00:11:51 mail postfix/smtpd[11465]: warning: 201-26-84-32.dsl.telesp.net.br[201.26.84.32]: SASL LOGIN authentication failed: authentication failure
Mar 12 00:11:51 mail saslauthd[32511]: zmauth: authenticating against elected url 'https://mail.icla.com.br:7071/service/admin/soap/' ...
Mar 12 00:11:51 mail saslauthd[32511]: zmpost: url='https://mail.icla.com.br:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for samuel.goncalves@icla.com.br</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>btpool0-3:https://127.0.1.1:7071/service/admin/soap/:1268363511358:102d015cbfeae78d</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
Mar 12 00:11:51 mail saslauthd[32511]: auth_zimbra: samuel.goncalves@icla.com.br auth failed: authentication failed for samuel.goncalves@icla.com.br
So as I understand, the spammer/hacker is using a SOAP backdoor through the admin pages. By the way, port 7071 is closed to outside access on our firewall.
Now this is what I have on the /opt/zimbra/log/audit.log
Code:
2010-03-11 21:52:13,104 WARN [btpool0-77:https://127.0.1.1:7071/service/admin/soap/] [name=samuel.goncalves@icla.com.br;ip=127.0.1.1;] security - cmd=Auth; account=samuel.goncalves@icla.com.br; protocol=soap; error=authentication failed for samuel.goncalves@icla.com.br, account(or domain) status is locked;
2010-03-11 21:52:13,315 WARN [btpool0-65:https://127.0.1.1:7071/service/admin/soap/] [name=samuel.goncalves@icla.com.br;ip=127.0.1.1;] security - cmd=Auth; account=samuel.goncalves@icla.com.br; protocol=soap; error=authentication failed for samuel.goncalves@icla.com.br, account(or domain) status is locked;
2010-03-11 21:52:16,009 WARN [btpool0-77:https://127.0.1.1:7071/service/admin/soap/] [name=samuel.goncalves@icla.com.br;ip=127.0.1.1;] security - cmd=Auth; account=samuel.goncalves@icla.com.br; protocol=soap; error=authentication failed for samuel.goncalves@icla.com.br, account(or domain) status is locked;
2010-03-11 21:52:16,275 WARN [btpool0-77:https://127.0.1.1:7071/service/admin/soap/] [name=samuel.goncalves@icla.com.br;ip=127.0.1.1;] security - cmd=Auth; account=samuel.goncalves@icla.com.br; protocol=soap; error=authentication failed for samuel.goncalves@icla.com.br, account(or domain) status is locked;
2010-03-11 21:52:19,632 WARN [btpool0-77:https://127.0.1.1:7071/service/admin/soap/] [name=samuel.goncalves@icla.com.br;ip=127.0.1.1;] security - cmd=Auth; account=samuel.goncalves@icla.com.br; protocol=soap; error=authentication failed for samuel.goncalves@icla.com.br, account(or domain) status is locked;
2010-03-11 21:52:19,954 WARN [btpool0-65:https://127.0.1.1:7071/service/admin/soap/] [name=samuel.goncalves@icla.com.br;ip=127.0.1.1;] security - cmd=Auth; account=samuel.goncalves@icla.com.br; protocol=soap; error=authentication failed for samuel.goncalves@icla.com.br, account(or domain) status is locked;
2010-03-11 21:52:34,233 WARN [btpool0-65:https://127.0.1.1:7071/service/admin/soap/] [name=samuel.goncalves@icla.com.br;ip=127.0.1.1;] security - cmd=Auth; account=samuel.goncalves@icla.com.br; protocol=soap; error=authentication failed for samuel.goncalves@icla.com.br, account(or domain) status is locked;
2010-03-11 21:52:34,398 WARN [btpool0-65:https://127.0.1.1:7071/service/admin/soap/] [name=samuel.goncalves@icla.com.br;ip=127.0.1.1;] security - cmd=Auth; account=samuel.goncalves@icla.com.br; protocol=soap; error=authentication failed for samuel.goncalves@icla.com.br, account(or domain) status is locked;
2010-03-11 21:52:36,806 WARN [btpool0-65:https://127.0.1.1:7071/service/admin/soap/] [name=samuel.goncalves@icla.com.br;ip=127.0.1.1;] security - cmd=Auth; account=samuel.goncalves@icla.com.br; protocol=soap; error=authentication failed for samuel.goncalves@icla.com.br, account(or domain) status is locked;
2010-03-11 21:52:40,781 WARN [btpool0-65:https://127.0.1.1:7071/service/admin/soap/] [name=samuel.goncalves@icla.com.br;ip=127.0.1.1;] security - cmd=Auth; account=samuel.goncalves@icla.com.br; protocol=soap; error=authentication failed for samuel.goncalves@icla.com.br, account(or domain) status is locked;
2010-03-11 21:52:42,816 WARN [btpool0-65:https://127.0.1.1:7071/service/admin/soap/] [name=samuel.goncalves@icla.com.br;ip=127.0.1.1;] security - cmd=Auth; account=samuel.goncalves@icla.com.br; protocol=soap; error=authentication failed for samuel.goncalves@icla.com.br, account(or domain) status is locked;
2010-03-11 21:52:43,744 WARN [btpool0-65:https://127.0.1.1:7071/service/admin/soap/] [name=samuel.goncalves@icla.com.br;ip=127.0.1.1;] security - cmd=Auth; account=samuel.goncalves@icla.com.br; protocol=soap; error=authentication failed for samuel.goncalves@icla.com.br, account(or domain) status is locked;
This is after I locked the account.
And this is what I have on the /opt/zimbra/log/mailbox.log
Code:
2010-03-12 00:03:43,914 INFO [btpool0-3:https://127.0.1.1:7071/service/admin/soap/] [ip=127.0.1.1;] soap - AuthRequest
2010-03-12 00:03:43,983 INFO [btpool0-2:https://127.0.1.1:7071/service/admin/soap/] [ip=127.0.1.1;] soap - AuthRequest
2010-03-12 00:03:44,107 INFO [btpool0-3:https://127.0.1.1:7071/service/admin/soap/] [ip=127.0.1.1;] SoapEngine - handler exception: authentication failed for samuel.goncalves@icla.com.br, account not found
2010-03-12 00:03:44,163 INFO [btpool0-2:https://127.0.1.1:7071/service/admin/soap/] [ip=127.0.1.1;] SoapEngine - handler exception: authentication failed for samuel.goncalves@icla.com.br, account not found
2010-03-12 00:03:44,371 INFO [btpool0-2:https://127.0.1.1:7071/service/admin/soap/] [ip=127.0.1.1;] soap - AuthRequest
2010-03-12 00:03:44,421 INFO [btpool0-2:https://127.0.1.1:7071/service/admin/soap/] [ip=127.0.1.1;] SoapEngine - handler exception: authentication failed for samuel.goncalves@icla.com.br, account not found
2010-03-12 00:03:44,627 INFO [btpool0-2:https://127.0.1.1:7071/service/admin/soap/] [ip=127.0.1.1;] soap - AuthRequest
2010-03-12 00:03:44,710 INFO [btpool0-2:https://127.0.1.1:7071/service/admin/soap/] [ip=127.0.1.1;] SoapEngine - handler exception: authentication failed for samuel.goncalves@icla.com.br, account not found
2010-03-12 00:03:45,124 INFO [btpool0-3:https://127.0.1.1:7071/service/admin/soap/] [ip=127.0.1.1;] soap - AuthRequest
2010-03-12 00:03:45,212 INFO [btpool0-3:https://127.0.1.1:7071/service/admin/soap/] [ip=127.0.1.1;] SoapEngine - handler exception: authentication failed for samuel.goncalves@icla.com.br, account not found
2010-03-12 00:03:45,216 WARN [btpool0-2] [] log - SSL renegotiate denied: java.nio.channels.SocketChannel[connected local=/127.0.1.1:7071 remote=/127.0.1.1:53493]
2010-03-12 00:03:46,212 INFO [btpool0-3:https://127.0.1.1:7071/service/admin/soap/] [ip=127.0.1.1;] soap - AuthRequest
2010-03-12 00:03:46,253 INFO [btpool0-3:https://127.0.1.1:7071/service/admin/soap/] [ip=127.0.1.1;] SoapEngine - handler exception: authentication failed for samuel.goncalves@icla.com.br, account not found
2010-03-12 00:03:48,532 INFO [btpool0-2:https://127.0.1.1:7071/service/admin/soap/] [ip=127.0.1.1;] soap - AuthRequest
2010-03-12 00:03:48,656 INFO [btpool0-2:https://127.0.1.1:7071/service/admin/soap/] [ip=127.0.1.1;] SoapEngine - handler exception: authentication failed for samuel.goncalves@icla.com.br, account not found
2010-03-12 00:03:49,341 INFO [btpool0-2:https://127.0.1.1:7071/service/admin/soap/] [ip=127.0.1.1;] soap - AuthRequest
2010-03-12 00:03:49,443 INFO [btpool0-2:https://127.0.1.1:7071/service/admin/soap/] [ip=127.0.1.1;] SoapEngine - handler exception: authentication failed for samuel.goncalves@icla.com.br, account not found
2010-03-12 00:03:49,706 INFO [btpool0-2:https://127.0.1.1:7071/service/admin/soap/] [ip=127.0.1.1;] soap - AuthRequest
I renamed the account...
It looks like the attack is coming from port 127.0.1.1???? Is my Linux hacked? Perhaps a rootkit? I ran the rootkit tests and nothing was wrong.
So this is what I'm trying to do, and I just don't have the knowledge to do this, so that's why I need your help:
1) The email that is being sent has a sender name of a different domain. So how can I set Zimbra/Postfix to only send mail with the "FROM:" tag from my own domain and not accept other domains like "hotmail.com", etc., which is what is happening?
2) How can I stop these attacks??? I don't want to spend valuable bandwidth and CPU just denying a silly attack from spammers every 1 second.
3) Any other ideas/suggestions to make my Zimbra safer are welcome.
Thanks,
David
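A triage script for the zimbra.log excerpt above, added here as an example and not part of the original post or of Zimbra itself. It makes the point the three logs illustrate together: Zimbra's saslauthd (the `zmauth: authenticating against elected url ...` lines) forwards every SMTP AUTH attempt to the local admin SOAP service, so audit.log and mailbox.log only ever record the loopback address 127.0.1.1, while the real client address appears solely on the `postfix/smtpd ... SASL LOGIN authentication failed` warning. The script keys on that warning to count failures per remote IP, counts which accounts are being guessed from the `saslauthd ... do_auth : auth failure` lines, and renders the busiest sources as a Postfix access(5) table. The sample log, the threshold of 3, and the addresses in 192.0.2.0/24 and 198.51.100.0/24 are constructed for the example; on Zimbra the Postfix configuration is generated from Zimbra's own settings, so the rendered table is input for that mechanism, not for a hand edit of main.cf.

```python
"""Triage SMTP AUTH brute-force attempts in a Zimbra/Postfix zimbra.log.

Added example, not Zimbra code. Assumptions: the log line formats below,
a constructed sample log, and a failure threshold chosen for illustration.
"""
import re
from collections import Counter

# postfix/smtpd warning: the only line that carries the remote client address.
SMTPD_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: (?P<host>\S+)\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]: "
    r"SASL (?P<mech>\S+) authentication failed"
)
# saslauthd line naming the account that was tried; it has no client IP,
# which is why the loopback address shows up downstream in audit.log.
SASLAUTHD_FAIL_RE = re.compile(
    r"saslauthd\[\d+\]: do_auth : auth failure: \[user=(?P<user>[^\]]+)\]"
)

# Constructed sample modelled on the post's zimbra.log excerpt (placeholder
# addresses from the documentation ranges, placeholder domain example.com).
SAMPLE_LOG = """\
Mar 12 00:11:49 mail postfix/smtpd[32610]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Mar 12 00:11:49 mail saslauthd[32511]: zmauth: authenticating against elected url 'https://mail.example.com:7071/service/admin/soap/' ...
Mar 12 00:11:49 mail saslauthd[32511]: do_auth : auth failure: [user=victim@example.com] [service=smtp] [realm=example.com] [mech=zimbra] [reason=Unknown]
Mar 12 00:11:49 mail postfix/smtpd[32588]: warning: unknown[192.0.2.11]: SASL LOGIN authentication failed: authentication failure
Mar 12 00:11:50 mail postfix/smtpd[32588]: disconnect from unknown[192.0.2.11]
Mar 12 00:11:50 mail postfix/smtpd[3246]: connect from host.example.net[198.51.100.5]
Mar 12 00:11:51 mail postfix/smtpd[32610]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Mar 12 00:11:52 mail postfix/smtpd[32610]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Mar 12 00:11:53 mail saslauthd[32516]: do_auth : auth failure: [user=victim@example.com] [service=smtp] [realm=example.com] [mech=zimbra] [reason=Unknown]
Mar 12 00:11:54 mail postfix/smtpd[3246]: warning: host.example.net[198.51.100.5]: SASL PLAIN authentication failed: authentication failure
Mar 12 00:11:55 mail saslauthd[32516]: do_auth : auth failure: [user=other@example.com] [service=smtp] [realm=example.com] [mech=zimbra] [reason=Unknown]
"""


def failures_per_ip(lines):
    """Count failed SMTP AUTHs by remote client address."""
    counts = Counter()
    for line in lines:
        m = SMTPD_FAIL_RE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def targeted_users(lines):
    """Count failed SMTP AUTHs by the account name that was tried."""
    counts = Counter()
    for line in lines:
        m = SASLAUTHD_FAIL_RE.search(line)
        if m:
            counts[m.group("user")] += 1
    return counts


def offending_ips(lines, threshold):
    """Client addresses with at least `threshold` failures, busiest first."""
    return [ip for ip, n in failures_per_ip(lines).most_common() if n >= threshold]


def render_access_map(ips):
    """Postfix access(5) table lines rejecting the given clients."""
    return [f"{ip}\tREJECT too many failed SMTP AUTH attempts" for ip in ips]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("failures per client IP:", dict(failures_per_ip(lines)))
    print("accounts being guessed:", dict(targeted_users(lines)))
    for entry in render_access_map(offending_ips(lines, threshold=3)):
        print(entry)
```

Run against the real file with `python3 triage.py < /var/log/zimbra.log` after swapping `SAMPLE_LOG.splitlines()` for `sys.stdin`; the per-IP counter is what a fail2ban-style jail would act on, and the per-user counter tells you which mailbox is the target even after it has been locked or renamed, since the guesses keep arriving regardless.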