#1
09-15-2010, 08:34 AM
Loyal Member
Posts: 83
More a hacker/security question than a Zimbra issue

I have had someone trying to gain access to two accounts on my server. One is my email address for my business, the other is the account I use to administer the Zimbra server 6.0.5. The second account is used ONLY to admin, nothing else. This has been emanating mainly from China. I have OSSEC, but I also block the entire class A subnet in iptables. They turned up on another class A subnet and I block that, and so it goes. No other account out of hundreds on this server is ever attacked.

I resorted to changing the mailbox part of the admin account name to obscure letters and numbers since I don't use it for email. This hacker is monitoring me somehow because they immediately attack the new email address. They also are now attacking these two accounts from other countries (probably through computers they have gained access to).

How are they doing this? Some sort of sniffer program? I'm no security expert, so I was looking for advice on how to protect my Zimbra server from these persistent (over 6 months) attacks targeted against me specifically. And now I suspect they are monitoring traffic between my IP and the server's IP. Should I access the admin web console strictly locally using the localhost address? I have physical access to the server.
#2
09-16-2010, 09:36 AM
Moderator
Posts: 1,209

Sounds like the workstation from which you are administering Zimbra and/or the network from which you are administering Zimbra may be compromised.

If it were me, I'd go get a Live CD of OpenSuSE or Ubuntu, go somewhere else and change the admin account name from there and see what happens.

Have you scanned for rootkits on your Zimbra server?

We went to Next Hope in NYC and DefCon in Vegas this year, and the malware has gotten so sophisticated it's pretty astounding...

Hope that helps get you started,
Mark
__________________
___________________________________
L. Mark Stone, CIO


"Uptime. All the time."

477 Congress Street | Portland, ME 04101-3431 | (207) 772-5678

proactive maintenance and monitoring | technology consulting
Zimbra groupware | EMR implementations | private cloud hosting
#3
09-17-2010, 07:28 AM
Active Member
Posts: 29

Here are a couple of rootkit checkers I use often:

rkhunter
Code:
sudo aptitude install rkhunter
sudo rkhunter --update
sudo rkhunter -c -sk
chkrootkit
Code:
sudo apt-get install chkrootkit
sudo chkrootkit
#4
09-17-2010, 08:00 AM
Moderator
Posts: 1,209

All good, we also like SECCHECK because it shows what's changing on the system.

So, have you tried changing the admin account from a Live distro off of your network yet? If no new hacking attempt is observed then you know the Zimbra server is likely OK.

You can then try changing the admin account from your PC but off of your network as well. If this change results in a new hacking attempt, then you know your PC is compromised.

Keep us posted!

Good luck,
Mark
#5
09-21-2010, 11:43 PM
Junior Member
Posts: 7

Seems like I have the same issue here.
Last week one of my user accounts' password suddenly changed.
I only allow connection to port 7071 from a few IP addresses.

Since today my admin account seems compromised.
I've tried changing the admin password with the command:

su - zimbra
zmprov sp <admin email address> <new password>

Unfortunately this didn't enable me to log in to the system again under admin privileges.
(The login doesn't pass the verification process)
I'm now trying to do a Zimbra upgrade, assuming the web interface of Zimbra has been compromised. Hope this helps.

It doesn't seem like the server itself is hacked though since my root account seems fine and no rootkits can be found by the above rootkit detection applications.
#6
09-21-2010, 11:53 PM
Junior Member
Posts: 7

After a reinstall of Zimbra I was able to reset my admin and own account's password.
Installed tripwire directly; any other recommended tools for this?
#7
09-22-2010, 03:22 AM
Active Member
Posts: 29

Quote:
Originally Posted by genotix
After a reinstall of Zimbra I was able to reset my admin and own account's password.
Installed tripwire directly; any other recommended tools for this?
No tools other than mentioned already and keeping all the unnecessary services off and I run ssh on a different port (not 22).
#8
09-22-2010, 03:37 AM
Junior Member
Posts: 7

Yeah, well from the internet only port 25 and 80 are open actually.
I've blocked direct root login, and only allowed access to port 22 and 7071 from a handful of IP addresses.

Somehow someone still got access to the admin console and disabled my account.
Looking at the 'damage done' there was no root access.

Given the setup, this is a pretty tough job, so I'm kind of suspecting a Zimbra leak actually.
#9
09-22-2010, 03:45 AM
Zimbra Consultant & Moderator
Posts: 20,313

Quote:
Originally Posted by genotix
Given the setup, this is a pretty tough job, so I'm kind of suspecting a Zimbra leak actually.
What sort of 'Zimbra leak' do you think it might be? You've restricted the Admin UI to a few addresses, have you also enforced strong passwords on that account, have you checked the log files to see when the account was accessed and does it agree with when an admin was on the server (I also assume that there's limited access to that account)? How do you know this wasn't access via port 22 and a cli change to disable the account? Do you have a strong password set-up for that access as well? Do you have any internal monitoring for unauthorised access or changes to your systems? Have you also scanned your LAN for rootkits/viruses/bots etc.?

Why do you have port 80 forwarded to the Zimbra server, is it for web ui access? That's also not a good idea as the password will go in the clear during a login attempt. You really should have external users use https for their web ui access.
__________________
Regards


Bill
#10
09-22-2010, 04:03 AM
Junior Member
Posts: 7

I went through /opt/zimbra/log/audit.log and found the following:
Quote:
2010-09-22 05:50:07,379 INFO [btpool0-839://localhost:7071/service/admin/soap/AuthRequest] [name=zimbra;ip=127.0.0.1;] security - cmd=AdminAuth; account=zimbra;
2010-09-22 05:50:07,423 INFO [btpool0-839://localhost:7071/service/admin/soap/AuthRequest] [name=zimbra;ip=127.0.0.1;] security - cmd=Auth; account=zimbra; protocol=soap;
2010-09-22 05:58:16,635 INFO [ImapServer-8364] [ip=62.223.9.236;] security - cmd=Auth; account=[my@email.address]; protocol=imap;
2010-09-22 05:58:20,598 INFO [btpool0-839://mail.[myserver.ext]/dav/[my@email.address]/] [ip=62.223.9.236;ua=DAVKit/5.0 (752);; iCalendar/1 (42.1);; iPhone/3.2.2 7B500;] security - cmd=Auth; account=[my@email.address]; protocol=http_basic;
2010-09-22 06:00:08,006 INFO [btpool0-839://localhost:7071/service/admin/soap/AuthRequest] [name=zimbra;ip=127.0.0.1;] security - cmd=AdminAuth; account=zimbra;
2010-09-22 06:00:08,050 INFO [btpool0-839://localhost:7071/service/admin/soap/AuthRequest] [name=zimbra;ip=127.0.0.1;] security - cmd=Auth; account=zimbra; protocol=soap;
2010-09-22 06:09:15,875 WARN [ImapServer-8367] [ip=203.124.16.150;] security - cmd=Auth; account=[my@email.address]; protocol=imap; error=authentication failed for admin, invalid password;
2010-09-22 06:09:15,891 WARN [ImapServer-8366] [ip=203.124.16.150;] security - cmd=Auth; account=[my@email.address]; protocol=imap; error=authentication failed for root, invalid password;
2010-09-22 06:09:17,793 WARN [ImapServer-8366] [ip=203.124.16.150;] security - cmd=Auth; account=[my@email.address]; protocol=imap; error=authentication failed for admin, invalid password;
2010-09-22 06:09:18,006 WARN [ImapServer-8368] [ip=203.124.16.150;] security - cmd=Auth; account=[my@email.address]; protocol=imap; error=authentication failed for root, invalid password;
2010-09-22 06:09:20,770 WARN [ImapServer-8368] [ip=203.124.16.150;] security - cmd=Auth; account=[my@email.address]; protocol=imap; error=authentication failed for admin, invalid password;
2010-09-22 06:09:20,876 WARN [ImapServer-8367] [ip=203.124.16.150;] security - cmd=Auth; account=[my@email.address]; protocol=imap; error=authentication failed for root, invalid password;
2010-09-22 06:09:26,323 WARN [ImapServer-8366] [ip=203.124.16.150;] security - cmd=Auth; account=[my@email.address]; protocol=imap; error=authentication failed for admin, invalid password;
2010-09-22 06:09:26,524 WARN [ImapServer-8368] [ip=203.124.16.150;] security - cmd=Auth; account=[my@email.address]; protocol=imap; error=authentication failed for root, invalid password;
2010-09-22 06:09:29,211 WARN [ImapServer-8367] [ip=203.124.16.150;] security - cmd=Auth; account=[my@email.address]; protocol=imap; error=authentication failed for admin, invalid password;
2010-09-22 06:09:29,230 WARN [ImapServer-8368] [ip=203.124.16.150;] security - cmd=Auth; account=[my@email.address]; protocol=imap; error=authentication failed for root, invalid password;
2010-09-22 06:09:31,928 INFO [ImapServer-8368] [ip=203.124.16.150;] security - cmd=Auth; account=[my@email.address]; error=account lockout due to too many failed logins;
2010-09-22 06:09:32,018 WARN [ImapServer-8368] [ip=203.124.16.150;] security - cmd=Auth; account=[my@email.address]; protocol=imap; error=authentication failed for admin, invalid password;
2010-09-22 06:09:32,119 WARN [ImapServer-8366] [ip=203.124.16.150;] security - cmd=Auth; account=[my@email.address]; protocol=imap; error=authentication failed for root, account lockout;
2010-09-22 06:09:34,907 WARN [ImapServer-8366] [ip=203.124.16.150;] security - cmd=Auth; account=[my@email.address]; protocol=imap; error=authentication failed for admin, account lockout;
2010-09-22 06:09:35,092 WARN [ImapServer-8367] [ip=203.124.16.150;] security - cmd=Auth; account=[my@email.address]; protocol=imap; error=authentication failed for root, account lockout;
...
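The audit.log excerpt above already contains what Bill asked for in #9: the source IP, protocol and outcome of every authentication, plus the lockout event. The script below is an added example (not part of the thread, not Zimbra's own tooling) that parses lines in that layout and reports brute-force sources, locked accounts and admin-console logins. The sample lines are constructed to follow the quoted format; the addresses (192.0.2.20, 198.51.100.7) and user@example.com are documentation placeholders, not values from the thread.

```python
"""Parse Zimbra audit.log lines and flag brute-force sources, account
lockouts and admin-console (AdminAuth) logins with their source address.
Added example; SAMPLE_LOG is constructed to follow the layout quoted in
the thread and uses documentation addresses, not real hosts."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# timestamp, level, [thread], [context], "security - ", then "key=value;" pairs
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ (?P<level>\w+) "
    r"\[(?P<thread>[^\]]*)\] \[(?P<ctx>[^\]]*)\] security - (?P<fields>.*)$"
)

# Constructed sample: one local admin-console login, one legitimate IMAP/DAV user,
# then a burst of failed IMAP logins from a single address ending in a lockout.
SAMPLE_LOG = """\
2010-09-22 05:50:07,379 INFO [btpool0-839://localhost:7071/service/admin/soap/AuthRequest] [name=zimbra;ip=127.0.0.1;] security - cmd=AdminAuth; account=zimbra;
2010-09-22 05:58:16,635 INFO [ImapServer-8364] [ip=192.0.2.20;] security - cmd=Auth; account=user@example.com; protocol=imap;
2010-09-22 05:58:20,598 INFO [btpool0-839://mail.example.com/dav/user@example.com/] [ip=192.0.2.20;ua=DAVKit/5.0 (752);; iPhone/3.2.2 7B500;] security - cmd=Auth; account=user@example.com; protocol=http_basic;
2010-09-22 06:09:15,875 WARN [ImapServer-8367] [ip=198.51.100.7;] security - cmd=Auth; account=user@example.com; protocol=imap; error=authentication failed for admin, invalid password;
2010-09-22 06:09:15,891 WARN [ImapServer-8366] [ip=198.51.100.7;] security - cmd=Auth; account=user@example.com; protocol=imap; error=authentication failed for root, invalid password;
2010-09-22 06:09:17,793 WARN [ImapServer-8366] [ip=198.51.100.7;] security - cmd=Auth; account=user@example.com; protocol=imap; error=authentication failed for admin, invalid password;
2010-09-22 06:09:18,006 WARN [ImapServer-8368] [ip=198.51.100.7;] security - cmd=Auth; account=user@example.com; protocol=imap; error=authentication failed for root, invalid password;
2010-09-22 06:09:20,770 WARN [ImapServer-8368] [ip=198.51.100.7;] security - cmd=Auth; account=user@example.com; protocol=imap; error=authentication failed for admin, invalid password;
2010-09-22 06:09:20,876 WARN [ImapServer-8367] [ip=198.51.100.7;] security - cmd=Auth; account=user@example.com; protocol=imap; error=authentication failed for root, invalid password;
2010-09-22 06:09:31,928 INFO [ImapServer-8368] [ip=198.51.100.7;] security - cmd=Auth; account=user@example.com; error=account lockout due to too many failed logins;
2010-09-22 06:09:32,018 WARN [ImapServer-8368] [ip=198.51.100.7;] security - cmd=Auth; account=user@example.com; protocol=imap; error=authentication failed for admin, account lockout;
2010-09-22 06:09:34,907 WARN [ImapServer-8366] [ip=198.51.100.7;] security - cmd=Auth; account=user@example.com; protocol=imap; error=authentication failed for root, account lockout;
"""


def parse_audit_line(line):
    """Return a dict (ts, level, thread, ip, cmd, account, protocol, error...)
    for one audit.log line, or None when the line is not in that layout."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
           "level": m.group("level"), "thread": m.group("thread"), "ip": None}
    # The context block may carry name=, ip= and a ua= that itself contains ';;'.
    ip = re.search(r"(?:^|;)ip=([^;]+)", m.group("ctx"))
    if ip:
        rec["ip"] = ip.group(1)
    # "cmd=Auth; account=x; protocol=imap; error=...;" -> split on ';', then on the first '='
    for part in m.group("fields").split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            rec[key] = value.strip()
    return rec


def max_in_window(times, window):
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(lines, window=timedelta(minutes=5), threshold=5):
    """Summarise failed logins per source IP, locked accounts and admin-console logins.
    An IP is 'suspicious' when it produced >= threshold failures within `window`."""
    failures = defaultdict(list)   # ip -> timestamps of failed authentications
    lockouts = set()
    admin_logins = []              # (ts, account, ip) for successful AdminAuth
    for rec in filter(None, map(parse_audit_line, lines)):
        err = rec.get("error", "")
        if rec.get("cmd") == "AdminAuth" and not err:
            admin_logins.append((rec["ts"], rec.get("account"), rec["ip"]))
        if "lockout" in err:
            lockouts.add(rec.get("account"))
        if err.startswith("authentication failed"):
            failures[rec["ip"]].append(rec["ts"])
    suspicious = {ip: len(ts) for ip, ts in failures.items()
                  if max_in_window(ts, window) >= threshold}
    return {"suspicious": suspicious, "lockouts": lockouts, "admin_logins": admin_logins}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    for ip, n in report["suspicious"].items():
        print(f"brute-force source {ip}: {n} failed logins")
    print("locked accounts:", sorted(report["lockouts"]))
    for ts, account, ip in report["admin_logins"]:
        print(f"admin console login {ts} account={account} from {ip}")
```

Run it against the real file with `analyze(open("/opt/zimbra/log/audit.log"))` (as the zimbra user). The admin_logins list is the check Bill suggests: each AdminAuth entry should line up with a time an administrator was actually on the console, and an AdminAuth from an address other than your own workstation or 127.0.0.1 is the thing to chase first. Note that the lockout in the sample log protects the targeted account but also means a remote party can lock you out of it at will, which is worth keeping in mind when an admin account is the target.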