Page 1 of 2 (results 1 to 10 of 14)

Thread: More a hacker/security question than a Zimbra issue

  1. #1 rusty (Loyal Member, joined Nov 2007):

    I have had someone trying to gain access to two accounts on my server. One is my email address for my business, the other is the account I use to administer the Zimbra server 6.0.5. The second account is used ONLY to admin, nothing else. This has been emanating mainly from China. I have OSSEC, but I also block the entire class A subnet in iptables. They turned up on another class A subnet and I block that, and so it goes. No other account out of hundreds on this server is ever attacked.

    I resorted to changing the mailbox part of the admin account name to obscure letters and numbers since I don't use it for email. This hacker is monitoring me somehow because they immediately attack the new email address. They also are now attacking these two accounts from other countries (probably through computers they have gained access to).

    How are they doing this? Some sort of sniffer program? I'm no security expert, so I was looking for advice on how to protect my Zimbra server from these persistent (over 6 months) attacks targeted against me specifically. And now I suspect they are monitoring traffic between my IP and the server's IP. Should I access the admin web console strictly locally using the localhost address? I have physical access to the server.

  2. #2 LMStone (Moderator, joined Sep 2006, Portland, ME):

    Sounds like the workstation from which you are administering Zimbra and/or the network from which you are administering Zimbra may be compromised.

    If it were me, I'd go get a Live CD of OpenSuSE or Ubuntu, go somewhere else and change the admin account name from there and see what happens.

    Have you scanned for rootkits on your Zimbra server?

    We went to Next Hope in NYC and DefCon in Vegas this year, and the malware has gotten so sophisticated it's pretty astounding...

    Hope that helps get you started,
    Mark

  3. #3 n4bbq (Senior Member, joined Oct 2008, Dahlonega, GA):

    Here are a couple of rootkit checkers I use often.

    rkhunter
    Code:
    sudo aptitude install rkhunter
    sudo rkhunter --update        # refresh rkhunter's data files before scanning
    sudo rkhunter -c --sk         # run all checks, skip the "press enter" pauses between test groups
    chkrootkit
    Code:
    sudo apt-get install chkrootkit
    sudo chkrootkit               # checks system binaries and known rootkit traces

  4. #4 LMStone (Moderator):

    All good, we also like SECCHECK because it shows what's changing on the system.

    So, have you tried changing the admin account from a Live distro off of your network yet? If no new hacking attempt is observed then you know the Zimbra server is likely OK.

    You can then try changing the admin account from your PC but off of your network as well. If this change results in a new hacking attempt, then you know your PC is compromised.

    Keep us posted!

    Good luck,
    Mark

  5. #5 genotix (Junior Member, joined Sep 2007):

    Seems like I have the same issue here.
    Last week one of my user accounts' password suddenly changed.
    I only allow connections to port 7071 from a few IP addresses.

    Since today my admin account seems compromised.
    I've tried changing the admin password with the command:
    Code:
    su - zimbra
    zmprov sp <admin email address> <new password>

    Unfortunately this didn't enable me to log in to the system again with admin privileges.
    (The login doesn't pass the verification process.)
    I'm now trying to do a Zimbra upgrade, assuming the web interface of Zimbra has been compromised. Hope this helps.

    It doesn't seem like the server itself is hacked, though, since my root account seems fine and no rootkits can be found by the above rootkit detection applications.

  6. #6 genotix (Junior Member):

    After reinstalling Zimbra I was able to reset my admin and own account's passwords.
    Installed tripwire directly; any other recommended tools for this?

  7. #7 n4bbq (Senior Member):

    Quote originally posted by genotix:
    After reinstalling Zimbra I was able to reset my admin and own account's passwords.
    Installed tripwire directly; any other recommended tools for this?

    No tools other than those mentioned already; I keep all unnecessary services off and I run ssh on a different port (not 22).

  8. #8 genotix (Junior Member):

    Yeah, well, from the internet only ports 25 and 80 are actually open.
    I've blocked direct root login, and only allow access to ports 22 and 7071 from a handful of IP addresses.

    Somehow someone still got access to the admin console and disabled my account.
    Looking at the 'damage done', there was no root access.

    Given the setup, this is a pretty tough job, so I'm kind of suspecting a Zimbra leak actually.

  9. #9 phoenix (Zimbra Consultant & Moderator, joined Sep 2005, Vannes, France):

    Quote originally posted by genotix:
    Given the setup, this is a pretty tough job, so I'm kind of suspecting a Zimbra leak actually.

    What sort of 'Zimbra leak' do you think it might be? You've restricted the Admin UI to a few addresses; have you also enforced strong passwords on that account, have you checked the log files to see when the account was accessed and does it agree with when an admin was on the server (I also assume that there's limited access to that account)? How do you know this wasn't access via port 22 and a CLI change to disable the account? Do you have a strong password set up for that access as well? Do you have any internal monitoring for unauthorised access or changes to your systems? Have you also scanned your LAN for rootkits/viruses/bots etc.?

    Why do you have port 80 forwarded to the Zimbra server, is it for web UI access? That's also not a good idea, as the password will go in the clear during a login attempt. You really should have external users use https for their web UI access.
    Regards,
    Bill


  10. #10 genotix (Junior Member):

    I went through /opt/zimbra/log/audit.log and found the following:
    2010-09-22 05:50:07,379 INFO [btpool0-839://localhost:7071/service/admin/soap/AuthRequest] [name=zimbra;ip=127.0.0.1;] security - cmd=AdminAuth; account=zimbra;
    2010-09-22 05:50:07,423 INFO [btpool0-839://localhost:7071/service/admin/soap/AuthRequest] [name=zimbra;ip=127.0.0.1;] security - cmd=Auth; account=zimbra; protocol=soap;
    2010-09-22 05:58:16,635 INFO [ImapServer-8364] [ip=62.223.9.236;] security - cmd=Auth; account=[my@email.address]; protocol=imap;
    2010-09-22 05:58:20,598 INFO [btpool0-839://mail.[myserver.ext]/dav/[my@email.address]/] [ip=62.223.9.236;ua=DAVKit/5.0 (752);; iCalendar/1 (42.1);; iPhone/3.2.2 7B500;] security - cmd=Auth; account=[my@email.address]; protocol=http_basic;
    2010-09-22 06:00:08,006 INFO [btpool0-839://localhost:7071/service/admin/soap/AuthRequest] [name=zimbra;ip=127.0.0.1;] security - cmd=AdminAuth; account=zimbra;
    2010-09-22 06:00:08,050 INFO [btpool0-839://localhost:7071/service/admin/soap/AuthRequest] [name=zimbra;ip=127.0.0.1;] security - cmd=Auth; account=zimbra; protocol=soap;
    2010-09-22 06:09:15,875 WARN [ImapServer-8367] [ip=203.124.16.150;] security - cmd=Auth; account=[my@email.address]; protocol=imap; error=authentication failed for admin, invalid password;
    2010-09-22 06:09:15,891 WARN [ImapServer-8366] [ip=203.124.16.150;] security - cmd=Auth; account=[my@email.address]; protocol=imap; error=authentication failed for root, invalid password;
    2010-09-22 06:09:17,793 WARN [ImapServer-8366] [ip=203.124.16.150;] security - cmd=Auth; account=[my@email.address]; protocol=imap; error=authentication failed for admin, invalid password;
    2010-09-22 06:09:18,006 WARN [ImapServer-8368] [ip=203.124.16.150;] security - cmd=Auth; account=[my@email.address]; protocol=imap; error=authentication failed for root, invalid password;
    2010-09-22 06:09:20,770 WARN [ImapServer-8368] [ip=203.124.16.150;] security - cmd=Auth; account=[my@email.address]; protocol=imap; error=authentication failed for admin, invalid password;
    2010-09-22 06:09:20,876 WARN [ImapServer-8367] [ip=203.124.16.150;] security - cmd=Auth; account=[my@email.address]; protocol=imap; error=authentication failed for root, invalid password;
    2010-09-22 06:09:26,323 WARN [ImapServer-8366] [ip=203.124.16.150;] security - cmd=Auth; account=[my@email.address]; protocol=imap; error=authentication failed for admin, invalid password;
    2010-09-22 06:09:26,524 WARN [ImapServer-8368] [ip=203.124.16.150;] security - cmd=Auth; account=[my@email.address]; protocol=imap; error=authentication failed for root, invalid password;
    2010-09-22 06:09:29,211 WARN [ImapServer-8367] [ip=203.124.16.150;] security - cmd=Auth; account=[my@email.address]; protocol=imap; error=authentication failed for admin, invalid password;
    2010-09-22 06:09:29,230 WARN [ImapServer-8368] [ip=203.124.16.150;] security - cmd=Auth; account=[my@email.address]; protocol=imap; error=authentication failed for root, invalid password;
    2010-09-22 06:09:31,928 INFO [ImapServer-8368] [ip=203.124.16.150;] security - cmd=Auth; account=[my@email.address]; error=account lockout due to too many failed logins;
    2010-09-22 06:09:32,018 WARN [ImapServer-8368] [ip=203.124.16.150;] security - cmd=Auth; account=[my@email.address]; protocol=imap; error=authentication failed for admin, invalid password;
    2010-09-22 06:09:32,119 WARN [ImapServer-8366] [ip=203.124.16.150;] security - cmd=Auth; account=[my@email.address]; protocol=imap; error=authentication failed for root, account lockout;
    2010-09-22 06:09:34,907 WARN [ImapServer-8366] [ip=203.124.16.150;] security - cmd=Auth; account=[my@email.address]; protocol=imap; error=authentication failed for admin, account lockout;
    2010-09-22 06:09:35,092 WARN [ImapServer-8367] [ip=203.124.16.150;] security - cmd=Auth; account=[my@email.address]; protocol=imap; error=authentication failed for root, account lockout;
    ...
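Phoenix's question in #9 (do the log entries agree with when an admin was actually on the server?) and the audit.log excerpt in #10 are worth scripting rather than eyeballing. What follows is an added example from the editor, not code from any of the posters or from Zimbra: a small Python triage of /opt/zimbra/log/audit.log lines in the layout shown above. It flags bursts of failed logins per source address and account, records lockouts, lists admin-console logins (cmd=AdminAuth) from any address outside a trusted list (127.0.0.1 by default, which the excerpt shows as the source of the server's own periodic `account=zimbra` AdminAuth entries), and reports any successful login from an address that was also brute-forcing. The sample lines, the thresholds and the IP addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
"""Triage Zimbra's /opt/zimbra/log/audit.log for the attack pattern in this thread.

Added example, not Zimbra code. It assumes the line layout seen in the thread:
  <timestamp>,<ms> <LEVEL> [<thread>] [<k=v;...>] security - cmd=...; account=...; ...
Thresholds, trusted IPs and the sample lines below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+"
    r"(?P<level>[A-Z]+)\s+\[(?P<thread>[^\]]*)\]\s+\[(?P<ctx>[^\]]*)\]\s+"
    r"security - (?P<body>.*)$"
)


def parse_kv(text):
    """Turn 'ip=1.2.3.4; account=x;' into {'ip': '1.2.3.4', 'account': 'x'}."""
    out = {}
    for part in text.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def parse_line(line):
    """Return a dict of fields for one audit line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "level": m["level"]}
    event.update(parse_kv(m["ctx"]))   # name=, ip=, ua=
    event.update(parse_kv(m["body"]))  # cmd=, account=, protocol=, error=
    return event


def is_burst(times, window, count):
    """True if at least `count` timestamps fall inside some span of length `window`."""
    times = sorted(times)
    return any(times[i + count - 1] - times[i] <= window for i in range(len(times) - count + 1))


def triage(lines, trusted_ips=frozenset({"127.0.0.1"}), window=timedelta(minutes=5), max_failures=5):
    """Summarise failed logins, lockouts and admin logins from untrusted addresses."""
    failures = defaultdict(list)      # (ip, account) -> timestamps of failed attempts
    successes = []                    # (ts, ip, account, cmd) for lines without error=
    locked_out = set()
    for event in filter(None, map(parse_line, lines)):
        ip, account = event.get("ip", "?"), event.get("account", "?")
        if "error" in event:
            failures[(ip, account)].append(event["ts"])
            if "lockout" in event["error"]:
                locked_out.add(account)
        else:
            successes.append((event["ts"], ip, account, event.get("cmd")))
    brute_force = sorted(
        (ip, account, len(ts)) for (ip, account), ts in failures.items()
        if is_burst(ts, window, max_failures)
    )
    attacker_ips = {ip for ip, _, _ in brute_force}
    return {
        "brute_force": brute_force,
        "locked_out": sorted(locked_out),
        # admin-console logins (cmd=AdminAuth) from anywhere but the trusted list
        "untrusted_admin_auth": [
            (ts.isoformat(sep=" "), ip, account)
            for ts, ip, account, cmd in successes
            if cmd == "AdminAuth" and ip not in trusted_ips
        ],
        # a successful login from an address that was also brute-forcing is the worst case
        "success_from_attacker": [
            (ts.isoformat(sep=" "), ip, account) for ts, ip, account, _ in successes if ip in attacker_ips
        ],
    }


# Constructed sample in the thread's format (RFC 5737 documentation addresses, example.com names).
SAMPLE_LOG = [
    "2010-09-22 05:50:07,379 INFO [btpool0-839://localhost:7071/service/admin/soap/AuthRequest] "
    "[name=zimbra;ip=127.0.0.1;] security - cmd=AdminAuth; account=zimbra;",
    "2010-09-22 05:58:16,635 INFO [ImapServer-8364] [ip=192.0.2.10;] security - cmd=Auth; "
    "account=alice@example.com; protocol=imap;",
] + [
    f"2010-09-22 06:09:{15 + 3 * i:02d},000 WARN [ImapServer-836{i}] [ip=203.0.113.5;] security - cmd=Auth; "
    "account=admin@example.com; protocol=imap; error=authentication failed for admin, invalid password;"
    for i in range(5)
] + [
    "2010-09-22 06:09:31,928 INFO [ImapServer-8368] [ip=203.0.113.5;] security - cmd=Auth; "
    "account=admin@example.com; error=account lockout due to too many failed logins;",
    "2010-09-22 06:09:32,018 WARN [ImapServer-8368] [ip=203.0.113.5;] security - cmd=Auth; "
    "account=admin@example.com; protocol=imap; error=authentication failed for admin, account lockout;",
    "2010-09-22 06:20:01,000 INFO [btpool0-840://mail.example.com:7071/service/admin/soap/AuthRequest] "
    "[name=admin@example.com;ip=198.51.100.7;] security - cmd=AdminAuth; account=admin@example.com;",
    "not an audit line",
]

if __name__ == "__main__":
    for key, rows in triage(SAMPLE_LOG).items():
        print(key, rows)
```

Run it against the real file with `triage(open("/opt/zimbra/log/audit.log").readlines())` as the zimbra user and put the addresses you actually administer from into `trusted_ips`; anything in `untrusted_admin_auth` is a console login you did not make, and anything in `success_from_attacker` means the brute force got through and the password reset has to be done from a machine you trust.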

