#1  02-04-2011, 12:05 PM
Senior Member, Posts: 60
Accounts compromised - changed forwarding

Someone (or some script) has been sending out SPAM (a Hotmail phishing scam) from a couple of accounts.

This seems to be beyond simple guessing of passwords.
Accounts get locked out if more than 3 attempts, so not a dictionary attack.

The accounts show a forwarding address to a gmail account that has an auto reply to somewhere in Mongolia. (That's a dead end.)
(Presumably to collect bounce notifications.)

The bigger question is how are they getting into the Zimbra configuration to modify the forwarding address?

These accounts, when found, get locked and the passwords changed.
But within hours, they are sending again.

(These are not bad customers. These are admin accounts!)

Is there a way to inject an SQL query, or a command through the webmail interface?

There are no strange IPs in the audit logs, except for failed attempts.

Anyone have any knowledge or history on this?

If the server is vulnerable, that can be fixed.
But I need better tools than just searching through log files after the fact.

Thanks,

Jim
#2  02-04-2011, 12:33 PM
Zimbra Consultant & Moderator, Posts: 20,315

If, as you say, there's no strange IPs in there then perhaps there's a compromised machine on your LAN that's sending the mail? Perhaps it has access to your Admin account? If the compromised account is 'sending again' is it therefore becoming unlocked? If the answer to that is yes then I'd suspect your Admin account (or a domain admin) may be compromised.
Regards

Bill

#3  02-04-2011, 01:16 PM
Senior Member, Posts: 60

Thanks Bill,

I should have been more clear.

The accounts (where we have seen this happening) are admin accounts.
When the problem first started, we locked the account, then changed the password. We unlocked it, and thought that was that. But noooo.

Within hours, the forwarding address had been changed again, and messages were being sent from the account.

There is no external IP connecting to the server. These are from localhost using the soap interface. Somehow scripted through the web client.

My guess is a compromised PC inside the company network. Most of those would have admin accounts. Perhaps they are just capturing the logins.

So as soon as the password is changed (and used legitimately for the first time), the bad guys are in. That would make it more fun to find ...

Is there a way to find out when a user's forwarding address gets modified?
I know that if someone has a password, they can get in and change it through the web interface. SQL query?
#4  02-05-2011, 01:25 AM
Zimbra Consultant & Moderator, Posts: 20,315

Have you checked /opt/zimbra/log/audit.log to see when connections are being made to the admin console? You can also look in the jetty logs for the IP address of connections to the server (see: site:zimbra.com +hacked +"ip address" - Yahoo! Search Results). I don't believe there's any specific log that has a record of features that are changed in an account.

I would also suggest you upgrade to the most recent version of Zimbra because of this: ZCS 6.0.9 and 5.0.25 Generally Available and OpenSSL Advisory
Regards

Bill

#5  02-05-2011, 01:01 PM
Senior Member, Posts: 60

I did find some interesting info in the mailbox.log:

2011-02-02 03:19:13,087 INFO [btpool0-9] [name=joeuser@mynetwork.com;mid=663;oip=41.155.56.214;ua=zclient/5.0.21_GA_3150.RHEL5_64;] soap - BatchRequest
2011-02-02 03:19:13,088 INFO [btpool0-9] [name=joeuser@mynetwork.com;mid=663;oip=41.155.56.214;ua=zclient/5.0.21_GA_3150.RHEL5_64;] soap - (batch) GetInfoRequest
2011-02-02 03:19:13,519 INFO [btpool0-9] [name=joeuser@mynetwork.com;mid=663;oip=41.155.56.214;ua=zclient/5.0.21_GA_3150.RHEL5_64;] soap - (batch) SearchRequest

I am not sure if the BatchRequest is normal for web client activity, but connecting from somewhere in Africa seems a bit suspicious.

Later on in the dialog, there was this: (Again, from Africa)...

2011-02-02 14:11:04,664 INFO [btpool0-82] [name=joeuser@mynetwork.com;mid=663;oip=41.155.37.197;ua=zclient/5.0.21_GA_3150.RHEL5_64;] soap - ModifyPrefsRequest
2011-02-02 14:11:07,697 INFO [btpool0-82] [name=joeuser@mynetwork.com;mid=663;oip=41.155.37.197;ua=zclient/5.0.21_GA_3150.RHEL5_64;] misc - need to reset vacation info
2011-02-02 14:11:08,011 INFO [btpool0-82] [name=joeuser@mynetwork.com;mid=663;oip=41.155.37.197;ua=zclient/5.0.21_GA_3150.RHEL5_64;] misc - reset vacation info


And finally, the actual sending of the SPAM ...

2011-02-02 14:12:17,496 INFO [btpool0-82] [name=joeuser@mynetwork.com;mid=663;oip=41.155.37.197;ua=zclient/5.0.21_GA_3150.RHEL5_64;] smtp - Sending message to MTA at mail.mynetwork.com, port 25: Message-ID=<1552434124.3791296684737496.JavaMail.root@mynetwork.com>, replyType=r
2011-02-02 14:14:18,814 INFO [btpool0-87] [name=joeuser@mynetwork.com;mid=663;oip=41.155.37.197;ua=zclient/5.0.21_GA_3150.RHEL5_64;] smtp - Sending message to MTA at mail.mynetwork.com, port 25: Message-ID=<662983951.3831296684858813.JavaMail.root@mynetwork.com>, replyType=r


Usually 50 or 100 recipients at a time, to yahoo users, alphabetically ...
And dutifully added them to the user's Emailed Contacts folder.


But there were no invalid login attempts.
This script knew the password and connected directly.

- - -

The password was changed on the account by the admin:

2011-02-02 16:52:54,545 INFO [btpool0-94] [name=myadmin@mynetwork.com;mid=3;ip=<my.ip.add.rss;ua=ZimbraWebClient - FF3.0 (Win);] misc - delegated access: doc=SetPassword, authenticated account=myadmin@mynetwork.com, target account=joeuser@mynetwork.com


Later in the day, the hits just kept coming...

2011-02-02 21:40:58,831 INFO [btpool0-85] [name=joeuser@mynetwork.com;oip=41.217.65.11;ua=zclient/5.0.21_GA_3150.RHEL5_64;] SoapEngine - handler exception: authentication failed for joeuser@mynetwork.com, account lockout


Undaunted, the SPAMMER tried a second domain for the same user:


2011-02-02 21:41:28,828 INFO [btpool0-108] [name=joeuser@mynetwork2.com;mid=4;oip=41.217.65.11;ua=zclient/5.0.21_GA_3150.RHEL5_64;] soap - BatchRequest
2011-02-02 21:41:28,828 INFO [btpool0-108] [name=joeuser@mynetwork2.com;mid=4;oip=41.217.65.11;ua=zclient/5.0.21_GA_3150.RHEL5_64;] soap - (batch) GetInfoRequest
2011-02-02 21:41:29,248 INFO [btpool0-108] [name=joeuser@mynetwork2.com;mid=4;oip=41.217.65.11;ua=zclient/5.0.21_GA_3150.RHEL5_64;] soap - (batch) SearchRequest
2011-02-02 21:42:41,765 INFO [btpool0-100] [name=joeuser@mynetwork2.com;mid=4;ip=41.217.65.11;ua=ZimbraWebClient - FF3.0 (Win)/5.0.21_GA_3150.RHEL5_64;] soap - GetContactsRequest
2011-02-02 21:42:42,963 INFO [btpool0-100] [name=joeuser@mynetwork2.com;mid=4;ip=41.217.65.11;ua=ZimbraWebClient - FF3.0 (Win)/5.0.21_GA_3150.RHEL5_64;] soap - SearchRequest
2011-02-02 21:47:44,998 INFO [btpool0-85] [name=joeh@mynetwork2.com;mid=4;ip=41.217.65.11;ua=ZimbraWebClient - FF3.0 (Win)/5.0.21_GA_3150.RHEL5_64;] soap - NoOpRequest

. . .

This IP is from ZOOM Mobile Nigeria. Probably a spoof anyway.
But I do know it's using a FireFox web client!


To make a short story long, there is more info available.
Change passwords early and often. Use strong passwords.
And do not use the same password on every account.

An ounce of prevention ...
#6  02-08-2011, 08:59 AM
Junior Member, Posts: 9
Compromised Accounts
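Jim's question in #3 (is there a way to find out when a forwarding address gets modified?) and the mailbox.log excerpts above can be joined up. The following is an added example, not code from this thread or from Zimbra: it parses lines in the format shown and flags ModifyPrefsRequest (the call the web client makes when a user changes preferences such as forwarding) and SMTP submissions whose originating IP is outside a trusted range, and collects every untrusted IP per account. TRUSTED_NETS and the sample log lines (documentation-range IPs, example.com addresses) are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict
# Matches the mailbox.log shape quoted above: timestamp, thread, a bracketed
# context block (name=...;oip=...;ua=...;), then facility and handler name.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) INFO \[[^\]]+\] \[(?P<ctx>[^\]]*)\] "
    r"(?P<facility>\w+) - (?:\(batch\) )?(?P<event>\S+)")
# Assumed trusted client networks (placeholder; substitute your own ranges).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8")]

def parse_line(line):
    """Pull out timestamp, account, source IP, facility and handler; None if no match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ctx = dict(kv.split("=", 1) for kv in m.group("ctx").split(";") if "=" in kv)
    return {"ts": m.group("ts"), "name": ctx.get("name"),
            "ip": ctx.get("oip") or ctx.get("ip"),  # web client logs oip=, others ip=
            "facility": m.group("facility"), "event": m.group("event")}

def is_trusted(ip):
    try:
        return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)
    except ValueError:  # redacted or malformed address: treat as untrusted
        return False

def find_takeover_signals(lines):
    """Return (alerts, ips_by_account): an alert per preference change or mail
    submission from an untrusted IP, plus every untrusted IP seen per account."""
    alerts, ips = [], defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["ip"] or is_trusted(rec["ip"]):
            continue
        ips[rec["name"]].add(rec["ip"])
        if rec["event"] == "ModifyPrefsRequest":  # how forwarding gets changed
            alerts.append((rec["ts"], rec["name"], rec["ip"], "prefs changed"))
        elif rec["facility"] == "smtp":
            alerts.append((rec["ts"], rec["name"], rec["ip"], "mail submitted"))
    return alerts, dict(ips)

# Constructed sample lines in the mailbox.log format (documentation-range IPs).
SAMPLE_LOG = """\
2011-02-02 03:19:13,087 INFO [btpool0-9] [name=joeuser@example.com;mid=663;oip=203.0.113.14;ua=zclient/5.0.21_GA_3150.RHEL5_64;] soap - BatchRequest
2011-02-02 14:11:04,664 INFO [btpool0-82] [name=joeuser@example.com;mid=663;oip=198.51.100.97;ua=zclient/5.0.21_GA_3150.RHEL5_64;] soap - ModifyPrefsRequest
2011-02-02 14:12:17,496 INFO [btpool0-82] [name=joeuser@example.com;mid=663;oip=198.51.100.97;ua=zclient/5.0.21_GA_3150.RHEL5_64;] smtp - Sending message to MTA at mail.example.com, port 25: Message-ID=<constructed@example.com>, replyType=r
2011-02-02 21:40:58,831 INFO [btpool0-85] [name=joeuser@example.com;oip=192.0.2.11;ua=zclient/5.0.21_GA_3150.RHEL5_64;] SoapEngine - handler exception: authentication failed for joeuser@example.com, account lockout
"""
```

Run find_takeover_signals over the real file with open("/opt/zimbra/log/mailbox.log"); the per-account IP set makes one user appearing from several countries stand out even when no login ever failed.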

We've seen this before too - in our case it's phishing messages that users had responded to, either emailing their passwords to some unknown person, or following a link and putting their usernames and passwords there.
Nothing like users giving away their keys...
#7  02-08-2011, 09:45 AM
Junior Member, Posts: 8
gmail account?

Hi,

Can you give us the gmail account mentioned by you in the first post?

I had much the same situation yesterday.
#8  02-08-2011, 10:12 AM
Senior Member, Posts: 60

ceciltemepleton4@gmail.com [sic]

Google provided this:
I received a message in my hotmail that says if I don't disclose personal information, my account will be closed! - Gmail Help

I kept digging and found traces of this particular phishing attempt going back to May, 2009. So this one has been in the wild for some time now.
I am sure there are many variants.

The sad part is that there are people out there that actually replied to this.
And they included their passwords.

Just out of curiosity, is there a way to prevent scripts from using the web client? Put up a splash page if the number of recipients is greater than 10?
You've seen those images, barely human readable letters and digits that must be typed in before you can hit send? Can something like this be inserted into Zimbra?
#9  02-08-2011, 10:17 AM
Junior Member, Posts: 9

On the ones that we saw that were compromised, I'm almost positive that it was an actual human doing the sending on the compromised account. Looked like someone copying and pasting 50-ish addresses into the To line.
The actual message was often put into the signature of the compromised account.
#10  02-08-2011, 10:35 AM
Senior Member, Posts: 60

Just for grins and googles, here is a copy of the original phishing email:

Subject: Final Warning!!!

Due to the congestion in all Yahoo mail! users and removal of all used
Old and New Accounts, Hot mail! would be shutting down all used
Accounts, You will have to confirm your E-mail by FILL IN all
requested Information below after clicking the reply button, or your
account will be suspended within 48 hours for security reasons.The
personal information requested are for the safety of your Yahoo mail!
Account.

* Full Name:..............................
* Email: .......................................
* Password: .........................................
* Date of Birth: ......................................
* Occupation : ............................................
* Country Or Territory..........................

After following the instructions in the sheet, your Yahoo mail! account
will not be
interrupted and will continue as normal. Thank you for your usual co-operation.
We apologize for the inconvenience.Bookmark
NOTE: Your information will not be shared and your password is safe.

Sincerely,
Hot mail! Customer Care
Case number: 8941624
Property: Account Security
Contact date: 3-2-2011

- - - -

If you Google "Case number: 8941624" you can find many such examples.
My suspicion is a script that has been borrowed, resold, and exploited numerous times. Based on the number of bounces and typos, it seems rather dated and unsophisticated. But a nuisance, nonetheless.