
Thread: Accounts compromised - changed forwarding

  1. #1
    blueflametuna, Senior Member

    Accounts compromised - changed forwarding

    Someone (or some script) has been sending out SPAM (HotMail Phishing scam) from a couple accounts.

    This seems to be beyond simple guessing of passwords.
    Accounts get locked out if more than 3 attempts, so not a dictionary attack.

    The accounts show a forwarding address to a gmail account that has an auto reply to somewhere in Mongolia. (That's a dead end.)
    (Presumably to collect bounce notifications.)

    The bigger question is how are they getting into the Zimbra configuration to modify the forwarding address?

    These accounts, when found, get locked and the passwords changed.
    But within hours, they are sending again.

    (These are not bad customers. These are admin accounts!)

    Is there a way to inject an SQL query, or a command through the webmail interface?

    There are no strange IPs in the audit logs, except for failed attempts.

    Anyone have any knowledge or history on this?

    If the server is vulnerable, that can be fixed.
    But I need better tools than just searching through log files after the fact.

    Thanks,

    Jim

  2. #2
    phoenix, Zimbra Consultant & Moderator


    If, as you say, there are no strange IPs in there, then perhaps there's a compromised machine on your LAN that's sending the mail? Perhaps it has access to your Admin account? If the compromised account is 'sending again', is it therefore becoming unlocked? If the answer to that is yes, then I'd suspect your Admin account (or a domain admin) may be compromised.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  3. #3
    blueflametuna, Senior Member


    Thanks Bill,

    I should have been more clear.

    The accounts (that we have seen this happening) are admin accounts.
    When the problem first started, we locked the account, then changed the password. We unlocked it, and thought that was that. But noooo.

    Within hours, the forwarding address had been changed again, and messages were being sent from the account.

    There is no external IP connecting to the server. These are from localhost using the soap interface. Somehow scripted through the web client.

    My guess is a compromised PC inside the company network. Most of those would have admin accounts. Perhaps they are just capturing the logins.

    So as soon as the password is changed (and used legitimately for the first time), the bad guys are in. That would make it more fun to find ...

    Is there a way to find out when a user's forwarding address gets modified?
    I know that if someone has a password, they can get in and change it through the web interface. SQL query?

  4. #4
    phoenix, Zimbra Consultant & Moderator


    Have you checked in /opt/zimbra/log/audit.log to see when connections are being made to the admin console? You can also look in the jetty logs for the IP address of connections to the server (search: site:zimbra.com +hacked +"ip address"). I don't believe there's any specific log that has a record of features that are changed in an account.

    I would also suggest you upgrade to the most recent version of Zimbra because of this: ZCS 6.0.9 and 5.0.25 Generally Available and OpenSSL Advisory
    Regards


    Bill


  5. #5
    blueflametuna, Senior Member


    I did find some interesting info in the mailbox.log:

    2011-02-02 03:19:13,087 INFO [btpool0-9] [name=joeuser@mynetwork.com;mid=663;oip=41.155.56.214;ua=zclient/5.0.21_GA_3150.RHEL5_64;] soap - BatchRequest
    2011-02-02 03:19:13,088 INFO [btpool0-9] [name=joeuser@mynetwork.com;mid=663;oip=41.155.56.214;ua=zclient/5.0.21_GA_3150.RHEL5_64;] soap - (batch) GetInfoRequest
    2011-02-02 03:19:13,519 INFO [btpool0-9] [name=joeuser@mynetwork.com;mid=663;oip=41.155.56.214;ua=zclient/5.0.21_GA_3150.RHEL5_64;] soap - (batch) SearchRequest

    I am not sure if the BatchRequest is normal for web client activity, but connecting from somewhere in Africa seems a bit suspicious.

    Later on in the dialog, there was this: (Again, from Africa)...

    2011-02-02 14:11:04,664 INFO [btpool0-82] [name=joeuser@mynetwork.com;mid=663;oip=41.155.37.197;ua=zclient/5.0.21_GA_3150.RHEL5_64;] soap - ModifyPrefsRequest
    2011-02-02 14:11:07,697 INFO [btpool0-82] [name=joeuser@mynetwork.com;mid=663;oip=41.155.37.197;ua=zclient/5.0.21_GA_3150.RHEL5_64;] misc - need to reset vacation info
    2011-02-02 14:11:08,011 INFO [btpool0-82] [name=joeuser@mynetwork.com;mid=663;oip=41.155.37.197;ua=zclient/5.0.21_GA_3150.RHEL5_64;] misc - reset vacation info


    And finally, the actual sending of the SPAM ...

    2011-02-02 14:12:17,496 INFO [btpool0-82] [name=joeuser@mynetwork.com;mid=663;oip=41.155.37.197;ua=zclient/5.0.21_GA_3150.RHEL5_64;] smtp - Sending message to MTA at mail.mynetwork.com, port 25: Message-ID=<1552434124.3791296684737496.JavaMail.root@mynetwork.com>, replyType=r
    2011-02-02 14:14:18,814 INFO [btpool0-87] [name=joeuser@mynetwork.com;mid=663;oip=41.155.37.197;ua=zclient/5.0.21_GA_3150.RHEL5_64;] smtp - Sending message to MTA at mail.mynetwork.com, port 25: Message-ID=<662983951.3831296684858813.JavaMail.root@mynetwork.com>, replyType=r


    Usually 50 or 100 recipients at a time, to yahoo users, alphabetically ...
    And dutifully added them to the user's Emailed Contacts folder.


    But there were no invalid login attempts.
    This script knew the password and connected directly.

    - - -

    The password was changed on the account by the admin:

    2011-02-02 16:52:54,545 INFO [btpool0-94] [name=myadmin@mynetwork.com;mid=3;ip=<my.ip.add.rss ;ua=ZimbraWebClient - FF3.0 (Win);] misc - delegated access: doc=SetPassword, authenticated account=myadmin@mynetwork.com, target account=joeuser@mynetwork.com


    Later in the day, the hits just kept coming...

    2011-02-02 21:40:58,831 INFO [btpool0-85] [name=joeuser@mynetwork.com;oip=41.217.65.11;ua=zclient/5.0.21_GA_3150.RHEL5_64;] SoapEngine - handler exception: authentication failed for joeuser@mynetwork.com, account lockout


    Undaunted, the SPAMMER tried a second domain for the same user:


    2011-02-02 21:41:28,828 INFO [btpool0-108] [name=joeuser@mynetwork2.com;mid=4;oip=41.217.65.11;ua=zclient/5.0.21_GA_3150.RHEL5_64;] soap - BatchRequest
    2011-02-02 21:41:28,828 INFO [btpool0-108] [name=joeuser@mynetwork2.com;mid=4;oip=41.217.65.11;ua=zclient/5.0.21_GA_3150.RHEL5_64;] soap - (batch) GetInfoRequest
    2011-02-02 21:41:29,248 INFO [btpool0-108] [name=joeuser@mynetwork2.com;mid=4;oip=41.217.65.11;ua=zclient/5.0.21_GA_3150.RHEL5_64;] soap - (batch) SearchRequest
    2011-02-02 21:42:41,765 INFO [btpool0-100] [name=joeuser@mynetwork2.com;mid=4;ip=41.217.65.11;ua=ZimbraWebClient - FF3.0 (Win)/5.0.21_GA_3150.RHEL5_64;] soap - GetContactsRequest
    2011-02-02 21:42:42,963 INFO [btpool0-100] [name=joeuser@mynetwork2.com;mid=4;ip=41.217.65.11;ua=ZimbraWebClient - FF3.0 (Win)/5.0.21_GA_3150.RHEL5_64;] soap - SearchRequest
    2011-02-02 21:47:44,998 INFO [btpool0-85] [name=joeh@mynetwork2.com;mid=4;ip=41.217.65.11;ua=ZimbraWebClient - FF3.0 (Win)/5.0.21_GA_3150.RHEL5_64;] soap - NoOpRequest

    . . .

    This IP is from ZOOM Mobile Nigeria. Probably a spoof anyway.
    But I do know it's using a FireFox web client!


    To make a short story long, there is more info available.
    Change passwords early and often. Use strong passwords.
    And do not use the same password on every account.

    An ounce of prevention ...
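    The question in post #3 (how to tell when a user's forwarding address was changed) and the mailbox.log entries quoted in post #5 can be turned into a small after-the-fact check. The script below is an added example, not code from this thread or from Zimbra: it parses lines of the shape shown above, flags ModifyPrefsRequest calls (the SOAP request the web client issues when preferences, the forwarding address among them, are saved) that arrive from outside an assumed set of internal address ranges, and flags accounts that hand more than a threshold of messages to the MTA inside a short window. INTERNAL_NETS, the thresholds and the sample log lines are constructed for the example; the real office ranges would replace them.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Shape of the mailbox.log entries quoted in the thread:
# "<date> <time>,<ms> <LEVEL> [<thread>] [name=...;mid=...;oip=...;ua=...;] <category> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} "
    r"(?P<level>\w+) \[(?P<thread>[^\]]*)\] \[(?P<ctx>[^\]]*)\] "
    r"(?P<cat>\w+) - (?P<msg>.*)$"
)

# Ranges treated as "inside the company": assumed values for this example,
# the thread does not give the real ones.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample modelled on the entries in post #5 (addresses and message-ids are made up).
SAMPLE_LOG = """\
2011-02-02 03:19:13,087 INFO [btpool0-9] [name=joeuser@mynetwork.com;mid=663;oip=41.155.56.214;ua=zclient/5.0.21_GA_3150.RHEL5_64;] soap - BatchRequest
2011-02-02 03:19:13,088 INFO [btpool0-9] [name=joeuser@mynetwork.com;mid=663;oip=41.155.56.214;ua=zclient/5.0.21_GA_3150.RHEL5_64;] soap - (batch) GetInfoRequest
2011-02-02 09:05:41,002 INFO [btpool0-12] [name=anna@mynetwork.com;mid=12;oip=192.168.1.20;ua=ZimbraWebClient - FF3.0 (Win);] soap - ModifyPrefsRequest
2011-02-02 14:11:04,664 INFO [btpool0-82] [name=joeuser@mynetwork.com;mid=663;oip=41.155.37.197;ua=zclient/5.0.21_GA_3150.RHEL5_64;] soap - ModifyPrefsRequest
2011-02-02 14:11:07,697 INFO [btpool0-82] [name=joeuser@mynetwork.com;mid=663;oip=41.155.37.197;ua=zclient/5.0.21_GA_3150.RHEL5_64;] misc - need to reset vacation info
2011-02-02 14:12:17,496 INFO [btpool0-82] [name=joeuser@mynetwork.com;mid=663;oip=41.155.37.197;ua=zclient/5.0.21_GA_3150.RHEL5_64;] smtp - Sending message to MTA at mail.mynetwork.com, port 25: Message-ID=<1@mynetwork.com>, replyType=r
2011-02-02 14:13:02,100 INFO [btpool0-82] [name=joeuser@mynetwork.com;mid=663;oip=41.155.37.197;ua=zclient/5.0.21_GA_3150.RHEL5_64;] smtp - Sending message to MTA at mail.mynetwork.com, port 25: Message-ID=<2@mynetwork.com>, replyType=r
2011-02-02 14:14:18,814 INFO [btpool0-87] [name=joeuser@mynetwork.com;mid=663;oip=41.155.37.197;ua=zclient/5.0.21_GA_3150.RHEL5_64;] smtp - Sending message to MTA at mail.mynetwork.com, port 25: Message-ID=<3@mynetwork.com>, replyType=r
2011-02-02 14:15:40,300 INFO [btpool0-87] [name=joeuser@mynetwork.com;mid=663;oip=41.155.37.197;ua=zclient/5.0.21_GA_3150.RHEL5_64;] smtp - Sending message to MTA at mail.mynetwork.com, port 25: Message-ID=<4@mynetwork.com>, replyType=r
2011-02-02 15:30:00,000 INFO [btpool0-3] [name=anna@mynetwork.com;mid=12;oip=192.168.1.20;ua=ZimbraWebClient - FF3.0 (Win);] smtp - Sending message to MTA at mail.mynetwork.com, port 25: Message-ID=<5@mynetwork.com>, replyType=r
2011-02-02 21:40:58,831 INFO [btpool0-85] [name=joeuser@mynetwork.com;oip=41.217.65.11;ua=zclient/5.0.21_GA_3150.RHEL5_64;] SoapEngine - handler exception: authentication failed for joeuser@mynetwork.com, account lockout
"""


def parse_line(line):
    """Turn one mailbox.log line into a dict, or None if it does not match the shape above."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ctx = {}
    for field in m.group("ctx").split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            ctx[key.strip()] = value.strip()
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "name": ctx.get("name"),
        "ip": ctx.get("oip") or ctx.get("ip"),  # web client logs oip=, admin path logs ip=
        "ua": ctx.get("ua"),
        "cat": m.group("cat"),
        "msg": m.group("msg"),
    }


def parse_log(text):
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except (ValueError, TypeError):
        return False
    return any(addr in net for net in INTERNAL_NETS)


def external_pref_changes(records):
    """ModifyPrefsRequest calls issued from an address outside INTERNAL_NETS."""
    return [r for r in records
            if r["cat"] == "soap" and r["msg"].endswith("ModifyPrefsRequest")
            and not is_internal(r["ip"])]


def bulk_senders(records, max_sends=3, window_minutes=5):
    """Accounts whose 'Sending message to MTA' count within any window exceeds max_sends.
    Returns {account: highest count seen in a single window} (sliding window over sorted times)."""
    sends = defaultdict(list)
    for r in records:
        if r["cat"] == "smtp" and r["msg"].startswith("Sending message to MTA"):
            sends[r["name"]].append(r["ts"])
    flagged, window = {}, window_minutes * 60
    for name, times in sends.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_sends:
            flagged[name] = peak
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in external_pref_changes(recs):
        print("pref change from outside:", r["ts"], r["name"], r["ip"], r["ua"])
    print("bulk senders:", bulk_senders(recs))
```

    Point parse_log at the contents of /opt/zimbra/log/mailbox.log (the rotated copies too, since the entries of interest here are hours old) and set INTERNAL_NETS to the real office ranges. ModifyPrefsRequest is also logged for harmless preference saves, so the external-address condition is what makes that alert worth reading; the send-volume check catches the "50 or 100 recipients at a time" pattern even when the source address is one you expect.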

  6. #6
    xaqar, Member

    Compromised Accounts

    We've seen this before too - in our case it's phishing messages that users had responded to, either emailing their passwords to some unknown person, or following a link and putting their usernames and passwords there.
    Nothing like users giving away their keys...

  7. #7
    plamenflo, Banned

    gmail account?

    Hi,

    Can you give us the gmail account mentioned by you in the 1st post?

    I had relatively the same situation yesterday.

  8. #8
    blueflametuna, Senior Member


    ceciltemepleton4@gmail.com [sic]

    Google provided this:
    I received a message in my hotmail that says if I don't disclose personal information, my account will be closed! - Gmail Help

    I kept digging and found traces of this particular phishing attempt going back to May, 2009. So this one has been in the wild for some time now.
    I am sure there are many variants.

    The sad part is that there are people out there that actually replied to this.
    And they included their passwords.

    Just out of curiosity, is there a way to prevent scripts from using the web client? Put up a splash page if the number of recipients is greater than 10?
    You've seen those images, barely human readable letters and digits that must be typed in before you can hit send? Can something like this be inserted into Zimbra?

  9. #9
    xaqar, Member


    On the ones that we saw that were compromised, I'm almost positive that it was an actual human doing the sending on the compromised account. Looked like someone copying and pasting 50-ish addresses into the To line.
    The actual message was often put into the signature of the compromised account.

  10. #10
    blueflametuna, Senior Member


    Just for grins and googles, here is a copy of the original phishing email:

    Subject: Final Warning!!!

    Due to the congestion in all Yahoo mail! users and removal of all used
    Old and New Accounts, Hot mail! would be shutting down all used
    Accounts, You will have to confirm your E-mail by FILL IN all
    requested Information below after clicking the reply button, or your
    account will be suspended within 48 hours for security reasons.The
    personal information requested are for the safety of your Yahoo mail!
    Account.

    * Full Name:..............................
    * Email: .......................................
    * Password: .........................................
    * Date of Birth: ......................................
    * Occupation : ............................................
    * Country Or Territory..........................

    After following the instructions in the sheet, your Yahoo mail! account
    will not be
    interrupted and will continue as normal. Thank you for your usual co-operation.
    We apologize for the inconvenience.Bookmark
    NOTE: Your information will not be shared and your password is safe.

    Sincerely,
    Hot mail! Customer Care
    Case number: 8941624
    Property: Account Security
    Contact date: 3-2-2011

    - - - -

    If you Google "Case number: 8941624" you can find many such examples.
    My suspicion is a script that has been borrowed, resold, and exploited numerous times. Based on the number of bounces and typos, it seems rather dated and unsophisticated. But a nuisance, nonetheless.
