#11 (permalink)
10-31-2011, 09:14 AM
Member
Posts: 10

I have seen these messages before, but I believe it is more serious than we take it for. As far as it goes for my situation, I had investigated and found that this is a hack attempt on my admin console. My question is: does anyone know if there is a vulnerability in the Zimbra system where someone can log in to the Zimbra admin although the port is blocked? I have blocked the admin port from being accessed from outside our network; however, the log is showing that an outside IP is trying to access this port.

#12 (permalink)
10-31-2011, 09:43 AM
Zimbra Consultant & Moderator
Posts: 20,313

Quote:
Originally Posted by zeirum
I have seen these messages before, but I believe it is more serious than we take it for. As far as it goes for my situation, I had investigated and found that this is a hack attempt on my admin console. My question is: does anyone know if there is a vulnerability in the Zimbra system where someone can log in to the Zimbra admin although the port is blocked?

That would be a vulnerability in your firewall, not Zimbra.

Quote:
Originally Posted by zeirum
I have blocked the admin port from being accessed from outside our network; however, the log is showing that an outside IP is trying to access this port.

If the port is blocked by your firewall then it's not possible that an external source can connect directly to your Zimbra server admin port.
__________________
Regards


Bill

#13 (permalink)
10-31-2011, 10:45 AM
Member
Posts: 10

Ok yeah I've found another forum with someone experiencing similar issues.

honey auth failed: authentication failed for honey

And they mention that the attacker is trying to get through using the SOAP interface. As I have mentioned, I just wanted to know what's the possible threat from this kind of attack and if anyone is aware of this.

I am assuming and hoping that nothing can happen once the attacker doesn't have valid credentials.

#14 (permalink)
10-31-2011, 11:24 AM
Zimbra Consultant & Moderator
Posts: 20,313

Quote:
Originally Posted by zeirum
Ok yeah I've found another forum with someone experiencing similar issues.

honey auth failed: authentication failed for honey

And they mention that the attacker is trying to get through using the SOAP interface.

That wasn't quite the information you gave in your first post.

Quote:
Originally Posted by zeirum
As I have mentioned, I just wanted to know what's the possible threat from this kind of attack and if anyone is aware of this.

Yes, everyone that runs a server that's visible on the internet is aware of 'attacks' against the server - it's called life.

Quote:
Originally Posted by zeirum
I am assuming and hoping that nothing can happen once the attacker doesn't have valid credentials.

Of course nothing can happen if they don't have valid credentials. It would also depend on what protection you have on your server (or network), whether you have strong passwords enforced (you should have) on the Zimbra server and whether you're on the most recent version of Zimbra.

You should update your forum profile with the output of the following command:

Code:
zmcontrol -v
__________________
Regards


Bill
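
An added example, not part of the original posts: a short Python triage pass over authentication log lines of the kind discussed in this thread, listing external source IPs that fail against several accounts or that log in successfully after failing. The log layout, the sample lines, `INTERNAL_NETS` and the `triage` function are constructed assumptions; adjust the pattern to what your server actually writes.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in an assumed layout (originating IP, account,
# optional error); adapt LINE_RE to what your server really logs.
SAMPLE_LOG = """\
2011-10-31 09:01:10 WARN [oip=203.0.113.45;] security - cmd=Auth; account=honey; protocol=soap; error=authentication failed for honey;
2011-10-31 09:01:12 WARN [oip=203.0.113.45;] security - cmd=Auth; account=admin; protocol=soap; error=authentication failed for admin;
2011-10-31 09:01:15 WARN [oip=203.0.113.45;] security - cmd=Auth; account=root; protocol=soap; error=authentication failed for root;
2011-10-31 09:05:40 WARN [oip=10.0.0.23;] security - cmd=Auth; account=alice; protocol=soap; error=authentication failed for alice;
2011-10-31 09:05:55 INFO [oip=10.0.0.23;] security - cmd=Auth; account=alice; protocol=soap;
2011-10-31 09:20:03 WARN [oip=198.51.100.7;] security - cmd=Auth; account=bob; protocol=soap; error=authentication failed for bob;
2011-10-31 09:20:09 INFO [oip=198.51.100.7;] security - cmd=Auth; account=bob; protocol=soap;
"""
LINE_RE = re.compile(
    r"oip=(?P<ip>[0-9A-Fa-f.:]+);.*?cmd=Auth; "
    r"account=(?P<account>[^;]+);(?P<rest>.*)")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: your LAN

def triage(log_text, internal_nets=INTERNAL_NETS, threshold=3):
    """Return {source_ip: [reasons]} for external sources worth a closer look."""
    seen = defaultdict(lambda: {"fails": 0, "tried": set(), "ok_after_fail": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # not a usable address, skip the line
        s = seen[ip]
        if "authentication failed" in m["rest"]:
            s["fails"] += 1
            s["tried"].add(m["account"])
        elif s["fails"]:
            s["ok_after_fail"].add(m["account"])  # success after earlier failures
    flagged = {}
    for ip, s in seen.items():
        if any(ip in net for net in internal_nets):
            continue  # internal mistypes are expected; tune to taste
        reasons = []
        if s["fails"] >= threshold:
            reasons.append(f"{s['fails']} failures across {len(s['tried'])} accounts")
        if s["ok_after_fail"]:
            reasons.append("login succeeded after failures: " + ", ".join(sorted(s["ok_after_fail"])))
        if reasons:
            flagged[str(ip)] = reasons
    return flagged
```

A source reported with "login succeeded after failures" is the case to check first, since it is the one where the credentials turned out to be valid.
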

#15 (permalink)
10-31-2011, 07:48 PM
Junior Member
Posts: 6

Quote:
Originally Posted by zeirum
Ok yeah I've found another forum with someone experiencing similar issues.

honey auth failed: authentication failed for honey

And they mention that the attacker is trying to get through using the SOAP interface. As I have mentioned, I just wanted to know what's the possible threat from this kind of attack and if anyone is aware of this.

I am assuming and hoping that nothing can happen once the attacker doesn't have valid credentials.

Welcome to the real world, my friend.