honey auth failed: authentication failed for honey

[Pascal]

Hi,

since this morning, I am getting swamped by the following log entries:

Code:

Mar 30 08:57:28 zimbra saslauthd[31669]: zmauth: authenticating against elected url 'https://zimbra.fteu.lan:7071/service/admin/soap/' ...
Mar 30 08:57:28 zimbra saslauthd[31669]: zmpost: url='https://zimbra.fteu.lan:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for honey</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>com.zimbra.cs.account.AccountServiceException$AuthFailedServiceException: authentication failed for honey ExceptionId:btpool0-118://zimbra.fteu.lan:7071/service/admin/soap/:1301468248318:c8e22a553fa44c2f Code:account.AUTH_FAILED ^Iat com.zimbra.cs.account.AccountServiceException$AuthFailedServiceException.AUTH_FAILED(AccountServiceException.java:131) ^Iat com.zimbra.cs.account.AccountServiceException$AuthFailedServiceException.AUTH_FAILED(AccountServiceException.java:127) ^Iat com.zimbra.cs.service.account.Auth.handle(Auth.java:10
Mar 30 08:57:28 zimbra saslauthd[31669]: auth_zimbra: honey auth failed: authentication failed for honey
Mar 30 08:57:28 zimbra saslauthd[31669]: do_auth         : auth failure: [user=honey] [service=smtp] [realm=] [mech=zimbra] [reason=Unknown]
Mar 30 08:57:28 zimbra postfix/smtpd[29800]: warning: unknown[187.37.60.124]: SASL LOGIN authentication failed: authentication failure

These messages repeat without end. The IP stated in the last line resolves to a brazilian dialup host name, so this is very likey a spamming host. But I wonder what is happening there... Our Zimbra host is behind a NAT, only the SMTP(S), IMAP(S) and HTTPS ports are forwarded. I don't know how this can have something to do with the port at which the admin interface is running...

Maybe someone else has an idea

[John Siu]

Someone is trying to brute force your zimbra admin password through the soap interface. Try change the default 7071 to something else for admin console, or remove the port forwarding for 7071 in your nat router.

[Pascal]

Hi,

I do not have the port forwarded. That's why I'm wondering how this can happen.

For the time being, I have blocked the malicious IP with iptables.

[John Siu]

The soap interface is also available on the web GUI port.

[zeirum]

Hi Guys. I'm getting this same issue. My concern is whether this is a vulnerability in the zimbra system and what's the potential threat. Can someone from zimbra comment on this?

[rbreck]

Pascal,
Did you ever figure out what's going on here? We're experiencing the same issue with one of our users. Their calendar appear to stop syncing via CalDAV (iCAL) at the same time.