Thread: Mailbox are getting hacked...Need Urgent helppppp

  1. #1 chandu, Elite Member (joined Dec 2007, 445 posts)

    Hi guys,

    Since yesterday, 2-3 of our customers' email IDs got hacked, more than 10000 mails are being generated by these email IDs, and our mail server IP is getting blacklisted on the internet.

    In the audit log, I am getting the below kind of authentication for the hacked email IDs:

    ################################################

    2012-04-24 14:41:55,163 INFO [btpool0-5502://mail.test.com:7071/service/admin/soap/] [name=test@example.com;ip=10.10.11.2;] security - cmd=Auth; account=test@example.com; protocol=soap;
    2012-04-24 14:41:55,164 INFO [btpool0-5471://mail.test.com:7071/service/admin/soap/] [name=test@example.com;ip=10.10.11.2;] security - cmd=Auth; account=test@example.com; protocol=soap;
    2012-04-24 14:41:55,175 INFO [btpool0-5483://mail.test.com:7071/service/admin/soap/] [name=test@example.com;ip=10.10.11.2;] security - cmd=Auth; account=test@example.com; protocol=soap;
    2012-04-24 14:41:55,175 INFO [btpool0-5453://mail.test.com:7071/service/admin/soap/] [name=test@example.com;ip=10.10.11.2;] security - cmd=Auth; account=test@example.com; protocol=soap;
    2012-04-24 14:41:55,197 INFO [btpool0-5471://mail.test.com:7071/service/admin/soap/] [name=test@example.com;ip=10.10.11.2;] security - cmd=Auth; account=test@example.com; protocol=soap;
    2012-04-24 14:41:55,213 INFO [btpool0-5471://mail.test.com:7071/service/admin/soap/] [name=test@example.com;ip=10.10.11.2;] security - cmd=Auth; account=test@example.com; protocol=soap;
    2012-04-24 14:41:55,213 INFO [btpool0-5483://mail.test.com:7071/service/admin/soap/] [name=test@example.com;ip=10.10.11.2;] security - cmd=Auth; account=test@example.com; protocol=soap;
    2012-04-24 14:41:55,213 INFO [btpool0-5453://mail.test.com:7071/service/admin/soap/] [name=test@example.com;ip=10.10.11.2;] security - cmd=Auth; account=test@example.com; protocol=soap;
    2012-04-24 14:41:55,216 INFO [btpool0-5501://mail.test.com:7071/service/admin/soap/] [name=test@example.com;ip=10.10.11.2;] security - cmd=Auth; account=test@example.com; protocol=soap;
    2012-04-24 14:41:55,231 INFO [btpool0-5486://mail.test.com:7071/service/admin/soap/] [name=test@example.com;ip=10.10.11.2;] security - cmd=Auth; account=test@example.com; protocol=soap;
    2012-04-24 14:41:55,354 INFO [btpool0-5486://mail.test.com:7071/service/admin/soap/] [name=test@example.com;ip=10.10.11.2;] security - cmd=Auth; account=test@example.com; protocol=soap;
    2012-04-24 14:41:55,354 INFO [btpool0-5483://mail.test.com:7071/service/admin/soap/] [name=test@example.com;ip=10.10.11.2;] security - cmd=Auth; account=test@example.com; protocol=soap;
    2012-04-24 14:41:55,355 INFO [btpool0-5502://mail.test.com:7071/service/admin/soap/] [name=test@example.com;ip=10.10.11.2;] security - cmd=Auth; account=test@example.com; protocol=soap;

    ##############################################



    I really don't understand. Can someone please explain these audit logs to me? Where can such authentication be coming from? I haven't opened port 7071 on the internet....

    Please help....

  2. #2 liverpoolfcfan, Outstanding Member (joined Oct 2009, Dublin, IRELAND, 710 posts)


    Port 7071 is not your mail account access port - that would be 80 or 443 normally.

    Port 7071 is the admin portal - and you should normally just have this available from your local network.

  3. #3 chandu, Elite Member (joined Dec 2007, 445 posts)


    Thanks for your reply..

    Yes, right, 7071 is only open on my local network, and 443 and 80 are open on the internet. My Zimbra server is behind a firewall.
    Are these logs normal?

    Because I am confused why authentication is happening through ://mail.test.com:7071/service/admin/soap/ .. In this case IP 10.10.11.2 is my mail server's private IP....

  4. #4 liverpoolfcfan, Outstanding Member (joined Oct 2009, Dublin, IRELAND, 710 posts)


    Have you enabled any zimlets that might not have been properly configured?

    test@example.com seems like a default that would be added to a configuration file that needed to be amended prior to use.

  5. #5 chandu, Elite Member (joined Dec 2007, 445 posts)


    No, I am not using any zimlets. This email ID is our genuine email ID. I have closed this ID for the time being, but this is the third time it has happened in the last 2 days, with 3 different email IDs.

  6. #6 phoenix, Zimbra Consultant & Moderator (joined Sep 2005, Vannes, France, 23,470 posts)


    Quote Originally Posted by chandu:
    Thanks for your reply..

    Yes, right, 7071 is only open on my local network, and 443 and 80 are open on the internet. My Zimbra server is behind a firewall.
    Are these logs normal?

    Because I am confused why authentication is happening through ://mail.test.com:7071/service/admin/soap/ .. In this case IP 10.10.11.2 is my mail server's private IP....

    If the admin port is only open to your LAN and you're seeing connection attempts to this port, then you most likely have an infected PC (perhaps more than one) on your LAN.

    Regards

    Bill

  7. #7 chandu, Elite Member (joined Dec 2007, 445 posts)


    Guys,

    Some more logs.... Please help..


    Apr 24 14:41:54 mail saslauthd[14311]: zmauth: authenticating against elected url 'https://mail.test.com:7071/service/admin/soap/' (https://mail.test.com:7071/service/admin/soap/%27) ...
    Apr 24 14:41:54 mail slapd[4893]: slap_queue_csn: queing 0x440804f0 20120424091154.744278Z#000000#000#000000
    Apr 24 14:41:54 mail saslauthd[14313]: zmauth: authenticating against elected url 'https://mail.test.com:7071/service/admin/soap/' (https://mail.test.com:7071/service/admin/soap/%27) ...
    Apr 24 14:41:54 mail saslauthd[14316]: zmauth: authenticating against elected url 'https://mail.test.com:7071/service/admin/soap/' (https://mail.test.com:7071/service/admin/soap/%27) ...
    Apr 24 14:41:54 mail saslauthd[14314]: zmauth: authenticating against elected url 'https://mail.test.com:7071/service/admin/soap/' (https://mail.test.com:7071/service/admin/soap/%27) ...
    Apr 24 14:41:54 mail saslauthd[14315]: zmauth: authenticating against elected url 'https://mail.test.com:7071/service/admin/soap/' (https://mail.test.com:7071/service/admin/soap/%27) ...
    Apr 24 14:41:54 mail postfix/smtpd[12176]: connect from mail-pz0-f43.google.com[209.85.210.43]
    Apr 24 14:41:55 mail slapd[4893]: slap_queue_csn: queing 0x4207c4f0 20120424091155.133576Z#000000#000#000000
    Apr 24 14:41:55 mail slapd[4893]: slap_queue_csn: queing 0x448814f0 20120424091155.133672Z#000000#000#000000
    Apr 24 14:41:55 mail slapd[4893]: slap_queue_csn: queing 0x4287d4f0 20120424091155.133739Z#000000#000#000000
    Apr 24 14:41:55 mail slapd[4893]: slap_queue_csn: queing 0x416864f0 20120424091155.134109Z#000000#000#000000
    Apr 24 14:41:55 mail slapd[4893]: => bdb_idl_insert_key: c_put id failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30994)
    Apr 24 14:41:55 mail slapd[4893]: conn=643389 op=2: attribute "entryCSN" index add failure
    Apr 24 14:41:55 mail slapd[4893]: => bdb_idl_insert_key: c_put id failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30994)
    Apr 24 14:41:55 mail slapd[4893]: slap_graduate_commit_csn: removing 0x10de5450 20120424091154.744278Z#000000#000#000000
    Apr 24 14:41:55 mail slapd[4893]: conn=643390 op=2: attribute "entryCSN" index add failure
    Apr 24 14:41:55 mail slapd[4893]: => bdb_idl_delete_key: c_get failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30994)
    Apr 24 14:41:55 mail slapd[4893]: conn=643391 op=2: attribute "entryCSN" index delete failure
    Apr 24 14:41:55 mail slapd[4893]: slap_graduate_commit_csn: removing 0x10246bd0 20120424091155.133576Z#000000#000#000000
    Apr 24 14:41:55 mail saslauthd[14313]: zmpost: url='https://mail.test.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="14365"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_56a08d45ef3 01e678a2ee082264ba0ddcb2a04b9_69643d33363a34386365 346465302d303565362d346232392d393537372d3365363331 333836623033393b6578703d31333a31333335343331353135 3136343b76763d313a333b747970653d363a7a696d6272613b </authToken><lifetime>172800000</lifetime><skin>beach</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''
    Apr 24 14:41:55 mail saslauthd[14313]: auth_zimbra: test@example.com auth OK
    Apr 24 14:41:55 mail saslauthd[14313]: zmauth: authenticating against elected url 'https://mail.test.com:7071/service/admin/soap/' (https://mail.test.com:7071/service/admin/soap/%27) ...
    Apr 24 14:41:55 mail saslauthd[14311]: zmpost: url='https://mail.test.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="14365"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_e979ed74d58 54483db46ea46fa272e4cb1d33957_69643d33363a34386365 346465302d303565362d346232392d393537372d3365363331 333836623033393b6578703d31333a31333335343331353135 3136333b76763d313a333b747970653d363a7a696d6272613b </authToken><lifetime>172799999</lifetime><skin>beach</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''
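    The saslauthd lines above show Postfix SMTP AUTH being verified by saslauthd, which posts an AuthRequest to the server's own admin SOAP URL; that is why the audit.log entries carry the server's private IP and port 7071 even though the port is firewalled. What actually distinguishes a compromised mailbox in these logs is the rate: thirteen authentications for one account within 200 ms. The following detector is an added example, not part of this thread or of Zimbra: it parses audit.log `cmd=Auth` lines, groups them per account, and flags any account that authenticates at or above a threshold inside a one-second sliding window. The sample lines are constructed to mirror the thread's entries; the account names and IPs are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One audit.log entry in the shape quoted in the thread; the bracketed pool/URL
# field is the server-side SOAP endpoint that saslauthd posts the AuthRequest to.
AUDIT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) INFO \[[^\]]*\] "
    r"\[name=(?P<name>[^;]*);ip=(?P<ip>[^;]*);\] security - cmd=Auth; "
    r"account=(?P<account>[^;]*); protocol=(?P<protocol>[^;]*);"
)

def parse_audit(lines):
    """Return (timestamp, account, ip, protocol) for every cmd=Auth line; other lines are skipped."""
    events = []
    for line in lines:
        m = AUDIT_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
            events.append((ts, m["account"], m["ip"], m["protocol"]))
    return events

def burst_accounts(events, window=timedelta(seconds=1), threshold=5):
    """Map account -> peak number of auths inside any `window`, for accounts at or above threshold."""
    stamps_by_account = defaultdict(list)
    for ts, account, _ip, _protocol in events:
        stamps_by_account[account].append(ts)
    flagged = {}
    for account, stamps in stamps_by_account.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[account] = peak
    return flagged

# Constructed sample input (placeholder accounts and IPs) mirroring the thread's entries.
def audit_line(ts, account, ip="10.10.11.2", protocol="soap"):
    return (f"{ts} INFO [btpool0-5502://mail.test.com:7071/service/admin/soap/] "
            f"[name={account};ip={ip};] security - cmd=Auth; account={account}; protocol={protocol};")

SAMPLE_LINES = [audit_line(f"2012-04-24 14:41:55,{ms:03d}", "test@example.com")
                for ms in (163, 164, 175, 175, 197, 213, 213, 213, 216, 231, 354, 354, 355)]
SAMPLE_LINES += [audit_line("2012-04-24 14:30:02,010", "alice@example.com", "203.0.113.9", "imap"),
                 audit_line("2012-04-24 14:45:40,500", "alice@example.com", "203.0.113.9", "imap"),
                 "Apr 24 14:41:55 mail saslauthd[14313]: auth_zimbra: test@example.com auth OK"]

if __name__ == "__main__":
    for account, peak in burst_accounts(parse_audit(SAMPLE_LINES)).items():
        print(f"{account}: {peak} authentications within one second, review for compromise")
```

    Running it over the real /opt/zimbra/log/audit.log (for example piping the file into `parse_audit`) gives a per-account list to lock and re-credential; the normal IMAP user with two logins fifteen minutes apart is not reported.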

  8. #8 chandu, Elite Member (joined Dec 2007, 445 posts)


    Hi Bill,

    Thanks for your reply..

    No, we are not using the Zimbra client from our LAN. Only our customers use it, through the internet, and the Zimbra server is behind a firewall where 7071 is blocked. That's why I want to understand the kind of 7071-related logs we are getting: are those normal, or should such authentication not happen at all?? To be honest, I didn't understand these logs..

    I am thinking of implementing the reject_sender_login_mismatch parameter. Will that be helpful? I am searching on the Zimbra forum also...

  9. #9 liverpoolfcfan, Outstanding Member (joined Oct 2009, Dublin, IRELAND, 710 posts)


    Do you use external authentication to LDAP? Check this out:

    Zimbra server suddenly stopped working properly today

  10. #10 chandu, Elite Member (joined Dec 2007, 445 posts)


    No, there is no external authentication for LDAP.
