My Zimbra got exploited ?

**samuel sapp** · 09-12-2012, 01:14 AM

Hi All,
some out there is trying to crack (IMHO) my zimbra, I already search the forum and got Account Lockout: How to find IP address of soap - AuthRequest

but it I can't any solution in there
I already track the log, but only the zimbra IP address (my own machine), and add to my confuse is, I'm not open my zimbra administration port to the public.

and here's my log

Code:

AUDIT.LOG
2012-09-12 07:38:09,642 WARN  [btpool0-396://ns1-mailserver.kantor.co.id:7071/service/admin/soap/] [name=user@kantor.co.id;ip=192.168.101.99;] security - cmd=Auth;
account=user@kantor.co.id; protocol=soap; error=authentication failed for user@kantor.co.id, invalid password;
2012-09-12 07:38:10,694 WARN  [btpool0-396://ns1-mailserver.kantor.co.id:7071/service/admin/soap/] [name=user@kantor.co.id;ip=192.168.101.99;] security - cmd=Auth; account=user@kantor.co.id; protocol=soap; error=authentication failed for user@kantor.co.id, invalid password;
2012-09-12 07:38:11,685 WARN  [btpool0-396://ns1-mailserver.kantor.co.id:7071/service/admin/soap/] [name=user@kantor.co.id;ip=192.168.101.99;] security - cmd=Auth; account=user@kantor.co.id; protocol=soap; error=authentication failed for user@kantor.co.id, invalid password;

Code:

MAILBOX.LOG
[btpool0-396://ns1-mailserver.kantor.co.id:7071/service/admin/soap/] [ip=192.168.101.99;] soap - AuthRequest
2012-09-12 07:38:10,694 INFO  [btpool0-396://ns1-mailserver.kantor.co.id:7071/service/admin/soap/] [name=user@kantor.co.id;ip=192.168.101.99;] SoapEngine - handler exception: authentication failed for user@kantor.co.id, invalid password
2012-09-12 07:38:10,696 WARN  [btpool0-396] [] log - SSL renegotiate denied: java.nio.channels.SocketChannel[connected local=/192.168.101.99:7071 remote=/192.168.101.99:54921]
2012-09-12 07:38:11,537 INFO  [btpool0-396://ns1-mailserver.kantor.co.id:7071/service/admin/soap/] [ip=192.168.101.99;] soap - AuthRequest
2012-09-12 07:38:11,686 INFO  [btpool0-396://ns1-mailserver.kantor.co.id:7071/service/admin/soap/] [name=user@kantor.co.id;ip=192.168.101.99;] SoapEngine - handler exception: authentication failed for user@kantor.co.id, invalid password
2012-09-12 07:38:11,688 WARN  [btpool0-396] [] log - SSL renegotiate denied: java.nio.channels.SocketChannel[connected local=/192.168.101.99:7071 remote=/192.168.101.99

Code:

Jetty log access_log.2012-09-12
192.168.101.99 -  -  [12/Sep/2012:07:07:38 +0000] "POST /service/admin/soap/ HTTP/1.1" 500 3868 "-" "-"

My question is

1.Is there a way for me to figure the attacker IP address
2.What kind of kind of crack the hacker trying in my zimbra
3. If I upgrade my zimbra would this problem disappear

that's all from me thank you very much for you answer

**Paul Csiki** · 09-12-2012, 02:32 AM

1. On the first look it seems that his ip is: ip=192.168.101.99;
2. Also the kind of attack is bruteforce or dictionary attack by the way it looks.
3. No

Don't worry, we have millions of attacks like this on our servers and we are just fine, zimbra will automagically block the account to prevent the password being bruteforced and our engineers just filter our the IP addresses in iptables once in a while.

**samuel sapp** · 09-12-2012, 05:46 PM

hi thank for your reply,
the ip is my own zimbra machine, that's why I cannot figure out what is the actual attacker ip address, actually this kind of attacking is annoying, user often complaining about the account being lock.

Can you share with us how is your engineer figure it out to find out the attacker IP address when this kind of attack occurs in your machine, or the method your engineer using

thank you very much for your answer

**Paul Csiki** · 09-13-2012, 12:34 AM

I have asked them and here is the their answer:

You can get the real IP address from audit log:

2012-09-13 02:47:00,396 WARN [Pop3Server-39] [ip=116.255.247.226;] security - cmd=Auth; account=admin@mydomain.it; protocol=pop3; error=authentication failed for [root], account lockout;

I have no idea why your mailbox server logs the login commands from the local IP address. Are you sure your server box is secure from other intrusions, like ssh?

**vizapata** · 10-19-2012, 02:13 PM

Originally Posted by Paul Csiki

zimbra will automagically block the account to prevent the password being bruteforced

Is that true? 'cause I'm looking for something like that. By now.... I did the following:

1: Lock the user account after 3 bad logon tries
2: Look in the audit.log for the remote ip address and lock (manually) that IP address through iptables

But I want too find a way to "automagically" lock these Ip addresses.

Thanks

**ccelis5215** · 10-19-2012, 04:04 PM

Originally Posted by vizapata

Is that true? 'cause I'm looking for something like that. By now.... I did the following:

1: Lock the user account after 3 bad logon tries
2: Look in the audit.log for the remote ip address and lock (manually) that IP address through iptables

But I want too find a way to "automagically" lock these Ip addresses.

Thanks

Hello Victor, there's no "automagically lock". Paul excuse me if sounds rude

Following the basics, i mean, using https, strong passwords and educating users about security eg phishing, you could be "safe".

Regarding block manually through iptables, you have to know yet... it's a never ending work.

Also, you surely know about RBL's.

ccelis

**justdave** · 10-19-2012, 08:27 PM

Originally Posted by ccelis5215

Hello Victor, there's no "automagically lock".

That's not quite true. There's nothing provided by Zimbra, but there are third-party tools that'll do it. You probably want to look into something like fail2ban or denyhosts. I know you can create user-defined rules in fail2ban for what logfiles to read and what patterns to match in them to determine an IP to block. You can also configure how to do the blocking (add to /etc/hosts.deny, block the IP in iptables, run some arbitrary script that does something else you want, etc).

Trying to explain how to use those tools is probably beyond the scope here... they have their own communities where questions can be asked.

**Paul Csiki** · 10-20-2012, 01:32 AM

Hello,

Well on my zimbra installation if a user tries too many passwords over an account, that account gets lockout. Correct me if I'm wrong.

**justdave** · 10-20-2012, 01:43 AM

Originally Posted by Paul Csiki

Well on my zimbra installation if a user tries too many passwords over an account, that account gets lockout. Correct me if I'm wrong.

And that's exactly why he has an issue (from what I'm understanding of his complaint here so far). His real users are getting locked out because someone is trying to brute-force their accounts. So he needs to block the IP addresses of the brute force attack so his real users can log in.

**ccelis5215** · 10-20-2012, 07:49 PM

Originally Posted by justdave

And that's exactly why he has an issue (from what I'm understanding of his complaint here so far). His real users are getting locked out because someone is trying to brute-force their accounts. So he needs to block the IP addresses of the brute force attack so his real users can log in.

Justdave, thanks for yours clarifycations!.

ccelis

Zimbra

Thread: My Zimbra got exploited ?

LinkBack

Thread Tools

Search Thread

Display

My Zimbra got exploited ?

Thread Information

Users Browsing this Thread

Similar Threads

Is my server being exploited?

Posting Permissions