Thread: Identify compromised accounts

  1. #1 MobiusNZ (Special Member)

    Identify compromised accounts

    Hi,

    We've had a customer whose Zimbra server has been sending out spam. We eventually found it was an account that had its password guessed/compromised and were able to fix it by changing the password.

    However, finding the account was trickier than I would've expected. It was sending via authenticated smtp, but using a different FROM address.

    Is there any easy way to identify which authenticated account is used to send a particular email?

  2. #2 quanah (Zimbra Employee)

    The account sending an email is logged in /var/log/zimbra.log:

    For example, on ZCS8.0.4:
    Code:
    Jun 24 11:58:06 edge01-zcs postfix/smtps/smtpd[30581]: 72E91EB2: client=FQDN[IP], sasl_method=PLAIN, sasl_username=user@domain
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

  3. #3 quanah (Zimbra Employee)

    There is some additional information logged when persistent authenticated connections are used as well, but I don't have that in front of me atm.

  4. #4 pyperdown (Active Member)

    I'm giving this script I wrote this a.m. a try. The system needs to be able to protect itself from obvious abuse. More than 5 authenticated sessions in a minute is likely evidence of abuse. So once identified we lock the account. Since they most likely fell for a phishing mail and should know better I'm not real concerned about sending them notice. They can call me when they can't get into their account. No, I'm not bitter or anything.

    UPDATE: I added a pipe through sed to remove multiple spaces from the log entries as it was throwing off the awk column numbers, as well as only modifying active accounts.

    Code:
    #!/bin/bash
    # Checks the log file, counts authentications per minute per user, and
    # locks the account if the count exceeds the maxmails value.

    logfile="/var/log/zimbra.log"
    maxmails="10"
    mydomain="example.com"
    support="techsupport@$mydomain"
    accounts="/tmp/active_accounts"

    # List of active accounts (one address per line), refreshed after each lock
    su zimbra -c "/opt/zimbra/bin/zmaccts" | grep "@" | grep active | awk '{print $1}' > $accounts

    # Collapse the double space syslog puts before single-digit days so the awk
    # column numbers stay fixed; uniq -c only counts correctly on sorted input
    zgrep -i "auth ok" $logfile | sed 's/  / /g' | awk -F"[ :]" '{print $3":"$4,$11;}' | sort | uniq -c | sort -n | \
    while read line
    do
        count=`echo ${line} | cut -d' ' -f 1`
        timestamp=`echo ${line} | cut -d' ' -f 2`
        userid=`echo ${line} | cut -d' ' -f 3`
        # -x: whole-line match, so a short userid cannot match a longer account name
        active=`grep -x "$userid@$mydomain" $accounts`

        if [ "$count" -gt "$maxmails" ] && [ "$active" == "$userid@$mydomain" ]; then
            echo "Maximum email rate exceeded, $userid@$mydomain will be locked"
            su zimbra -c "/opt/zimbra/bin/zmprov ma $userid@$mydomain zimbraAccountStatus locked"
            subject="$userid account locked due to excessive connections"
            # Email text/message
            message="/tmp/emailmessage.txt"
            echo "$userid account has been locked as there were $count connections made at" > $message
            echo "$timestamp. Please have the user change their password, and check for phishing" >> $message
            echo "emails if possible." >> $message
            # send an email using /usr/bin/mail
            /usr/bin/mail -s "$subject" "$support" < $message
            rm -f $message

            # update list of active accounts
            su zimbra -c "/opt/zimbra/bin/zmaccts" | grep "@" | grep active | awk '{print $1}' > $accounts
        fi
    done

    rm -f $accounts
    Last edited by pyperdown; 07-10-2013 at 11:41 AM. Reason: Updated to check only active accounts, trim repeated spaces from log entries prior to parsing

  5. #5 MobiusNZ (Special Member)

    Thanks guys, that helps a lot. That script looks especially useful.

    Cheers, Al

  6. #6 pyperdown (Active Member)

    I modded the script to only lock active accounts. It runs a bit faster. Otherwise there tend to be a lot of hits and redundant notification emails, and the zmprov ma command is pretty slooooooow.

  7. #7 drwho18 (Senior Member)

    The script posted above is a good idea, however it doesn't really stop an in-process attack (at least on my Zimbra setup). It checks for "auth ok", of which I tend to see a few; the spammer appears to hold SMTP open and I see each send tagged with a "sasl_username" in the logs, and checking the message ID out I see it was a new message with fresh recipients. I have modded the script to check for sasl_username, as I think that is more relevant to trip off a spam notice, however locking the account does not stop said account from continuing to spam through the server. If it tries to come in from a new IP it will try to reauth and fail fine, but I believe it will continue to function until the SMTP session is stopped, by which time a lot of damage can be done to a mail server's reputation. Any ideas how to stop this, or reduce the max SMTP session time or something, would be the way to go. I wish every sasl_username request was an actual auth attempt; maybe saslauthd is caching by default on Zimbra?

  8. #8 quanah (Zimbra Employee)

    This has nothing to do with sasl auth attempts, but more funky logging. What the spammers do is create a persistent SMTP session. However, postfix logs that sasl auth is OK every time they send a message, even though no *new* sasl authentication is happening. I.e., this is kind of a bug in postfix logging. The only way to close their connection is to bounce postfix.

  9. #9 drwho18 (Senior Member)

    Ok, well I kind of feared that. Does it need to be a complete postfix restart, or will a reload do the trick?

  10. #10 Klug (Moderator)

    I rewrote the above script to search for sasl_username in the log and lock according to it.
    Code:
    #!/bin/bash
    # Checks the log file, counts authenticated submissions per minute per user
    # (sasl_username), locks accounts over the maxmails value, and bounces
    # postfix only if something was locked, to drop persistent SMTP sessions.

    logfile="/var/log/zimbra.log"
    maxmails="5"
    mydomain="domain.tld"
    support="support@$mydomain"
    accounts="/tmp/active_accounts"
    locked=0

    su - zimbra -c "/opt/zimbra/bin/zmaccts" | grep "@" | grep active | awk '{print $1}' > $accounts

    # The loop reads from a process substitution (not a pipe) so that $locked
    # set inside it is still visible afterwards.
    while read line
    do
        count=`echo ${line} | cut -d' ' -f 1`
        timestamp=`echo ${line} | cut -d' ' -f 2`
        userid=`echo ${line} | cut -d' ' -f 3`
        # sasl_username normally already carries the domain; only append it if missing
        case "$userid" in
            *@*) account="$userid" ;;
            *)   account="$userid@$mydomain" ;;
        esac
        active=`grep -x "$account" $accounts`

        if [ "$count" -gt "$maxmails" ] && [ "$active" == "$account" ]; then
            echo "Maximum email rate exceeded, $account will be locked"
            su - zimbra -c "/opt/zimbra/bin/zmprov ma $account zimbraAccountStatus locked"
            locked=1
            subject="$account locked due to excessive connections"
            # Email text/message
            message="/tmp/emailmessage.txt"
            echo "$account has been locked as there were $count connections made at" > $message
            echo "$timestamp. Please have the user change their password, and check for phishing" >> $message
            echo "emails if possible." >> $message
            # send an email using /bin/mail
            /bin/mail -s "$subject" "$support" < $message
            rm -f $message

            # update list of active accounts
            su - zimbra -c "/opt/zimbra/bin/zmaccts" | grep "@" | grep active | awk '{print $1}' > $accounts
        fi
    # Match PLAIN and LOGIN submissions alike; sasl_username is column 13 once the
    # double space syslog puts before single-digit days is collapsed
    done < <(zgrep -i "sasl_username=" $logfile | sed 's/  / /g' | awk -F"[ :]" '{print $3":"$4,$13;}' | sed 's/sasl_username=//g' | sort | uniq -c | sort -n)

    rm -f $accounts

    # "postfix restart" is not a postfix(1) subcommand; bounce the MTA through the
    # Zimbra control script instead, and only when an account was actually locked
    if [ "$locked" -eq 1 ]; then
        su - zimbra -c "/opt/zimbra/bin/zmmtactl restart"
    fi
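    An added example, not code from this thread or from Zimbra: it parses the smtpd log line format quoted in #2, applies the per-minute threshold rule the scripts above use, and groups submissions by smtpd process id so the persistent-session pattern described in #8 shows up. The log lines are constructed and the host, addresses and account names are placeholders.

```python
import re
from collections import Counter, defaultdict

# Matches the postfix/smtpd line quoted earlier in the thread; the timestamp is
# matched explicitly because syslog pads single-digit days with a double space.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<hh>\d\d):(?P<mm>\d\d):\d\d \S+ "
    r"postfix/\S*smtpd\[(?P<pid>\d+)\]: (?P<qid>[0-9A-F]+): client=(?P<client>\S+?),"
    r".*?sasl_username=(?P<user>\S+)"
)

def parse(lines):
    """Yield one dict per authenticated-submission line; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["minute"] = f"{e['mon']} {int(e['day']):02d} {e['hh']}:{e['mm']}"
            yield e

def rate_per_minute(lines):
    """Submissions per (minute, sasl_username); sasl_username already carries the domain."""
    return Counter((e["minute"], e["user"]) for e in parse(lines))

def flag_accounts(lines, maxmails=5):
    """Accounts that exceed maxmails in any single minute, like the scripts' lock rule."""
    return sorted({user for (_, user), n in rate_per_minute(lines).items() if n > maxmails})

def sessions(lines):
    """Submissions per (smtpd pid, user). Many queue ids under one pid is a single
    persistent SMTP session re-logging sasl_username; locking alone will not end it."""
    out = defaultdict(int)
    for e in parse(lines):
        out[(e["pid"], e["user"])] += 1
    return dict(out)

# Constructed sample, modelled on the log line quoted in the thread (placeholder names).
SAMPLE = [
    f"Jun  4 11:58:{s:02d} edge01-zcs postfix/smtps/smtpd[30581]: 72E91EB{i}: "
    "client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com"
    for i, s in enumerate(range(6, 48, 7), start=2)
] + [
    "Jun  4 11:58:30 edge01-zcs postfix/smtps/smtpd[30600]: 80A12C01: "
    "client=mail.example.net[198.51.100.5], sasl_method=LOGIN, sasl_username=bob@example.com",
    "Jun  4 11:58:31 edge01-zcs postfix/smtps/smtpd[30600]: 80A12C01: message-id=<1@example.com>",
]

if __name__ == "__main__":
    print(flag_accounts(SAMPLE), sessions(SAMPLE))
```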
