Security/spam (Linux/Zimbra) in Technical
So after a batch of phishing emails and dealing with the outcomes of people getting click happy on anything that isn't titled "THIS IS NOT REAL DO NOT CLICK", we've had a new one today.
Zimbra (7). Ubuntu (Old).
Zimbra admin and SSH connection to server from outside the premises disabled. (tested)
Yet somehow, an IP address from Belarus shows as connected to the server (auth.log), logged in with a non-admin account (no dictionary attack, at least not on that server - one login attempt, successful) and 99 emails get sent. All we know about it is when this user got a load of non-delivery reports back to her email address. Entirely bypassed Zimbra by the looks of it, however it appears to log into the Zimbra admin console (but didn't! Could be misreading the logs). Nothing in trash, sent, drafts etc. from that user. Zimbra's audit log shows a successful login for that user from the server's IP address (extremely odd).
Any thoughts on that, places to start? Obviously passwords changed but still can't see how a non admin user could log on from that server.
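One place to start on the auth.log question is to pull every accepted SSH login from an address outside your own ranges and note how many failed attempts from that same address came before it: a success with zero prior failures means the attacker already had the password, which is the pattern described above. The script below is an added example written for this thread, not something posted by anyone in it; the log lines are constructed in the sshd "Accepted"/"Failed" format, and the INTERNAL ranges are an assumption you would replace with your own.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample auth.log lines (not taken from the thread).
SAMPLE_AUTH_LOG = """\
Jun 16 08:01:12 mail sshd[2311]: Accepted publickey for admin from 192.168.1.20 port 51234 ssh2
Jun 16 09:14:03 mail sshd[2402]: Failed password for invalid user test from 198.51.100.7 port 4022 ssh2
Jun 16 09:14:07 mail sshd[2402]: Failed password for invalid user test from 198.51.100.7 port 4022 ssh2
Jun 16 09:14:11 mail sshd[2402]: Accepted password for test from 198.51.100.7 port 4022 ssh2
Jun 16 11:37:55 mail sshd[2577]: Accepted password for jsmith from 203.0.113.45 port 40211 ssh2
"""

# Assumed internal ranges; anything else is treated as "outside the premises".
INTERNAL = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]

# Matches both "Accepted <method> for <user> from <ip>" and
# "Failed <method> for [invalid user ]<user> from <ip>" sshd lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text):
    """Return a list of dicts for every sshd Accepted/Failed line, in file order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def external_logins(text, internal=INTERNAL):
    """Accepted logins from outside `internal`, each with the number of failed
    attempts seen from the same source address earlier in the log."""
    failures = defaultdict(int)
    hits = []
    for e in parse_auth_log(text):
        if e["result"] == "Failed":
            failures[e["ip"]] += 1
            continue
        addr = ip_address(e["ip"])
        if any(addr in net for net in internal):
            continue
        hits.append({
            "ts": e["ts"],
            "user": e["user"],
            "ip": e["ip"],
            "method": e["method"],
            "prior_failures": failures[e["ip"]],
        })
    return hits


def single_shot_password_logins(text, internal=INTERNAL):
    """The pattern from the post: external, password-based, no guessing beforehand."""
    return [h for h in external_logins(text, internal)
            if h["method"] == "password" and h["prior_failures"] == 0]


if __name__ == "__main__":
    for h in external_logins(SAMPLE_AUTH_LOG):
        print(f'{h["ts"]} {h["user"]:<8} from {h["ip"]:<15} '
              f'{h["method"]:<9} prior failures: {h["prior_failures"]}')
    print("single-shot password logins:",
          [h["user"] for h in single_shot_password_logins(SAMPLE_AUTH_LOG)])
```

Run it against the real file (`python3 script.py` with `SAMPLE_AUTH_LOG` replaced by the contents of /var/log/auth.log, or the rotated .gz copies) and the 'test' entry shows what a guessing attack looks like, while the 'jsmith' entry shows a credential that was already known. Any account in the second list is one whose password was obtained elsewhere, which is the question the rest of this thread is about.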
It's making me think about turning the server off. Found an exploit easy enough that even I can do it. Basically, it works around SOAP to upload a shell, runs a script to get the LDAP credentials, grabs a user & pass and away it goes. So in effect you're not far wrong.
Time to update (no small feat) or move onto Office 365
Thanks for the update there fella, hopefully you've got it covered up for now.
I'd imagine the Ubuntu updates on the current version (assuming LTS) will be safe enough, though the Zimbra side isn't something I've played with in a good few years (we use it at work, though it's third-party hosted).
still can't see how a non admin user could log on from that server.
Not sure, but once the attacker is in it's relatively easy for them to gain root privileges via a Linux kernel exploit which was discovered earlier this month (CVE-2014-3153).
Pinkie Pie discovered an issue in the futex subsystem that allows a local user to gain ring 0 control via the futex syscall. An unprivileged user could use this flaw to crash the kernel (resulting in denial of service) or for privilege escalation. (Source)
This is the same exploit that George Hotz's TowelRoot app uses to root Android devices (currently very popular with Galaxy S5 owners).