  1. #1

    synaesthesia

    Security/spam (Linux/Zimbra)

    So after a batch of phishing emails and dealing with the outcomes of people getting click-happy on anything that isn't titled "THIS IS NOT REAL DO NOT CLICK", we've had a new one today.

    Zimbra (7). Ubuntu (Old).
    Zimbra admin and SSH connection to server from outside the premises disabled. (tested)
    Yet somehow, an IP address from Belarus shows as connected to the server (auth.log), logged in with a non-admin account (no dictionary attack, at least not on that server - one login attempt, successful) and 99 emails get sent. All we know about it is when this user got a load of non-delivery reports back to her email address. Entirely bypassed Zimbra by the looks of it; however, it appears to log into the Zimbra admin console (but didn't! Could be misreading the logs). Nothing in trash, sent, drafts etc. from that user. Zimbra's audit log shows a successful login for that user from the server's IP address (extremely odd).

    Any thoughts on that, places to start? Obviously passwords changed but still can't see how a non admin user could log on from that server.

  2. #2
    Hmm ... interesting one.

    Only thing I could think of if everything is proper locked down is some kind of php/perl shell thing running on the webserver that could get in on loopback/local IP.

    You say a non-admin account, is it an account that is used to run any services on the box itself?

    This has piqued my interest this one ...!

  3. #3

    synaesthesia
    It's making me think about turning the server off. Found an exploit easy enough that even I can do it. Basically works around SOAP to upload a shell, runs a script to get the LDAP credentials, grab a user & pass and away it goes. So in effect you're not far wrong.
    Time to update (no small feat) or move onto Office 365
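
As an added example (not code from the thread, and not Zimbra's own tooling), here is a small Python pass over constructed auth.log and Zimbra audit.log lines that flags the two patterns described in posts #1 and #3: a successful SSH login from outside the expected networks with no failed attempts in front of it, and a Zimbra mailbox login whose client address is the mail server itself, which is what a shell running on the box and replaying stolen LDAP credentials would look like. The server addresses, trusted networks and every log line are assumptions; the Zimbra line layout is an approximation of its audit.log, so check the field names against a real log before relying on it.

```python
"""Detection pass for the two oddities in the thread: one-shot successful SSH
logins from an unexpected network (no failed attempts first) and Zimbra Auth
events whose client address is the mail server itself."""
import ipaddress
import re
from collections import defaultdict

# Hypothetical deployment details: the server's own addresses and the
# networks from which interactive logins are expected.
SERVER_IPS = {"127.0.0.1", "::1", "192.0.2.10"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample of /var/log/auth.log (sshd lines only).
AUTH_LOG = """\
Jun 10 08:55:01 mail sshd[2011]: Failed password for bob from 10.0.0.7 port 50110 ssh2
Jun 10 08:55:06 mail sshd[2011]: Accepted password for bob from 10.0.0.7 port 50110 ssh2
Jun 10 09:12:33 mail sshd[2048]: Accepted password for alice from 203.0.113.45 port 51234 ssh2
Jun 10 09:30:12 mail sshd[2090]: Failed password for invalid user admin from 198.51.100.9 port 40000 ssh2
"""

# Constructed sample approximating Zimbra's audit.log "cmd=Auth" lines; a
# proxied webmail login carries the real client in oip= and the proxy in ip=.
ZIMBRA_AUDIT = """\
2014-06-10 08:56:10,001 INFO [ImapServer-3] [name=bob@example.org;ip=10.0.0.7;] security - cmd=Auth; account=bob@example.org; protocol=imap;
2014-06-10 09:01:00,120 INFO [btpool0-4://mail/service/soap/AuthRequest] [name=carol@example.org;oip=10.0.0.21;ip=127.0.0.1;ua=zclient/7.2.0;] security - cmd=Auth; account=carol@example.org; protocol=soap;
2014-06-10 09:14:02,557 INFO [btpool0-9://mail/service/soap/AuthRequest] [name=alice@example.org;ip=192.0.2.10;ua=curl/7.22.0;] security - cmd=Auth; account=alice@example.org; protocol=soap;
2014-06-10 09:20:44,300 INFO [btpool0-2://mail/service/soap/AuthRequest] [name=dave@example.org;ip=203.0.113.45;ua=zclient/7.2.0;] security - cmd=Auth; account=dave@example.org; protocol=soap; error=authentication failed for [dave@example.org], invalid password;
"""

SSH_RE = re.compile(r"sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for "
                    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ZIMBRA_RE = re.compile(r"\[(?P<ctx>[^\]]*)\] security - cmd=Auth; "
                       r"account=(?P<account>[^;]+);(?P<rest>.*)$")


def parse_auth_log(text):
    """Return [(user, ip, accepted)] for each sshd login attempt."""
    events = []
    for line in text.splitlines():
        m = SSH_RE.search(line)
        if m:
            events.append((m["user"], m["ip"], m["result"] == "Accepted"))
    return events


def parse_zimbra_audit(text):
    """Return [(account, client_ip, success)] for each Zimbra Auth event.

    oip= (original client behind the proxy) wins over ip=; otherwise every
    proxied webmail login would look like it came from 127.0.0.1."""
    events = []
    for line in text.splitlines():
        m = ZIMBRA_RE.search(line)
        if not m:
            continue
        ctx = dict(kv.split("=", 1) for kv in m["ctx"].split(";") if "=" in kv)
        client_ip = ctx.get("oip") or ctx.get("ip", "")
        events.append((m["account"].strip(), client_ip, "error=" not in m["rest"]))
    return events


def in_trusted(ip):
    """True if ip parses and falls inside one of TRUSTED_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def find_suspicious(ssh_events, zimbra_events):
    """Return [(kind, user, ip)] findings, in log order."""
    findings = []
    failures = defaultdict(int)   # ip -> failed sshd attempts seen so far
    for user, ip, accepted in ssh_events:
        if not accepted:
            failures[ip] += 1
        elif not in_trusted(ip) and failures[ip] == 0:
            # First-try success from an unknown network: the password was
            # already known (or a key planted), not guessed.
            findings.append(("ssh-single-shot", user, ip))
    for account, ip, success in zimbra_events:
        if success and ip in SERVER_IPS:
            # Mailbox login whose client is the server itself: something
            # running on the box authenticated with a user's credentials.
            findings.append(("zimbra-from-server", account, ip))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(parse_auth_log(AUTH_LOG),
                                   parse_zimbra_audit(ZIMBRA_AUDIT)):
        print(*finding)
```

Run as a script it prints the two findings from the sample data (alice's one-shot SSH login from 203.0.113.45 and alice@example.org authenticating from the server's own address); to use it for real, swap the two constants for the contents of the actual files and put the box's real addresses in SERVER_IPS. The oip= rule matters: a proxied Zimbra install logs 127.0.0.1 in ip= for every webmail login, so keying on ip= alone would drown the real signal in false positives.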

  4. #4

    synaesthesia
    Patched up, hopefully that'll put an end to this but still leaves a question mark over the future. The joys!

  5. #5

    FN-GM
    How old is old regarding Ubuntu please?

  6. #6

    Thanks for the update there fella, hopefully you've got it covered up for now.

    I'd imagine the Ubuntu updates on the current version (assuming LTS) will be safe enough, though the Zimbra side isn't something I've played with in a good few years (we do use it at work, though it's third-party hosted).

  7. #7

    Quote Originally Posted by synaesthesia:
    "still can't see how a non admin user could log on from that server."
    Not sure, but once the attacker is in it's relatively easy for them to gain root privileges via a Linux kernel exploit which was discovered earlier this month (CVE-2014-3153).

    Pinkie Pie discovered an issue in the futex subsystem that allows a local user to gain ring 0 control via the futex syscall. An unprivileged user could use this flaw to crash the kernel (resulting in denial of service) or for privilege escalation. (Source)
    This is the same exploit that George Hotz's TowelRoot app uses to root Android devices (currently very popular with Galaxy S5 owners).
