When managing servers, the logs sometimes reveal an emerging pattern that has not yet been identified in public records.
While detecting traffic from compromised devices all over the globe, all using the same username (npwvpz), I decided to follow the traffic back to the originating device and identified an edge router/firewall with an unencrypted login interface exposed, managed by a well-known major vendor, on a network run by a well-known global cloud/hosting provider.
Contacted both companies.
For those looking to build up AI or pattern-based detection, look for the following:
Ports: 7073, 443
Username: npwvpz
Log keywords: saslauthd : zmpost: url='REDACTED:7073/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [npwvpz@REDACTED]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp1151755506-10755:1703589075503:7ce72cf05077383f</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
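As an added example (not part of the original post), the following Python script parses that saslauthd/zmpost fault line, pulls the endpoint port and the account name out of the SOAP Fault, and flags events matching the username and ports listed above while counting failures per username. The host mail.example.test and the sample log lines are constructed for the example.

```python
import re
from collections import Counter

# Pattern for the Zimbra saslauthd/zmpost failure line quoted above: it captures
# the SOAP endpoint (host and port) and the account named in the Fault Reason.
ZMPOST_RE = re.compile(
    r"saslauthd.*?zmpost: url='(?P<endpoint>[^']*?):(?P<port>\d+)/service/admin/soap/'"
    r".*?authentication failed for \[(?P<user>[^@\]]+)@(?P<domain>[^\]]+)\]"
)
# Indicators taken from the post: the shared username and the ports it was seen on.
WATCH_USERNAMES = {"npwvpz"}
WATCH_PORTS = {7073, 443}

def parse_zmpost_line(line):
    """Return {'endpoint','port','user','domain'} or None if the line is not a zmpost auth failure."""
    m = ZMPOST_RE.search(line)
    if not m:
        return None
    return {"endpoint": m.group("endpoint"), "port": int(m.group("port")),
            "user": m.group("user"), "domain": m.group("domain")}

def scan_log(lines):
    """Parse every zmpost failure; return (indicator hits, failure count per username)."""
    hits, counts = [], Counter()
    for line in lines:
        ev = parse_zmpost_line(line)
        if ev is None:
            continue
        counts[ev["user"]] += 1
        if ev["user"] in WATCH_USERNAMES and ev["port"] in WATCH_PORTS:
            hits.append(ev)
    return hits, counts

def fault_line(user, port):
    """Build a constructed sample log line in the quoted format (not a real capture)."""
    return (f"saslauthd : zmpost: url='mail.example.test:{port}/service/admin/soap/' "
            f"returned buffer->data='<soap:Envelope xmlns:soap=\"http://www.w3.org/2003/05/soap-envelope\">"
            f"<soap:Body><soap:Fault><soap:Reason><soap:Text>authentication failed for "
            f"[{user}@example.test]</soap:Text></soap:Reason></soap:Fault></soap:Body>"
            f"</soap:Envelope>', hti->error=''")

# Constructed sample log: two failures for the shared username, one for an ordinary
# user, and one unrelated line that the parser must ignore.
SAMPLE_LOG = [fault_line("npwvpz", 7073), fault_line("alice", 7073),
              fault_line("npwvpz", 443), "postfix/smtpd[2200]: connect from unknown[203.0.113.5]"]

if __name__ == "__main__":
    hits, counts = scan_log(SAMPLE_LOG)
    print(f"{len(hits)} indicator hits; failures per username: {dict(counts)}")
```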