[RCU] Security issue (possible?) (was: RE: Unknown user in users table, very odd, possible security hole)

Jorge Bastos mysql.jorge at decimal.pt
Fri Feb 9 10:33:37 CET 2018


Ok, another login just right now:

Feb  9 09:25:41 fastweb roundcube: <sm6djv7v> Successful login for
donny at adhigunaputera.com (ID: 100412) from 110.136.11.0 in session
sm6djv7vh6oplo694nff7ng2rp

Alec, can you help debugging this?

From: users-bounces at lists.roundcube.net
[mailto:users-bounces at lists.roundcube.net] On Behalf Of Jorge Bastos
Sent: 9 February 2018 09:18
To: 'Roundcube Users mailing list' <users at lists.roundcube.net>
Subject: [RCU] Security issue (possible?) (was: RE: Unknown user in users
table, very odd, possible security hole)

ALEC!!!!!!!

There's some security problem in RC I believe!

Check this:

Feb  9 01:46:44 fastweb roundcube: <ibj96bvb> Successful login for
donny at adhigunaputera.com (ID: 100412) from 110.136.11.0 in session
ibj96bvbj5akqlt5slpc47ikfb

This user doesn't belong to any of the IMAP accounts, how was he able to
log in?

After the login, there are some login failed lines:

Feb  9 02:47:27 fastweb roundcube: <ibj96bvb> IMAP Error: Login failed for
donny at adhigunaputera.com from 110.136.11.0. Empty startup greeting
(mail.adhigunaputera.com:143) in
/home/hosting/dhosting.pt/webmail/program/lib/Roundcube/rcube_imap.php on
line 196 (POST /webmail/?_task=mail&_action=refresh)

Feb  9 02:48:37 fastweb roundcube: <ibj96bvb> IMAP Error: Login failed for
donny at adhigunaputera.com from 110.136.11.0. Empty startup greeting
(mail.adhigunaputera.com:143) in
/home/hosting/dhosting.pt/webmail/program/lib/Roundcube/rcube_imap.php on
line 196 (POST /webmail/?_task=mail&_action=refresh)

Feb  9 02:49:47 fastweb roundcube: <ibj96bvb> IMAP Error: Login failed for
donny at adhigunaputera.com from 110.136.11.0. Empty startup greeting
(mail.adhigunaputera.com:143) in
/home/hosting/dhosting.pt/webmail/program/lib/Roundcube/rcube_imap.php on
line 196 (POST /webmail/?_task=mail&_action=refresh

(funny the IP is the network IP)

What's the best place to move forward with investigation with this issue,
here or dev list?

Could you assist me on this?

Thank you in advance,

From: users-bounces at lists.roundcube.net
[mailto:users-bounces at lists.roundcube.net] On Behalf Of Hannu Hirvonen
Sent: 8 February 2018 20:43
To: users at lists.roundcube.net
Subject: Re: [RCU] Unknown user in users table, very odd, possible security
hole

On 08.02.2018 22:34, Jorge Bastos wrote:

Not in there but you reminded me about:

// Log successful/failed logins to <log_dir>/userlogins or to syslog

That's why I said "something like ...", might have been a bit clearer, of
course :-)

-- 
  Hannu Hirvonen (hh at uwasa.fi, http://www.uwasa.fi/~hh/)
  Computer Centre, University of Vaasa, BOX 700, FI-65101 VAASA, Finland
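
Added example, not part of the original message or of Roundcube: a small scan over login log lines of the shape quoted above, flagging successful logins for mail domains the server does not host and IMAP errors that name an unexpected IMAP host. The domain and host sets, the sample lines and the finding labels are assumptions constructed for illustration.

```python
import re

# Assumptions for this example (not from the thread): the mail domains and
# IMAP hosts this webmail installation is meant to serve.
HOSTED_DOMAINS = {"hosted.example"}
EXPECTED_IMAP_HOSTS = {"imap.hosted.example"}

# Line shapes follow the log lines quoted in the thread.
LOGIN_RE = re.compile(
    r"roundcube: <(?P<sid>\w+)> Successful login for (?P<user>\S+) "
    r"\(ID: (?P<uid>\d+)\) from (?P<ip>\S+) in session")
IMAP_ERR_RE = re.compile(
    r"roundcube: <(?P<sid>\w+)> IMAP Error: Login failed for (?P<user>\S+)"
    r"\s+from\s+(?P<ip>\S+?)\. .*?\((?P<host>[\w.-]+):(?P<port>\d+)\)")

# Constructed sample lines (documentation addresses and domains, placeholder path).
SAMPLE_LOG = """\
Feb  9 01:40:02 mailhost roundcube: <aaaa1111> Successful login for alice@hosted.example (ID: 12) from 192.0.2.10 in session aaaa1111bbbb
Feb  9 01:46:44 mailhost roundcube: <cccc2222> Successful login for mallory@other.example (ID: 100412) from 198.51.100.0 in session cccc2222dddd
Feb  9 02:47:27 mailhost roundcube: <cccc2222> IMAP Error: Login failed for mallory@other.example from 198.51.100.0. Empty startup greeting (mail.other.example:143) in /path/to/rcube_imap.php on line 196 (POST /webmail/?_task=mail&_action=refresh)
Feb  9 03:00:00 mailhost roundcube: <aaaa1111> IMAP Error: Login failed for alice@hosted.example from 192.0.2.10. Empty startup greeting (imap.hosted.example:143) in /path/to/rcube_imap.php on line 196 (POST /webmail/?_task=mail&_action=refresh)
"""


def find_anomalies(log_text):
    """Return (kind, session_tag, user, detail) tuples for suspicious lines."""
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            # Users without "@" are treated as local accounts and skipped.
            _, at, domain = m["user"].rpartition("@")
            if at and domain.lower() not in HOSTED_DOMAINS:
                findings.append(("foreign-login", m["sid"], m["user"], m["ip"]))
            continue
        m = IMAP_ERR_RE.search(line)
        if m and m["host"].lower() not in EXPECTED_IMAP_HOSTS:
            findings.append(("foreign-imap-host", m["sid"], m["user"], m["host"]))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG):
        print(*finding, sep="\t")
```

The tag in angle brackets is the same on the login line and on the later IMAP error lines, so it can be used to tie the findings for one session together.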