two hundred wrote:
Greetings,
My apologies for the "hit & run" but why are hackers looking for roundcube on our server? I'm not concerned about our system per se, my question is what attracts hackers to roundcube?
Thanks,
93.190.138.51 - - [31/Mar/2009:04:25:34 -0400] "GET /roundcube/CHANGELOG HTTP/1.1" 404 1012
93.190.138.51 - - [31/Mar/2009:04:25:34 -0400] "GET /mail/CHANGELOG HTTP/1.1" 404 997
93.190.138.51 - - [31/Mar/2009:04:25:34 -0400] "GET /webmail/CHANGELOG HTTP/1.1" 404 1006
93.190.138.51 - - [31/Mar/2009:04:25:34 -0400] "GET /roundcubemail/CHANGELOG HTTP/1.1" 404 1024
93.190.138.51 - - [31/Mar/2009:04:25:34 -0400] "GET /rcmail/CHANGELOG HTTP/1.1" 404 1003
93.190.138.51 - - [31/Mar/2009:04:25:35 -0400] "GET //CHANGELOG HTTP/1.1" 404 985
93.190.138.51 - - [31/Mar/2009:04:25:35 -0400] "GET /rc/CHANGELOG HTTP/1.1" 404 991
93.190.138.51 - - [31/Mar/2009:04:25:35 -0400] "GET /email/CHANGELOG HTTP/1.1" 404 1000
93.190.138.51 - - [31/Mar/2009:04:25:35 -0400] "GET /mail2/CHANGELOG HTTP/1.1" 404 1000
93.190.138.51 - - [31/Mar/2009:04:25:35 -0400] "GET /Webmail/CHANGELOG HTTP/1.1" 404 1006
93.190.138.51 - - [31/Mar/2009:04:25:36 -0400] "GET /components/com_roundcube/CHANGELOG HTTP/1.1" 404 1057
93.190.138.51 - - [31/Mar/2009:04:25:36 -0400] "GET /squirrelmail/CHANGELOG HTTP/1.1" 404 1021
93.190.138.51 - - [31/Mar/2009:04:25:36 -0400] "GET /vhcs2/tools/webmail/CHANGELOG HTTP/1.1" 404 1042
93.190.138.51 - - [31/Mar/2009:04:25:36 -0400] "GET /round/CHANGELOG HTTP/1.1" 404 1000
195.207.15.79 - - [04/Apr/2009:05:14:18 -0400] "GET /roundcube/CHANGELOG HTTP/1.1" 404 1012
195.207.15.79 - - [04/Apr/2009:05:14:18 -0400] "GET /mail/CHANGELOG HTTP/1.1" 404 997
195.207.15.79 - - [04/Apr/2009:05:14:18 -0400] "GET /webmail/CHANGELOG HTTP/1.1" 404 1006
195.207.15.79 - - [04/Apr/2009:05:14:18 -0400] "GET /roundcubemail/CHANGELOG HTTP/1.1" 404 1024
195.207.15.79 - - [04/Apr/2009:05:14:18 -0400] "GET /rcmail/CHANGELOG HTTP/1.1" 404 1003
195.207.15.79 - - [04/Apr/2009:05:14:19 -0400] "GET //CHANGELOG HTTP/1.1" 404 985
195.207.15.79 - - [04/Apr/2009:05:14:19 -0400] "GET /rc/CHANGELOG HTTP/1.1" 404 991
195.207.15.79 - - [04/Apr/2009:05:14:19 -0400] "GET /email/CHANGELOG HTTP/1.1" 404 1000
195.207.15.79 - - [04/Apr/2009:05:14:19 -0400] "GET /mail2/CHANGELOG HTTP/1.1" 404 1000
195.207.15.79 - - [04/Apr/2009:05:14:19 -0400] "GET /Webmail/CHANGELOG HTTP/1.1" 404 1006
195.207.15.79 - - [04/Apr/2009:05:14:20 -0400] "GET /components/com_roundcube/CHANGELOG HTTP/1.1" 404 1057
195.207.15.79 - - [04/Apr/2009:05:14:20 -0400] "GET /squirrelmail/CHANGELOG HTTP/1.1" 404 1021
195.207.15.79 - - [04/Apr/2009:05:14:20 -0400] "GET /vhcs2/tools/webmail/CHANGELOG HTTP/1.1" 404 1042
195.207.15.79 - - [04/Apr/2009:05:14:20 -0400] "GET /round/CHANGELOG HTTP/1.1" 404 1000
209.160.64.61 - - [05/Apr/2009:20:36:02 -0400] "GET /roundcube/CHANGELOG HTTP/1.1" 404 1012
209.160.64.61 - - [05/Apr/2009:20:36:02 -0400] "GET /mail/CHANGELOG HTTP/1.1" 404 997
209.160.64.61 - - [05/Apr/2009:20:36:02 -0400] "GET /webmail/CHANGELOG HTTP/1.1" 404 1006
209.160.64.61 - - [05/Apr/2009:20:36:02 -0400] "GET /roundcubemail/CHANGELOG HTTP/1.1" 404 1024
209.160.64.61 - - [05/Apr/2009:20:36:02 -0400] "GET /rcmail/CHANGELOG HTTP/1.1" 404 1003
209.160.64.61 - - [05/Apr/2009:20:36:02 -0400] "GET //CHANGELOG HTTP/1.1" 404 985
209.160.64.61 - - [05/Apr/2009:20:36:02 -0400] "GET /rc/CHANGELOG HTTP/1.1" 404 991
209.160.64.61 - - [05/Apr/2009:20:36:02 -0400] "GET /email/CHANGELOG HTTP/1.1" 404 1000
209.160.64.61 - - [05/Apr/2009:20:36:02 -0400] "GET /mail2/CHANGELOG HTTP/1.1" 404 1000
209.160.64.61 - - [05/Apr/2009:20:36:02 -0400] "GET /Webmail/CHANGELOG HTTP/1.1" 404 1006
209.160.64.61 - - [05/Apr/2009:20:36:02 -0400] "GET /components/com_roundcube/CHANGELOG HTTP/1.1" 404 1057
209.160.64.61 - - [05/Apr/2009:20:36:03 -0400] "GET /squirrelmail/CHANGELOG HTTP/1.1" 404 1021
209.160.64.61 - - [05/Apr/2009:20:36:03 -0400] "GET /vhcs2/tools/webmail/CHANGELOG HTTP/1.1" 404 1042
209.160.64.61 - - [05/Apr/2009:20:36:03 -0400] "GET /round/CHANGELOG HTTP/1.1" 404 1000
It seems my users have the same issue, and the OS (CentOS 5.x) was hacked. Their roundcube is 0.1.1-stable.
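
The probes in the log above share one shape: a single client asks for the same file name (CHANGELOG) under many candidate webmail directories within a few seconds, and every request returns 404. The sketch below flags that shape in a Common Log Format access log. It is an added example, not code from this thread; the function name `find_path_sweeps`, the 5-directory threshold and the 10-second window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format: host ident user [time] "METHOD path PROTO" status size
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

# The first six entries are from the post; the 192.0.2.10 entries are constructed.
SAMPLE = """\
93.190.138.51 - - [31/Mar/2009:04:25:34 -0400] "GET /roundcube/CHANGELOG HTTP/1.1" 404 1012
93.190.138.51 - - [31/Mar/2009:04:25:34 -0400] "GET /mail/CHANGELOG HTTP/1.1" 404 997
93.190.138.51 - - [31/Mar/2009:04:25:34 -0400] "GET /webmail/CHANGELOG HTTP/1.1" 404 1006
93.190.138.51 - - [31/Mar/2009:04:25:34 -0400] "GET /roundcubemail/CHANGELOG HTTP/1.1" 404 1024
93.190.138.51 - - [31/Mar/2009:04:25:34 -0400] "GET /rcmail/CHANGELOG HTTP/1.1" 404 1003
93.190.138.51 - - [31/Mar/2009:04:25:35 -0400] "GET //CHANGELOG HTTP/1.1" 404 985
192.0.2.10 - - [31/Mar/2009:04:26:01 -0400] "GET /favicon.ico HTTP/1.1" 404 980
192.0.2.10 - - [31/Mar/2009:04:26:02 -0400] "GET /index.html HTTP/1.1" 200 5120
"""

def find_path_sweeps(text, min_dirs=5, window=timedelta(seconds=10)):
    """Return {ip: {file_name: [dirs]}} for clients that got 404 for the same
    file name under at least min_dirs different directories within window."""
    hits = defaultdict(list)  # (ip, file name) -> [(time, directory)]
    # finditer also copes with several entries run together on one line
    for m in LINE_RE.finditer(text):
        directory, _, name = m["path"].split("?")[0].rpartition("/")
        if m["status"] != "404" or not name:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[(m["ip"], name)].append((ts, directory or "/"))
    sweeps = {}
    for (ip, name), events in hits.items():
        events.sort()
        best, start = set(), 0
        for end in range(len(events)):
            # slide the window start forward until it spans <= window
            while events[end][0] - events[start][0] > window:
                start += 1
            dirs = {d for _, d in events[start:end + 1]}
            if len(dirs) > len(best):
                best = dirs
        if len(best) >= min_dirs:
            sweeps.setdefault(ip, {})[name] = sorted(best)
    return sweeps
```

Calling `find_path_sweeps(open(path).read())` on a real access log gives the clients to review or rate-limit; a single stray 404, like the constructed favicon request, is not reported.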