Oops, forgot to mail the list.
PS: Fail2ban seems to be very busy today...
173.45.68.130 - - [09/Jan/2009:14:37:38 +0100] "GET /nonexistenshit HTTP/1.1" 404 274 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
173.45.68.130 - - [09/Jan/2009:14:37:38 +0100] "GET /mail/bin/msgimport HTTP/1.1" 404 278 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
173.45.68.130 - - [09/Jan/2009:14:37:38 +0100] "GET /bin/msgimport HTTP/1.1" 404 273 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
173.45.68.130 - - [09/Jan/2009:14:37:38 +0100] "GET /rc/bin/msgimport HTTP/1.1" 404 276 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
173.45.68.130 - - [09/Jan/2009:14:37:38 +0100] "GET /roundcube/bin/msgimport HTTP/1.1" 404 283 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
173.45.68.130 - - [09/Jan/2009:14:37:38 +0100] "GET /webmail/bin/msgimport HTTP/1.1" 404 281 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
etc...
Maybe msgimport is used to test html2text.php presence?
It's a shell script. Webservers won't execute it but will simply return the content as if it were a simple text file, no?
Regards,
On Fri, 09 Jan 2009 15:35:44 +0200, Gokdeniz Karadag gokdenizk@gmail.com wrote:
There have been reports regarding botnet scans for msgimport.sh. The file should be investigated for security breaches.
The preg_replace at get_opt seems fishy, but I was not able to inject commands into it.
http://stateofsecurity.com/?p=550
http://isc.sans.org/diary.html?storyid=5599&rss
http://www.linode.com/forums/archive/o_t/t_3796/roundcube_webmail_scanning.h...
http://zastita.com/015038/roundcube-webmail-.html
_______________________________________________
List info: http://lists.roundcube.net/dev/
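Added example, not part of the original thread: a log check that flags the pattern visible in the access-log excerpt above, one client receiving 404s for the same file under several candidate install directories. The function name `find_path_sweeps`, the `min_prefixes` threshold and the `192.0.2.10` line are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Apache combined log format: client IP, identity, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

UA = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) "
      "Gecko/2008120122 Firefox/3.0.5")

def _line(ip, path, size):
    return (f'{ip} - - [09/Jan/2009:14:37:38 +0100] "GET {path} HTTP/1.1" '
            f'404 {size} "-" "{UA}"')

# The six requests quoted in the message, rebuilt one per line.
SAMPLE = [_line("173.45.68.130", p, s) for p, s in [
    ("/nonexistenshit", 274), ("/mail/bin/msgimport", 278),
    ("/bin/msgimport", 273), ("/rc/bin/msgimport", 276),
    ("/roundcube/bin/msgimport", 283), ("/webmail/bin/msgimport", 281),
]]
# Constructed line: an ordinary visitor hitting a single missing file.
SAMPLE.append(_line("192.0.2.10", "/images/logo.png", 270))

def find_path_sweeps(lines, min_prefixes=3):
    """Return {(ip, leaf): [prefixes]} for clients that got 404s for the same
    two-component leaf (e.g. bin/msgimport) under >= min_prefixes directories."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "404":
            continue  # unparsable line, or the request did not miss
        parts = [p for p in m["path"].split("?", 1)[0].split("/") if p]
        if len(parts) < 2:
            continue  # single-component paths carry no directory prefix
        leaf = "/".join(parts[-2:])
        prefix = "/" + "/".join(parts[:-2])
        seen[(m["ip"], leaf)].add(prefix)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_prefixes}

if __name__ == "__main__":
    for (ip, leaf), prefixes in find_path_sweeps(SAMPLE).items():
        print(f"{ip} swept {leaf} under {len(prefixes)} directories: {prefixes}")
```
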