Greetings,
My apologies for the "hit & run" but why are hackers looking for roundcube on our server ? I'm not concerned about our system per se, my question is what attracts hackers to roundcube ?
Thanks,
93.190.138.51 - - [31/Mar/2009:04:25:34 -0400] "GET /roundcube/CHANGELOG HTTP/1.1" 404 1012
93.190.138.51 - - [31/Mar/2009:04:25:34 -0400] "GET /mail/CHANGELOG HTTP/1.1" 404 997
93.190.138.51 - - [31/Mar/2009:04:25:34 -0400] "GET /webmail/CHANGELOG HTTP/1.1" 404 1006
93.190.138.51 - - [31/Mar/2009:04:25:34 -0400] "GET /roundcubemail/CHANGELOG HTTP/1.1" 404 1024
93.190.138.51 - - [31/Mar/2009:04:25:34 -0400] "GET /rcmail/CHANGELOG HTTP/1.1" 404 1003
93.190.138.51 - - [31/Mar/2009:04:25:35 -0400] "GET //CHANGELOG HTTP/1.1" 404 985
93.190.138.51 - - [31/Mar/2009:04:25:35 -0400] "GET /rc/CHANGELOG HTTP/1.1" 404 991
93.190.138.51 - - [31/Mar/2009:04:25:35 -0400] "GET /email/CHANGELOG HTTP/1.1" 404 1000
93.190.138.51 - - [31/Mar/2009:04:25:35 -0400] "GET /mail2/CHANGELOG HTTP/1.1" 404 1000
93.190.138.51 - - [31/Mar/2009:04:25:35 -0400] "GET /Webmail/CHANGELOG HTTP/1.1" 404 1006
93.190.138.51 - - [31/Mar/2009:04:25:36 -0400] "GET /components/com_roundcube/CHANGELOG HTTP/1.1" 404 1057
93.190.138.51 - - [31/Mar/2009:04:25:36 -0400] "GET /squirrelmail/CHANGELOG HTTP/1.1" 404 1021
93.190.138.51 - - [31/Mar/2009:04:25:36 -0400] "GET /vhcs2/tools/webmail/CHANGELOG HTTP/1.1" 404 1042
93.190.138.51 - - [31/Mar/2009:04:25:36 -0400] "GET /round/CHANGELOG HTTP/1.1" 404 1000

195.207.15.79 - - [04/Apr/2009:05:14:18 -0400] "GET /roundcube/CHANGELOG HTTP/1.1" 404 1012
195.207.15.79 - - [04/Apr/2009:05:14:18 -0400] "GET /mail/CHANGELOG HTTP/1.1" 404 997
195.207.15.79 - - [04/Apr/2009:05:14:18 -0400] "GET /webmail/CHANGELOG HTTP/1.1" 404 1006
195.207.15.79 - - [04/Apr/2009:05:14:18 -0400] "GET /roundcubemail/CHANGELOG HTTP/1.1" 404 1024
195.207.15.79 - - [04/Apr/2009:05:14:18 -0400] "GET /rcmail/CHANGELOG HTTP/1.1" 404 1003
195.207.15.79 - - [04/Apr/2009:05:14:19 -0400] "GET //CHANGELOG HTTP/1.1" 404 985
195.207.15.79 - - [04/Apr/2009:05:14:19 -0400] "GET /rc/CHANGELOG HTTP/1.1" 404 991
195.207.15.79 - - [04/Apr/2009:05:14:19 -0400] "GET /email/CHANGELOG HTTP/1.1" 404 1000
195.207.15.79 - - [04/Apr/2009:05:14:19 -0400] "GET /mail2/CHANGELOG HTTP/1.1" 404 1000
195.207.15.79 - - [04/Apr/2009:05:14:19 -0400] "GET /Webmail/CHANGELOG HTTP/1.1" 404 1006
195.207.15.79 - - [04/Apr/2009:05:14:20 -0400] "GET /components/com_roundcube/CHANGELOG HTTP/1.1" 404 1057
195.207.15.79 - - [04/Apr/2009:05:14:20 -0400] "GET /squirrelmail/CHANGELOG HTTP/1.1" 404 1021
195.207.15.79 - - [04/Apr/2009:05:14:20 -0400] "GET /vhcs2/tools/webmail/CHANGELOG HTTP/1.1" 404 1042
195.207.15.79 - - [04/Apr/2009:05:14:20 -0400] "GET /round/CHANGELOG HTTP/1.1" 404 1000

209.160.64.61 - - [05/Apr/2009:20:36:02 -0400] "GET /roundcube/CHANGELOG HTTP/1.1" 404 1012
209.160.64.61 - - [05/Apr/2009:20:36:02 -0400] "GET /mail/CHANGELOG HTTP/1.1" 404 997
209.160.64.61 - - [05/Apr/2009:20:36:02 -0400] "GET /webmail/CHANGELOG HTTP/1.1" 404 1006
209.160.64.61 - - [05/Apr/2009:20:36:02 -0400] "GET /roundcubemail/CHANGELOG HTTP/1.1" 404 1024
209.160.64.61 - - [05/Apr/2009:20:36:02 -0400] "GET /rcmail/CHANGELOG HTTP/1.1" 404 1003
209.160.64.61 - - [05/Apr/2009:20:36:02 -0400] "GET //CHANGELOG HTTP/1.1" 404 985
209.160.64.61 - - [05/Apr/2009:20:36:02 -0400] "GET /rc/CHANGELOG HTTP/1.1" 404 991
209.160.64.61 - - [05/Apr/2009:20:36:02 -0400] "GET /email/CHANGELOG HTTP/1.1" 404 1000
209.160.64.61 - - [05/Apr/2009:20:36:02 -0400] "GET /mail2/CHANGELOG HTTP/1.1" 404 1000
209.160.64.61 - - [05/Apr/2009:20:36:02 -0400] "GET /Webmail/CHANGELOG HTTP/1.1" 404 1006
209.160.64.61 - - [05/Apr/2009:20:36:02 -0400] "GET /components/com_roundcube/CHANGELOG HTTP/1.1" 404 1057
209.160.64.61 - - [05/Apr/2009:20:36:03 -0400] "GET /squirrelmail/CHANGELOG HTTP/1.1" 404 1021
209.160.64.61 - - [05/Apr/2009:20:36:03 -0400] "GET /vhcs2/tools/webmail/CHANGELOG HTTP/1.1" 404 1042
209.160.64.61 - - [05/Apr/2009:20:36:03 -0400] "GET /round/CHANGELOG HTTP/1.1" 404 1000
List info: http://lists.roundcube.net/dev/
More slop from the logs:
91.121.1.29 - - [25/Mar/2009:05:16:06 -0400] "GET /program/js/list.js HTTP/1.1" 404 1009
91.121.1.29 - - [25/Mar/2009:05:16:06 -0400] "GET /rc/program/js/list.js HTTP/1.1" 404 1018
91.121.1.29 - - [25/Mar/2009:05:16:06 -0400] "GET /roundcube/program/js/list.js HTTP/1.1" 404 1039
91.121.1.29 - - [25/Mar/2009:05:16:06 -0400] "GET /roundcube-0.1/program/js/list.js HTTP/1.1" 404 1051
91.121.1.29 - - [25/Mar/2009:05:16:07 -0400] "GET /roundcube-0.1.1/program/js/list.js HTTP/1.1" 404 1057
91.121.1.29 - - [25/Mar/2009:05:16:07 -0400] "GET /roundcubemail/program/js/list.js HTTP/1.1" 404 1051
91.121.1.29 - - [25/Mar/2009:05:16:07 -0400] "GET /roundcubemail-0.1/program/js/list.js HTTP/1.1" 404 1063
91.121.1.29 - - [25/Mar/2009:05:16:07 -0400] "GET /roundcubemail-0.1.1/program/js/list.js HTTP/1.1" 404 1069
91.121.1.29 - - [25/Mar/2009:05:16:08 -0400] "GET /cube/program/js/list.js HTTP/1.1" 404 1024
91.121.1.29 - - [25/Mar/2009:05:16:08 -0400] "GET /mail/program/js/list.js HTTP/1.1" 404 1024
91.121.1.29 - - [25/Mar/2009:05:16:08 -0400] "GET /mail2/program/js/list.js HTTP/1.1" 404 1027
91.121.1.29 - - [25/Mar/2009:05:16:08 -0400] "GET /webmail/program/js/list.js HTTP/1.1" 404 1033
91.121.1.29 - - [25/Mar/2009:05:16:09 -0400] "GET /email/program/js/list.js HTTP/1.1" 404 1027

61.19.248.73 - - [06/Apr/2009:05:28:59 -0400] "GET /roundcube/CHANGELOG HTTP/1.1" 404 1012
61.19.248.73 - - [06/Apr/2009:05:28:59 -0400] "GET /mail/CHANGELOG HTTP/1.1" 404 997
61.19.248.73 - - [06/Apr/2009:05:29:00 -0400] "GET /webmail/CHANGELOG HTTP/1.1" 404 1006
61.19.248.73 - - [06/Apr/2009:05:29:00 -0400] "GET /roundcubemail/CHANGELOG HTTP/1.1" 404 1024
61.19.248.73 - - [06/Apr/2009:05:29:01 -0400] "GET /rcmail/CHANGELOG HTTP/1.1" 404 1003
61.19.248.73 - - [06/Apr/2009:05:29:01 -0400] "GET //CHANGELOG HTTP/1.1" 404 985
61.19.248.73 - - [06/Apr/2009:05:29:02 -0400] "GET /rc/CHANGELOG HTTP/1.1" 404 991
61.19.248.73 - - [06/Apr/2009:05:29:02 -0400] "GET /email/CHANGELOG HTTP/1.1" 404 1000
61.19.248.73 - - [06/Apr/2009:05:29:03 -0400] "GET /mail2/CHANGELOG HTTP/1.1" 404 1000
61.19.248.73 - - [06/Apr/2009:05:29:03 -0400] "GET /Webmail/CHANGELOG HTTP/1.1" 404 1006
61.19.248.73 - - [06/Apr/2009:05:29:04 -0400] "GET /components/com_roundcube/CHANGELOG HTTP/1.1" 404 1057
61.19.248.73 - - [06/Apr/2009:05:29:04 -0400] "GET /squirrelmail/CHANGELOG HTTP/1.1" 404 1021
61.19.248.73 - - [06/Apr/2009:05:29:05 -0400] "GET /vhcs2/tools/webmail/CHANGELOG HTTP/1.1" 404 1042
61.19.248.73 - - [06/Apr/2009:05:29:05 -0400] "GET /round/CHANGELOG HTTP/1.1" 404 1000
two hundred wrote:
> Greetings, I'm not concerned about our system per se, my question is what attracts hackers to roundcube ?
Older RC revisions had some security issues and there might be undiscovered security issues in the existing version... which might allow hacking into the server, sending spam or proxying requests...
Best regards,
Michael
On Apr 6, 2009, at 9:23 AM, two hundred wrote:
> Greetings,
> My apologies for the "hit & run" but why are hackers looking for
> roundcube on our server ?
Any web app that has known vulnerabilities gets targeted by bots
looking for installs that haven't patched those known vulnerabilities.
RoundCube is just one of many, such as awstats, phpmyadmin, etc.
I've always wondered what would happen on the other end if I took a
Linux distro install iso file and renamed it to one of the files
these bots did a GET for.
However I don't have the spare bandwidth, nor do I want to be the
target of a DoS.
two hundred wrote:
> Greetings,
> My apologies for the "hit & run" but why are hackers looking for roundcube on our server ? I'm not concerned about our system per se, my question is what attracts hackers to roundcube ?
It seems my users have the same issue, and the OS (CentOS 5.x) was hacked. Their roundcube is 0.1.1-stable.
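
The probes posted in this thread share one signature: a single client requests the same filename (CHANGELOG, list.js) under many candidate install directories within a second or two, and every request returns 404. The following is an added example, not code from the thread or from the RoundCube project, that flags that pattern in a Common Log Format access log; the function name, the five-directory threshold and the 60-second window are assumptions, and the sample lines are constructed on the model of the posted log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from posixpath import basename, dirname

# Common Log Format: ip ident user [time] "METHOD path proto" status size
CLF = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) \S+')

def find_path_sweeps(lines, min_dirs=5, window=timedelta(seconds=60)):
    """Return [(ip, filename, n_dirs)] for clients that received 404s for the
    same filename under at least min_dirs directories within window."""
    hits = defaultdict(list)  # (ip, filename) -> [(time, directory)]
    for line in lines:
        m = CLF.match(line)
        if not m or m.group(4) != "404":
            continue
        ip, ts, path, _status = m.groups()
        path = path.split("?", 1)[0]          # ignore any query string
        name = basename(path)
        if not name:                          # bare directory request
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        hits[(ip, name)].append((when, dirname(path)))
    sweeps = []
    for (ip, name), seen in sorted(hits.items()):
        seen.sort()
        # Largest number of distinct directories in any window-long stretch.
        best = max(len({d for t, d in seen[i:] if t - start <= window})
                   for i, (start, _) in enumerate(seen))
        if best >= min_dirs:
            sweeps.append((ip, name, best))
    return sweeps

# Constructed sample: six probes modelled on the thread's log (timestamps and
# sizes simplified), plus ordinary traffic from a documentation-range address.
SAMPLE = [
    f'93.190.138.51 - - [31/Mar/2009:04:25:34 -0400] "GET {d}/CHANGELOG HTTP/1.1" 404 1012'
    for d in ("/roundcube", "/mail", "/webmail", "/roundcubemail", "/rcmail", "/rc")
] + [
    '192.0.2.10 - - [31/Mar/2009:04:26:00 -0400] "GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.10 - - [31/Mar/2009:04:26:01 -0400] "GET /favicon.ico HTTP/1.1" 404 980',
]

if __name__ == "__main__":
    for ip, name, n in find_path_sweeps(SAMPLE):
        print(f"{ip} probed {n} directories for {name}")
```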