There have been reports regarding botnet scans for msgimport.sh. The file should be investigated for security breaches.
The preg_replace at get_opt seems fishy, but I was not able to inject commands into it.
http://stateofsecurity.com/?p=550
http://isc.sans.org/diary.html?storyid=5599&rss
http://www.linode.com/forums/archive/o_t/t_3796/roundcube_webmail_scanning.h...
http://zastita.com/015038/roundcube-webmail-.html
_______________________________________________
List info: http://lists.roundcube.net/dev/
Houps, forgot to mail the list
PS: Fail2ban seems to be very busy today...
173.45.68.130 - - [09/Jan/2009:14:37:38 +0100] "GET /nonexistenshit HTTP/1.1" 404 274 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
173.45.68.130 - - [09/Jan/2009:14:37:38 +0100] "GET /mail/bin/msgimport HTTP/1.1" 404 278 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
173.45.68.130 - - [09/Jan/2009:14:37:38 +0100] "GET /bin/msgimport HTTP/1.1" 404 273 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
173.45.68.130 - - [09/Jan/2009:14:37:38 +0100] "GET /rc/bin/msgimport HTTP/1.1" 404 276 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
173.45.68.130 - - [09/Jan/2009:14:37:38 +0100] "GET /roundcube/bin/msgimport HTTP/1.1" 404 283 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
173.45.68.130 - - [09/Jan/2009:14:37:38 +0100] "GET /webmail/bin/msgimport HTTP/1.1" 404 281 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
etc...
Maybe msgimport is used to test for the presence of html2text.php?
It's a shell script. Webservers won't execute it but simply return the content as if it were a simple text file... no?
Regards,
On Fri, 09 Jan 2009 15:35:44 +0200, Gokdeniz Karadag gokdenizk@gmail.com wrote:
There have been reports regarding botnet scans for msgimport.sh. The file should be investigated for security breaches.
The preg_replace at get_opt seems fishy, but I was not able to inject commands into it.
http://stateofsecurity.com/?p=550
http://isc.sans.org/diary.html?storyid=5599&rss
http://www.linode.com/forums/archive/o_t/t_3796/roundcube_webmail_scanning.h...
http://zastita.com/015038/roundcube-webmail-.html
Maximilien Cuony [The_Glu] wrote:
173.45.68.130 - - [09/Jan/2009:14:37:38 +0100] "GET /webmail/bin/msgimport HTTP/1.1" 404 281 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
I think those are just scans for vulnerable roundcube versions. Since 0.2-alpha we don't have a bin/msgimport file (there's a bin/msgimport.sh file).
A.L.E.C wrote:
Maximilien Cuony [The_Glu] wrote:
173.45.68.130 - - [09/Jan/2009:14:37:38 +0100] "GET /webmail/bin/msgimport HTTP/1.1" 404 281 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
I think those are just scans for vulnerable roundcube versions. Since 0.2-alpha we don't have a bin/msgimport file (there's a bin/msgimport.sh file).
FWIW, I have been seeing a large number of scans in the past week or so.
The weird thing is that I am seeing them on an IlohaMail site and not RoundCube. Our RoundCube install is linked on the Iloha login page, but they are still only checking the main page "webmail.<mydomain>.com"
Another server I have running RC is seeing 0 attempts, even though it is also webmail.<adifferentdomain>.com -- its login page is not linked from any other page, since it is my own personal setup.
Here's a snip from my logs:
[Wed Jan 07 10:23:27 2009] [error] [client 69.64.50.209] File does not exist: /my/webmail/root/path/bin
[Wed Jan 07 10:23:32 2009] [error] [client 69.64.50.209] File does not exist: /my/webmail/root/path/mail
[Wed Jan 07 10:23:37 2009] [error] [client 69.64.50.209] File does not exist: /my/webmail/root/path/rc
[Wed Jan 07 10:23:42 2009] [error] [client 69.64.50.209] File does not exist: /my/webmail/root/path/roundcube
[Wed Jan 07 10:23:47 2009] [error] [client 69.64.50.209] File does not exist: /my/webmail/root/path/roundcubemail
[Wed Jan 07 10:23:52 2009] [error] [client 69.64.50.209] File does not exist: /my/webmail/root/path/roundcube-mail
[Wed Jan 07 10:23:57 2009] [error] [client 69.64.50.209] File does not exist: /my/webmail/root/path/roundcubemail-0.1
[Wed Jan 07 10:24:02 2009] [error] [client 69.64.50.209] File does not exist: /my/webmail/root/path/roundcubemail-0.1.1
[Wed Jan 07 10:24:07 2009] [error] [client 69.64.50.209] File does not exist: /my/webmail/root/path/roundcubemail-0.1beta
[Wed Jan 07 10:24:12 2009] [error] [client 69.64.50.209] File does not exist: /my/webmail/root/path/roundcubemail-0.1beta2
[Wed Jan 07 10:24:17 2009] [error] [client 69.64.50.209] File does not exist: /my/webmail/root/path/roundcubemail-0.1-rc1
[Wed Jan 07 10:24:23 2009] [error] [client 69.64.50.209] File does not exist: /my/webmail/root/path/roundcubemail-0.1-rc2
[Wed Jan 07 10:24:28 2009] [error] [client 69.64.50.209] File does not exist: /my/webmail/root/path/roundcubemail-0.2
[Wed Jan 07 10:24:33 2009] [error] [client 69.64.50.209] File does not exist: /my/webmail/root/path/roundcubemail-0.2-alpha
[Wed Jan 07 10:24:38 2009] [error] [client 69.64.50.209] File does not exist: /my/webmail/root/path/roundcubemail-0.2-beta
[Wed Jan 07 10:24:43 2009] [error] [client 69.64.50.209] File does not exist: /my/webmail/root/path/webmail
And then about 50 of these:
[Wed Jan 07 23:58:42 2009] [error] [client 212.95.54.63] File does not exist: /my/webmail/root/path/nonexistenshit
[Wed Jan 07 23:58:42 2009] [error] [client 212.95.54.63] File does not exist: /my/webmail/root/path/mail
[Wed Jan 07 23:58:42 2009] [error] [client 212.95.54.63] File does not exist: /my/webmail/root/path/bin
[Wed Jan 07 23:58:42 2009] [error] [client 212.95.54.63] File does not exist: /my/webmail/root/path/rc
[Wed Jan 07 23:58:42 2009] [error] [client 212.95.54.63] File does not exist: /my/webmail/root/path/roundcube
[Wed Jan 07 23:58:42 2009] [error] [client 212.95.54.63] File does not exist: /my/webmail/root/path/webmail
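A defender-side way to pick these probe sequences out of both log formats quoted in this thread (the Apache access-log lines from the Fail2ban excerpt and the error-log "File does not exist" lines above), as an added example that is not from the thread or from the RoundCube project: the fingerprint names are taken from the paths quoted in the thread, the sample log lines are constructed, and the 3-path threshold and 5-minute window are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Directory names the scanner guesses, plus its "nonexistenshit" 404 baseline request.
PROBE_NAMES = {"nonexistenshit", "mail", "bin", "rc", "roundcube", "webmail"}
# Apache combined access-log line (Fail2ban excerpt) and error-log "File does not exist" line.
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
ERROR_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] File does not exist: (?P<path>\S+)')
def is_probe(path):
    """True if the URL or file path ends in one of the scanner's fingerprint names."""
    if path.endswith("/bin/msgimport"):
        return True
    last = path.rstrip("/").rsplit("/", 1)[-1]
    return last in PROBE_NAMES or last.startswith("roundcubemail")
def parse_line(line):
    """Return (ip, timestamp, path) for a failed request; None for anything else."""
    m = ACCESS_RE.match(line)
    if m and m.group("status") == "404":  # a 200 on a fingerprint path is a real page, not a probe
        # Access-log stamps carry a zone offset; drop it so both formats compare as naive local time.
        return m.group("ip"), datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None), m.group("path")
    m = ERROR_RE.match(line)
    if m:
        return m.group("ip"), datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"), m.group("path")
def detect_scanners(lines, min_probes=3, window=timedelta(minutes=5)):
    """Map each IP with >= min_probes distinct fingerprint 404s inside one window to its probed paths."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and is_probe(parsed[2]):
            events[parsed[0]].append((parsed[1], parsed[2]))
    hits = {}
    for ip, evs in events.items():
        evs.sort()
        for start, _ in evs:  # slide the window over the IP's time-ordered events
            if len({p for t, p in evs if start <= t <= start + window}) >= min_probes:
                hits[ip] = sorted({p for _, p in evs})
                break
    return hits

# Constructed sample lines (RFC 5737 addresses) modelled on the thread's log excerpts.
SAMPLE_LINES = [
    '192.0.2.10 - - [09/Jan/2009:14:37:38 +0100] "GET /nonexistenshit HTTP/1.1" 404 274 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [09/Jan/2009:14:37:38 +0100] "GET /mail/bin/msgimport HTTP/1.1" 404 278 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [09/Jan/2009:14:37:39 +0100] "GET /roundcube/bin/msgimport HTTP/1.1" 404 283 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Jan/2009:14:40:01 +0100] "GET /webmail/ HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '[Wed Jan 07 10:23:27 2009] [error] [client 203.0.113.5] File does not exist: /var/www/bin',
    '[Wed Jan 07 10:23:32 2009] [error] [client 203.0.113.5] File does not exist: /var/www/mail',
    '[Wed Jan 07 10:23:37 2009] [error] [client 203.0.113.5] File does not exist: /var/www/roundcubemail-0.2-alpha',
]
```

Running `detect_scanners(SAMPLE_LINES)` flags 192.0.2.10 and 203.0.113.5 and ignores the legitimate 200 on /webmail/; the same output is what a Fail2ban filter would key on.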
We were alerted to this earlier this week, and we believe there might have been a vulnerability in earlier versions of RoundCube, so our general advice would be to update your copy; generally, most distros that carry RoundCube have more updated versions, etc.
Till
On Fri, Jan 9, 2009 at 2:35 PM, Gokdeniz Karadag gokdenizk@gmail.com wrote:
There have been reports regarding botnet scans for msgimport.sh. The file should be investigated for security breaches.
The preg_replace at get_opt seems fishy, but I was not able to inject commands into it.
http://stateofsecurity.com/?p=550
http://isc.sans.org/diary.html?storyid=5599&rss
http://www.linode.com/forums/archive/o_t/t_3796/roundcube_webmail_scanning.h...
http://zastita.com/015038/roundcube-webmail-.html