ALEC!!!!!!!
There's some security problem in RC I believe!
Check this:
Feb 9 01:46:44 fastweb roundcube: <ibj96bvb> Successful login for donny@adhigunaputera.com (ID: 100412) from 110.136.11.0 in session ibj96bvbj5akqlt5slpc47ikfb
This user doesn't belong to any of the IMAP accounts, how was he able to log in?
After the login, there are some login failed lines:
Feb 9 02:47:27 fastweb roundcube: <ibj96bvb> IMAP Error: Login failed for donny@adhigunaputera.com from 110.136.11.0. Empty startup greeting (mail.adhigunaputera.com:143) in /home/hosting/dhosting.pt/webmail/program/lib/Roundcube/rcube_imap.php on line 196 (POST /webmail/?_task=mail&_action=refresh)
Feb 9 02:48:37 fastweb roundcube: <ibj96bvb> IMAP Error: Login failed for donny@adhigunaputera.com from 110.136.11.0. Empty startup greeting (mail.adhigunaputera.com:143) in /home/hosting/dhosting.pt/webmail/program/lib/Roundcube/rcube_imap.php on line 196 (POST /webmail/?_task=mail&_action=refresh)
Feb 9 02:49:47 fastweb roundcube: <ibj96bvb> IMAP Error: Login failed for donny@adhigunaputera.com from 110.136.11.0. Empty startup greeting (mail.adhigunaputera.com:143) in /home/hosting/dhosting.pt/webmail/program/lib/Roundcube/rcube_imap.php on line 196 (POST /webmail/?_task=mail&_action=refresh
(funny the IP is the network IP)
What's the best place to move forward with the investigation of this issue, here or the dev list?
Could you assist me on this?
Thank you in advance,
From: users-bounces@lists.roundcube.net [mailto:users-bounces@lists.roundcube.net] On Behalf Of Hannu Hirvonen
Sent: 8 February 2018 20:43
To: users@lists.roundcube.net
Subject: Re: [RCU] Unknown user in users table, very odd, possible security hole
On 08.02.2018 22:34, Jorge Bastos wrote:
Not in there, but you reminded me about:
// Log successful/failed logins to <log_dir>/userlogins or to syslog
That's why I said "something like ...", might have been a bit clearer, of course :-)
Ok, another login just right now:
Feb 9 09:25:41 fastweb roundcube: <sm6djv7v> Successful login for donny@adhigunaputera.com (ID: 100412) from 110.136.11.0 in session sm6djv7vh6oplo694nff7ng2rp
Alec, can you help debugging this?
did you check if there is a matching logon on your imap server? maybe enable password logging if you can and log in as his user and see what he sees? did you confirm that your roundcube is configured to use the correct imap server?
Roundcube Users mailing list users@lists.roundcube.net http://lists.roundcube.net/mailman/listinfo/users
> did you check if there is a matching logon on your imap server?
Yes, the domains that I'm referring to are not hosted here, but somewhere else.
> maybe enable password logging if you can and log in as his user and see what he sees?
Hum, which setting is this? I can't find anything for logs related to passwords.
> did you confirm that your roundcube is configured to use the correct imap server?
Well yes, but now I'm thinking: I have the imap server set to be dynamic, it's filled with:
mail. + domain.tld
OK, this option in Roundcube is grrreeeaaattt, but I think it makes people use my server for webmail! Damn!
How would I tell Roundcube to connect just to my IPs? I could do this via iptables, but if some shared hosting user wants to connect to any imap server he would be blocked.
-----Original Message-----
From: Computerisms Corporation [mailto:bob@computerisms.ca]
Sent: Friday, 9 February 2018 17:13
To: Roundcube Users mailing list; Jorge Bastos
Subject: Re: [RCU] Security issue (possible?) (was: RE: Unknown user in users table, very odd, possible security hole)
did you check if there is a matching logon on your imap server? maybe enable password logging if you can and log in as his user and see what he sees? did you confirm that your roundcube is configured to use the correct imap server?
Roundcube Users mailing list users@lists.roundcube.net http://lists.roundcube.net/mailman/listinfo/users
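Added example, not part of the thread and not Roundcube code: a log check for the situation the last reply arrives at, where an IMAP host built as "mail." + domain lets accounts from domains hosted elsewhere log in through this webmail. It flags successful logins whose mail domain is not local and collects the backend host each session reached; `foreign_logins`, `HOSTED_DOMAINS` and the `hosted.example` line are assumptions made for illustration.

```python
import re

# Line shapes follow the syslog excerpts quoted in the thread.
LOGIN_RE = re.compile(
    r"roundcube: <(?P<sid>\w+)> Successful login for (?P<user>\S+) "
    r"\(ID: (?P<uid>\d+)\) from (?P<ip>\S+) in session")
IMAP_ERR_RE = re.compile(
    r"roundcube: <(?P<sid>\w+)> IMAP Error: Login failed for \S+ from [\d.]+\. "
    r".*?\((?P<host>[\w.-]+):(?P<port>\d+)\)")


def foreign_logins(lines, hosted_domains):
    """Map session tag -> details for logins whose mail domain is not hosted here."""
    hosted = {d.lower() for d in hosted_domains}
    found = {}
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            _local, at, domain = m["user"].rpartition("@")
            # No "@" means a bare local account name: nothing to compare.
            if at and domain.lower() not in hosted:
                found[m["sid"]] = {"user": m["user"], "uid": int(m["uid"]),
                                   "client_ip": m["ip"], "imap_hosts": set()}
            continue
        m = IMAP_ERR_RE.search(line)
        if m and m["sid"] in found:
            # Backend that Roundcube contacted on behalf of this session.
            found[m["sid"]]["imap_hosts"].add(f'{m["host"]}:{m["port"]}')
    return found


# Assumption: placeholder for the domains this server really hosts.
HOSTED_DOMAINS = {"hosted.example"}

SAMPLE = [
    # Two lines copied from the thread:
    "Feb 9 01:46:44 fastweb roundcube: <ibj96bvb> Successful login for donny@adhigunaputera.com (ID: 100412) from 110.136.11.0 in session ibj96bvbj5akqlt5slpc47ikfb",
    "Feb 9 02:47:27 fastweb roundcube: <ibj96bvb> IMAP Error: Login failed for donny@adhigunaputera.com from 110.136.11.0. Empty startup greeting (mail.adhigunaputera.com:143) in /home/hosting/dhosting.pt/webmail/program/lib/Roundcube/rcube_imap.php on line 196 (POST /webmail/?_task=mail&_action=refresh)",
    # Constructed line for a locally hosted account:
    "Feb 9 03:00:00 fastweb roundcube: <abcd1234> Successful login for alice@hosted.example (ID: 7) from 192.0.2.10 in session abcd1234efgh5678",
]

if __name__ == "__main__":
    for sid, hit in foreign_logins(SAMPLE, HOSTED_DOMAINS).items():
        print(sid, hit)
```
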