Thread: roundcube exploit in progress

  1. #1
    Join Date
    Jun 2008
    Posts
    232

    roundcube exploit in progress

    A note for those of you with RoundCube 0.2 beta installed.

    In December last year details of exploits in the beta release were patched and the latest stable version was also released.

    I've recently seen my apache logs filling up as a result of probes for roundcube installations, ostensibly to take advantage of the weakness in the beta version. The probes are the same, however the source IPs vary considerably, indicating some kind of post-compromise botlike or wormlike behaviour.

    Here's a set of probes from one of my logs. Each series starts with the same initial GET /nonexistenshit

    [fail]
    The nanny features of this forum automatically censor a portion of the details I'm trying to post. Humans reading this will have to replace the **** (Expletive deleted) in the post with "s h i t" and the spaces removed. To any bots indexing this post, tough luck.
    [/fail]

    Code:
    67.207.74.76 - - [10/Jan/2009:21:09:28 +0200] "GET /nonexistenshit HTTP/1.1" 404 212 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
    67.207.74.76 - - [10/Jan/2009:21:09:28 +0200] "GET /mail/bin/msgimport HTTP/1.1" 404 216 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
    67.207.74.76 - - [10/Jan/2009:21:09:28 +0200] "GET /bin/msgimport HTTP/1.1" 404 211 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
    67.207.74.76 - - [10/Jan/2009:21:09:29 +0200] "GET /rc/bin/msgimport HTTP/1.1" 404 214 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
    67.207.74.76 - - [10/Jan/2009:21:09:29 +0200] "GET /roundcube/bin/msgimport HTTP/1.1" 404 221 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
    67.207.74.76 - - [10/Jan/2009:21:09:29 +0200] "GET /webmail/bin/msgimport HTTP/1.1" 404 219 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"

    If you have roundcube 0.2 beta installed, I would strongly suggest that you update to the latest version.
    Last edited by DanL@VPSLink; 01-12-2009 at 10:30 PM. Reason: Resolved forum censorship option issue
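
Added example (not part of the original post or of RoundCube): a Python log check for the probe series shown in the post above. It flags source IPs that request `bin/msgimport` under several directories and lists any probe that was not answered with a 404; the function name, the threshold of three directories and the sample lines (documentation-range IPs) are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Fields of an Apache combined-format line that the check needs.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
SUFFIX = "/bin/msgimport"      # path probed in the log above
CANARY = "/nonexistenshit"     # first request of each series in the log above

def find_msgimport_probes(lines, min_prefixes=3):
    """Map source IP -> evidence, for IPs that match the probe pattern."""
    seen = defaultdict(lambda: {"prefixes": set(), "hits": [], "canary": False})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                       # not a combined-format line
        path = m["path"].split("?", 1)[0]  # ignore any query string
        rec = seen[m["ip"]]
        if path == CANARY:
            rec["canary"] = True
        elif path.endswith(SUFFIX):
            rec["prefixes"].add(path[:-len(SUFFIX)] or "/")
            if m["status"] != "404":
                # The probed path exists on this server: check that install.
                rec["hits"].append((path, int(m["status"])))
    return {ip: rec for ip, rec in seen.items()
            if len(rec["prefixes"]) >= min_prefixes or rec["hits"]}

# Constructed sample lines modelled on the log in the post (not real traffic).
_FMT = '{} - - [10/Jan/2009:21:09:28 +0200] "GET {} HTTP/1.1" {} 212 "-" "Mozilla/5.0"'
SAMPLE = [_FMT.format(*row) for row in [
    ("192.0.2.10", "/nonexistenshit", 404),
    ("192.0.2.10", "/mail/bin/msgimport", 404),
    ("192.0.2.10", "/bin/msgimport", 404),
    ("192.0.2.10", "/rc/bin/msgimport", 404),
    ("198.51.100.7", "/webmail/bin/msgimport", 200),
    ("203.0.113.5", "/index.html", 200),
]]

if __name__ == "__main__":
    for ip, rec in find_msgimport_probes(SAMPLE).items():
        print(ip, sorted(rec["prefixes"]), rec["hits"], rec["canary"])
```

Because the source addresses vary, the per-IP threshold only catches complete series; the `hits` list is the part to act on, since it names the paths on your own server that answered.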

  2. #2
    Join Date
    Dec 2007
    Posts
    1,141

    Thank you for reporting this exploit, chriss.

    I have resolved the forum configuration issue which was responsible for modifying your initial post and updated your post with a find/replace for "****".

  3. #3
    Join Date
    Jun 2008
    Posts
    232

    Thank you

    Quote Originally Posted by DanL@VPSLink
    I have resolved the forum configuration issue which was responsible for modifying your initial post and updated your post with a find/replace for "****".

    Thanks Dan. I appreciate the sensible approach adopted by VPSLink.

    While we'd rather not read expletives in forums, sometimes (as in this case) it's unfortunate that there is one embedded within the information that's being conveyed.

    +1 VPSLink
