I have an Ubuntu server (8.10) with Roundcube 0.1.1 (default package from Ubuntu 8.10)
and I can provide the following logs:
Apache access log:
62.193.202.XX - - [12/Jan/2009:21:48:13 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 759 "-" "-"
62.193.202.XX - - [12/Jan/2009:21:48:27 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 180 "-" "-"
(these are the only two actions performed, as can be found in my Apache log)
in my syslog I can see:
Jan 12 21:48:29 fun4me crontab[10065]: (www-data) REPLACE (www-data)
Jan 12 21:48:29 fun4me crontab[10066]: (www-data) LIST (www-data)
crontab -u www-data -l gives me:
* * * * * /var/tmp/.ICE-unix/.../.tmp/data/mysqld-lock >/dev/null 2>&1
and ls -l /var/tmp/.ICE-unix/.../.tmp/data/ gives me:
-rw-r--r-- 1 www-data www-data 71 2009-01-12 21:48 cron.d
drwxr-xr-x 2 www-data www-data 4096 2009-01-12 21:48 home
-rwxr-xr-x 1 www-data www-data 1063697 2008-01-20 16:42 mysqld
-rw-r--r-- 1 www-data www-data 33 2009-01-12 21:48 mysqld.dir
-rwxr-xr-x 1 www-data www-data 178 2008-01-20 16:42 mysqld-exec
-rwxr-xr-x 1 www-data www-data 359 2008-01-20 16:42 mysqld-install
-rwxr--r-- 1 www-data www-data 244 2009-01-12 21:48 mysqld-lock
-rw-rw-rw- 1 www-data www-data 6 2009-01-12 21:48 mysqld.pid
-rwxr-xr-x 1 www-data www-data 21516 2008-01-20 16:42 xh
xh gets detected as HackTool.Linux.ProcHider.a
Viruslist.com - HackTool.Linux.ProcHider.a
I guess mysqld is a virus as well, but it does not get detected (yet)
I will try to add this exploit to Launchpad as well (if possible)
I already found out it was a spam-bot that got inserted in my system
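As an added defender's example (not part of the original report), a small Python script that correlates the two log sources quoted above: it flags direct POSTs to Roundcube's html2text.php in the Apache access log and pairs them with crontab REPLACE events for www-data in syslog that follow within a short window. The sample lines are constructed from the report; the year (syslog has none) and the 60-second window are assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample lines modelled on the report above (the masked "XX" octets are kept as posted).
ACCESS_LOG = """\
62.193.202.XX - - [12/Jan/2009:21:48:13 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 759 "-" "-"
62.193.202.XX - - [12/Jan/2009:21:48:27 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 180 "-" "-"
10.0.0.5 - - [12/Jan/2009:21:50:00 +0100] "GET /roundcube/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""
SYSLOG = """\
Jan 12 21:48:29 fun4me crontab[10065]: (www-data) REPLACE (www-data)
Jan 12 21:48:29 fun4me crontab[10066]: (www-data) LIST (www-data)
Jan 12 22:00:01 fun4me CRON[10100]: (root) CMD (run-parts /etc/cron.hourly)
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]\s]+) [+-]\d{4}\] "(\S+) (\S+) [^"]*" (\d{3})')
CRONTAB_RE = re.compile(r'^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) \S+ crontab\[\d+\]: \((\S+)\) REPLACE ')

def suspicious_requests(access_log, path_re=r'/roundcube/bin/html2text\.php$'):
    """Direct POSTs to the html2text.php helper script, the request pattern seen in the report."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m: continue
        ip, ts, method, path, status = m.groups()
        if method == "POST" and re.search(path_re, path):
            # Both logs are local time on the same host, so the UTC offset is dropped.
            hits.append({"time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S"),
                         "ip": ip, "path": path, "status": int(status)})
    return hits

def crontab_replacements(syslog, user="www-data", year=2009):
    """Times at which `user` replaced its own crontab; syslog carries no year, so one is supplied."""
    times = []
    for line in syslog.splitlines():
        m = CRONTAB_RE.match(line)
        if m and m.group(4) == user:
            times.append(datetime.strptime(f"{m.group(1)} {m.group(2)} {year} {m.group(3)}",
                                           "%b %d %Y %H:%M:%S"))
    return times

def correlate(access_log, syslog, window_seconds=60):
    """Pair each crontab REPLACE by the web server user with suspicious requests just before it."""
    reqs = suspicious_requests(access_log)
    alerts = []
    for t in crontab_replacements(syslog):
        before = [r for r in reqs if timedelta(0) <= t - r["time"] <= timedelta(seconds=window_seconds)]
        if before:
            alerts.append({"crontab_replaced_at": t, "source_ips": sorted({r["ip"] for r in before}),
                           "requests": before})
    return alerts
```

A web server user editing its own crontab is rarely legitimate, so a hit from correlate() is worth an alert on its own; the preceding requests tell you which endpoint to look at.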