Author Topic: Is it a security hole in Roundcube?!

Offline wnd (Newbie, Posts: 2)
« on: May 13, 2009, 06:36:28 PM »
All of a sudden the server started to generate a huge amount of mail traffic (spam).

The Roundcube sendmail log shows me:
[13-May-2009 06:07:37 -0500]: [13-May-2009 06:07:37 -0500] User: 2 on 217.194.147.131; Message for undisclosed-recipients:;;
[13-May-2009 06:14:11 -0500]: [13-May-2009 06:14:11 -0500] User: 2 on 217.194.147.131; Message for undisclosed-recipients:;;
[13-May-2009 08:03:13 -0500]: [13-May-2009 08:03:13 -0500] User: 2 on 213.255.218.244; Message for undisclosed-recipients:;;

217.194.147.131 and 213.255.218.244 are not my clients' addresses.

Apache access log:
217.194.147.131 - - [13/May/2009:16:57:22 -0500] "GET /?_task=mail&_action=check-recent&_t=1242252267513&_list=1&_quota=1&_remote=1 HTTP/1.1" 200 87
217.194.147.131 - - [13/May/2009:16:57:42 -0500] "GET /?_task=mail&_action=check-recent&_t=1242252286888&_list=1&_quota=1&_remote=1 HTTP/1.1" 200 87
217.194.147.131 - - [13/May/2009:16:58:25 -0500] "GET /?_task=mail&_action=check-recent&_t=1242252327528&_list=1&_quota=1&_remote=1 HTTP/1.1" 200 754
217.194.147.131 - - [13/May/2009:16:58:42 -0500] "GET /?_task=mail&_action=check-recent&_t=1242252346898&_list=1&_quota=1&_remote=1 HTTP/1.1" 200 87
217.194.147.131 - - [13/May/2009:16:59:25 -0500] "GET /?_task=mail&_action=check-recent&_t=1242252387533&_list=1&_quota=1&_remote=1 HTTP/1.1" 200 762
217.194.147.131 - - [13/May/2009:16:59:42 -0500] "GET /?_task=mail&_action=check-recent&_t=1242252406908&_list=1&_quota=1&_remote=1 HTTP/1.1" 200 87
217.194.147.131 - - [13/May/2009:17:00:23 -0500] "GET /?_task=mail&_action=check-recent&_t=1242252447550&_list=1&_quota=1&_remote=1 HTTP/1.1" 200 87
217.194.147.131 - - [13/May/2009:17:00:48 -0500] "GET /?_task=mail&_action=check-recent&_t=1242252466920&_list=1&_quota=1&_remote=1 HTTP/1.1" 200 87

The question is: is it a security hole in RoundCube, or is the server just misconfigured?

I'm using postfix+mysql+postfixadmin+roundcube configuration.

P.S. I can provide more information.
P.P.S. Roundcube version: latest release, v0.2.1.
« Last Edit: May 13, 2009, 06:41:00 PM by wnd »
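Added example, not code from the original post or from the Roundcube project: a small Python triage script that parses the two log excerpts above, flags Roundcube user IDs that sent BCC-only mail ("undisclosed-recipients") from addresses outside an assumed allow-list of client ranges, and then counts the check-recent polls from those addresses in the Apache log to tell a live webmail session from a one-off submit. The log lines are copied from the post, with one constructed line for a legitimate user (User: 7 from 192.0.2.15) appended to each log; the trusted range 192.0.2.0/24 is an assumption and would be the poster's real client ranges in practice.

```python
import re
import ipaddress
from collections import defaultdict

# Roundcube sendmail log from the post (first entry re-joined), plus one
# constructed line for a legitimate user sending from an internal address.
SENDMAIL_LOG = """\
[13-May-2009 06:07:37 -0500]: [13-May-2009 06:07:37 -0500] User: 2 on 217.194.147.131; Message for undisclosed-recipients:;;
[13-May-2009 06:14:11 -0500]: [13-May-2009 06:14:11 -0500] User: 2 on 217.194.147.131; Message for undisclosed-recipients:;;
[13-May-2009 08:03:13 -0500]: [13-May-2009 08:03:13 -0500] User: 2 on 213.255.218.244; Message for undisclosed-recipients:;;
[13-May-2009 09:12:40 -0500]: [13-May-2009 09:12:40 -0500] User: 7 on 192.0.2.15; Message for bob@example.org;
"""

# Apache access log from the post (trimmed), plus one constructed line from
# the legitimate address.
APACHE_LOG = """\
217.194.147.131 - - [13/May/2009:16:57:22 -0500] "GET /?_task=mail&_action=check-recent&_t=1242252267513&_list=1&_quota=1&_remote=1 HTTP/1.1" 200 87
217.194.147.131 - - [13/May/2009:16:57:42 -0500] "GET /?_task=mail&_action=check-recent&_t=1242252286888&_list=1&_quota=1&_remote=1 HTTP/1.1" 200 87
217.194.147.131 - - [13/May/2009:16:58:25 -0500] "GET /?_task=mail&_action=check-recent&_t=1242252327528&_list=1&_quota=1&_remote=1 HTTP/1.1" 200 754
192.0.2.15 - - [13/May/2009:16:58:40 -0500] "GET /?_task=mail&_action=check-recent&_t=1242252340000&_list=1&_quota=1&_remote=1 HTTP/1.1" 200 87
"""

# Assumption: the address ranges this server's own users connect from.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

SENDMAIL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]: \[[^\]]+\] User: (?P<uid>\d+) on (?P<ip>[0-9.]+); "
    r"Message for (?P<rcpt>.*)$"
)
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)$"
)


def parse_sendmail(text):
    """One dict per Roundcube sendmail log line; unparsable lines are skipped."""
    out = []
    for line in text.splitlines():
        m = SENDMAIL_RE.match(line)
        if m:
            d = m.groupdict()
            # "undisclosed-recipients:;" is what appears when every recipient
            # was in Bcc, which is the spam pattern the post shows.
            d["bcc_only"] = d["rcpt"].startswith("undisclosed-recipients")
            out.append(d)
    return out


def parse_apache(text):
    """One dict per Apache access log line in the common/combined prefix format."""
    out = []
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if m:
            out.append(m.groupdict())
    return out


def is_trusted(ip, nets=TRUSTED_NETS):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def flag_accounts(sends, nets=TRUSTED_NETS):
    """Group sends by Roundcube user ID and return the IDs that sent BCC-only
    mail from an address outside the trusted ranges, with the foreign IPs."""
    report = defaultdict(lambda: {"foreign_ips": set(), "bcc_only": 0, "total": 0})
    for s in sends:
        r = report[s["uid"]]
        r["total"] += 1
        if s["bcc_only"]:
            r["bcc_only"] += 1
        if not is_trusted(s["ip"], nets):
            r["foreign_ips"].add(s["ip"])
    return {uid: r for uid, r in report.items() if r["foreign_ips"] and r["bcc_only"]}


def sessions_from(requests, ips):
    """Count Roundcube check-recent polls per suspect IP: a steady stream of
    them means someone is logged in interactively, not just submitting once."""
    counts = {ip: 0 for ip in ips}
    for r in requests:
        if r["ip"] in counts and "_action=check-recent" in r["path"]:
            counts[r["ip"]] += 1
    return counts


if __name__ == "__main__":
    flagged = flag_accounts(parse_sendmail(SENDMAIL_LOG))
    for uid, r in flagged.items():
        print(f"user {uid}: {r['bcc_only']}/{r['total']} BCC-only sends "
              f"from {sorted(r['foreign_ips'])}")
    suspect_ips = {ip for r in flagged.values() for ip in r["foreign_ips"]}
    print(sessions_from(parse_apache(APACHE_LOG), suspect_ips))
```

The user ID in the sendmail log is Roundcube's internal numeric ID, so the flagged ID still has to be mapped to a mailbox (the users table in Roundcube's database) before the account is disabled in Postfix/postfixadmin.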

Offline rosali (Hero Member, Posts: 2,533)
« Reply #1 on: May 14, 2009, 12:49:35 AM »
RoundCube is secure, IMO. In your case it looks like a spammer has cracked an account on your server (username and password).

Both IPs are blacklisted on various DNS blacklists (Email Blacklist Check - See if your server is blacklisted).

He is sending out spam using only the BCC recipients. Enable logging of successful user logins and close the affected accounts.
« Last Edit: May 14, 2009, 12:52:00 AM by rosali »
Regards,
Rosali
__________________
MyRoundcube Project (commercial)

Offline wnd (Newbie, Posts: 2)
« Reply #2 on: May 14, 2009, 09:55:29 AM »
Quote from: rosali
RoundCube is secure, IMO. In your case it looks like a spammer has cracked an account on your server (username and password).

He is sending out spam using only the BCC recipients. Enable logging of successful user logins and close affected accounts.

rosali, thank you for your reply. I came up with the same idea and, indeed, one of the users got a virus on their computer. I disabled the suspicious account and now it looks fine. So far so good.

I use Roundcube on all my servers as the webmail client and have never had any problems. I'm glad it stays that way.

Regards,
wnd