Hi!
First off, great piece of software; I'm never going back to SquirrelMail again (my mail users quickly started using Roundcube too).
I'm running it on an Apple G3 (!) with OS X 10.4.x, with Apache and PHP compiled to recent stable versions.
Over the last weeks I've seen some weird traffic to my webserver hosting Roundcube (amongst other things). These IPs are not from any of my legitimate users as far as I can tell.
Here's a snippet from my logs:
[Tue Dec 21 15:57:01 2010] [error] [client 213.93.38.xxx] File does not exist: /path/to/webroot/roundcubemail/program/js/'+this.env.loadingicon+'
[Tue Dec 21 15:57:01 2010] [error] [client 213.93.38.xxx] File does not exist: /path/to/webroot/roundcubemail/program/js/).addClass(b).html(a),g=$(this.gui_objects.message).show();if(b==
[Tue Dec 21 15:57:01 2010] [error] [client 213.93.38.xxx] File does not exist: /path/to/webroot/roundcubemail/program/js/).html(f+
[Tue Dec 21 15:57:01 2010] [error] [client 213.93.38.xxx] File does not exist: /path/to/webroot/roundcubemail/program/js/)}$(a).html(
[Tue Dec 21 15:57:02 2010] [error] [client 213.93.38.xxx] ModSecurity: Access denied with code 403 (phase 2). Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file "/path/to/apache/conf/modsec/base_rules/modsecurity_crs_30_http_policy.conf"] [line "77"] [id "960034"] [msg "HTTP protocol version is not allowed by policy"] [data "d=this.message_list.find_root(a);if(a!=d){var e=this.message_list.rows[d];if(b== HTTP/1.1"] [severity "CRITICAL"] [tag "POLICY/PROTOCOL_NOT_ALLOWED"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.10"] [hostname "MYDOMAIN.no"] [uri "/roundcubemail/program/js/+a).html(f)};this.update_thread_root=function(a,b){if(this.env.threading){var"] [unique_id "TRDAPgoAABQAAEgUHNcAAAAB"]
These requests come from different IPs in .nl and .com/.us.
At first I changed the URIs for Roundcube on my server and updated the links on the front page a few times, but the requests kept coming in.
Step two was setting up a tarpit trick [1] using PHP and reverse lookups in the index page. "Evil" IPs got a link to the tarpit, while legitimate IPs got a link to my "secret" Roundcube URI.
Just had a few of these IPs step into the tarpit, and it seems like it's going away.
Anyone had similar experiences? I have attached more clippings of the logs.
[1] Tarpitting with Apache and mod_security2 | kill -9 `/dev/cat`
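The "files" requested in the log excerpt above (`'+this.env.loadingicon+'`, `).addClass(b).html(a)...`) are pieces of minified JavaScript from Roundcube's own `program/js/` directory, so whatever is sending them is treating string fragments of the script as relative URLs rather than probing for anything specific. One way to pull the sources of that traffic out of an Apache error log so they can feed a deny list or the tarpit gate described in the post is a small triage script like the one below. It is an added example, not code from the post or from the Roundcube project: it parses both the plain "File does not exist" 404 lines and the ModSecurity `[uri "..."]` form, flags a request as a JavaScript fragment when the part after `program/js/` contains syntax characters that no real script file name has, and counts hits per client. The `SAMPLE_LOG` lines are constructed to mirror the post's excerpt (the masked `213.93.38.xxx` plus RFC 5737 documentation addresses), and the `/path/to/webroot` docroot is kept as written in the post; the thresholds and helper names are the example's own.

```python
"""Triage Apache error-log lines for JS-fragment-as-URL requests (example, not Roundcube code)."""
import re
from collections import Counter

# Constructed sample modelled on the post's log excerpt; NOT real traffic.
# 213.93.38.xxx is the masked address from the post, the others are RFC 5737
# documentation addresses.  The ModSecurity line is abridged to the fields used.
SAMPLE_LOG = r"""[Tue Dec 21 15:57:01 2010] [error] [client 213.93.38.xxx] File does not exist: /path/to/webroot/roundcubemail/program/js/'+this.env.loadingicon+'
[Tue Dec 21 15:57:01 2010] [error] [client 213.93.38.xxx] File does not exist: /path/to/webroot/roundcubemail/program/js/).addClass(b).html(a),g=$(this.gui_objects.message).show();if(b==
[Tue Dec 21 15:57:02 2010] [error] [client 213.93.38.xxx] ModSecurity: Access denied with code 403 (phase 2). [id "960034"] [msg "HTTP protocol version is not allowed by policy"] [hostname "MYDOMAIN.no"] [uri "/roundcubemail/program/js/+a).html(f)};this.update_thread_root=function(a,b){if(this.env.threading){var"] [unique_id "TRDAPgoAABQAAEgUHNcAAAAB"]
[Tue Dec 21 16:02:11 2010] [error] [client 198.51.100.7] File does not exist: /path/to/webroot/roundcubemail/program/js/app.js
[Tue Dec 21 16:03:40 2010] [error] [client 203.0.113.9] File does not exist: /path/to/webroot/roundcubemail/program/js/)}$(a).html(
"""

CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')            # Apache 2.2 style, no port suffix
NOT_FOUND_RE = re.compile(r'File does not exist: (.+?)\s*$')
MODSEC_URI_RE = re.compile(r'\[uri "((?:[^"\\]|\\.)*)"\]')
JS_DIR = "program/js/"
# Characters and keywords that appear in minified JS but never in a real
# script file name under program/js/ (app.js, common.js, list.js, ...).
JS_SYNTAX_RE = re.compile(r"""[()'"{};=+]|\$\(|\b(?:this|function|var|if)\b""")


def extract_request(line):
    """Return (client_ip, requested_path) for a 404 or ModSecurity line, else None."""
    client = CLIENT_RE.search(line)
    if not client:
        return None
    path = NOT_FOUND_RE.search(line) or MODSEC_URI_RE.search(line)
    if not path:
        return None
    return client.group(1), path.group(1)


def looks_like_js_fragment(path):
    """True when what follows program/js/ is JavaScript source rather than a file name."""
    idx = path.find(JS_DIR)
    if idx < 0:
        return False
    tail = path[idx + len(JS_DIR):]
    return bool(JS_SYNTAX_RE.search(tail))


def triage(log_text):
    """Count JS-fragment requests per client IP across an error-log excerpt."""
    hits = Counter()
    for line in log_text.splitlines():
        req = extract_request(line)
        if req and looks_like_js_fragment(req[1]):
            hits[req[0]] += 1
    return hits


def suspect_ips(hits, min_hits=1):
    """Clients with at least min_hits fragment requests, busiest first (deny-list input)."""
    return [ip for ip, n in hits.most_common() if n >= min_hits]


if __name__ == "__main__":
    counts = triage(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip:20} {n} fragment request(s)")
    print("suspects:", suspect_ips(counts, min_hits=2))
```

On the sample, the masked host from the post is counted three times (two 404s and the ModSecurity block), the documentation address that asked for a fragment once, and the client that requested the plain `app.js` is not flagged at all, which is the distinction the gate in the post needs: a legitimate user hitting a missing script should not be sent to the tarpit. Feed the real log with `triage(open("error_log").read())`.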