Roundcube Community Forum

News and Announcements => News & Announcements => Topic started by: bpat1434 on December 16, 2008, 01:06:03 PM

Title: RoundCube News: Security update for 0.2-beta
Post by: bpat1434 on December 16, 2008, 01:06:03 PM
There were two security issues reported which are now fixed. The first was a possible code injection using the html2text conversion script. The other exploit used the unchecked size parameters of the quota image to let PHP create huge images eating up all the server memory.

Title: Ubuntu 8.10 server hacked, probably because of this
Post by: lvanderree on January 14, 2009, 05:54:37 PM
I have an Ubuntu server (8.10) with Roundcube 0.1.1 (default package from Ubuntu 8.10)

and I can provide the following logs:


apache access log:
62.193.202.XX - - [12/Jan/2009:21:48:13 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 759 "-" "-"
62.193.202.XX - - [12/Jan/2009:21:48:27 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 180 "-" "-"
(these are the only two actions performed as can be found in my apache-log)

in my syslog I can see:
Jan 12 21:48:29 fun4me crontab[10065]: (www-data) REPLACE (www-data)
Jan 12 21:48:29 fun4me crontab[10066]: (www-data) LIST (www-data)

crontab -u www-data -l   gives me:
* * * * * /var/tmp/.ICE-unix/.../.tmp/data/mysqld-lock >/dev/null 2>&1

and ls -l /var/tmp/.ICE-unix/.../.tmp/data/ gives me:
-rw-r--r-- 1 www-data www-data      71 2009-01-12 21:48 cron.d
drwxr-xr-x 2 www-data www-data    4096 2009-01-12 21:48 home
-rwxr-xr-x 1 www-data www-data 1063697 2008-01-20 16:42 mysqld
-rw-r--r-- 1 www-data www-data      33 2009-01-12 21:48 mysqld.dir
-rwxr-xr-x 1 www-data www-data     178 2008-01-20 16:42 mysqld-exec
-rwxr-xr-x 1 www-data www-data     359 2008-01-20 16:42 mysqld-install
-rwxr--r-- 1 www-data www-data     244 2009-01-12 21:48 mysqld-lock
-rw-rw-rw- 1 www-data www-data       6 2009-01-12 21:48 mysqld.pid
-rwxr-xr-x 1 www-data www-data   21516 2008-01-20 16:42 xh

xh gets detected as HackTool.Linux.ProcHider.a: Viruslist.com - HackTool.Linux.ProcHider.a (http://www.viruslist.com/en/viruses/encyclopedia?virusid=75632)
I guess mysqld is a virus as well, but it does not get detected (yet)

I will try to add this exploit to launchpad as well (if possible)

I already found out it was a spam-bot that got inserted in my system
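
Added example, not part of the original post or of Roundcube: a small triage script that correlates the two log sources quoted above, flagging any crontab REPLACE by the web server account that follows a POST to html2text.php within a short window. The 60-second window, the function names, and the assumption that syslog and Apache log in the same local time zone are choices made for this example; the benign GET line is constructed.

```python
import re
from datetime import datetime, timedelta

# Sample input: the log lines quoted in the post, plus one constructed benign request.
ACCESS_LOG = """\
62.193.202.XX - - [12/Jan/2009:21:48:13 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 759 "-" "-"
62.193.202.XX - - [12/Jan/2009:21:48:27 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 180 "-" "-"
192.0.2.10 - - [12/Jan/2009:20:02:11 +0100] "GET /roundcube/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
SYSLOG = """\
Jan 12 21:48:29 fun4me crontab[10065]: (www-data) REPLACE (www-data)
Jan 12 21:48:29 fun4me crontab[10066]: (www-data) LIST (www-data)
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\] ]+) [^\]]+\] "POST (\S*/bin/html2text\.php)\S* ')
CRON_RE = re.compile(r'^(\w{3} +\d+ [\d:]+) \S+ crontab\[\d+\]: \((\S+)\) REPLACE ')

def html2text_posts(text):
    """Yield (time, client, path) for each POST to html2text.php."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            yield datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S"), m.group(1), m.group(3)

def crontab_replacements(text, year, user="www-data"):
    """Yield the time of each crontab REPLACE by the web server account."""
    for line in text.splitlines():
        m = CRON_RE.match(line)
        if m and m.group(2) == user:
            # syslog lines carry no year; it is passed in (assumption: same local time zone as Apache)
            yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")

def correlate(access_text, syslog_text, year, window=timedelta(seconds=60)):
    """Pair each crontab REPLACE with html2text.php POSTs seen shortly before it."""
    posts = list(html2text_posts(access_text))
    findings = []
    for cron_time in crontab_replacements(syslog_text, year):
        hits = [p for p in posts if timedelta(0) <= cron_time - p[0] <= window]
        if hits:
            findings.append({"crontab_replaced": cron_time, "requests": hits})
    return findings

if __name__ == "__main__":
    for f in correlate(ACCESS_LOG, SYSLOG, year=2009):
        print(f["crontab_replaced"], "preceded by", [(str(t), c) for t, c, _ in f["requests"]])
```

A web server account normally has no reason to install a crontab at all, so a match here is worth investigating even without the preceding request.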
Title: RoundCube News: Security update for 0.2-beta
Post by: cr3pt on January 24, 2009, 04:01:13 PM
egh...
upgrade to 0.2 !!
regards
cr3pt