Roundcube Community Forum
Release Support => Pending Issues => Topic started by: chops11 on March 11, 2009, 09:42:53 AM
-
Hey folks. Have Roundcube up and running with no problems for about a year. As of today I'm getting the following error. Any help would be great. Thanks in advance.
Warning: require_once(include/bugs.inc) [function.require-once]: failed to open stream: No such file or directory in /home/mydomain/public_html/webmail/program/include/iniset.php on line 93
Fatal error: require_once() [function.require]: Failed opening required 'include/bugs.inc' (include_path='/home/mydomain/public_html/webmail/skins/:/home/mydomain/public_html/webmail/skins/program:/home/mydomain/public_html/webmail/skins/program/lib:/home/mydomain/public_html/webmail/skins/program/include:.:/usr/lib/php:/usr/local/lib/php') in /home/mydomain/public_html/webmail/program/include/iniset.php on line 93
-
Any news on this... I suddenly got the exact same problem for no apparent reason...
Has been working for years! No changes, nothing.
Maybe we are using the same hosting company!? bluehost.com?
Please get back to us/me on this issue as I don't think I could bear doing a clean installation and then having to transfer all info across from old db.
Thx, Nick.
-
I have the same problem - I have 3 installs, identical directories and files save the configs - all have worked flawlessly for over 18 months - suddenly one of them has the exact error described above - the other two are fine - I see no difference between them - paths are the same and nothing has been updated on the machine.
I tried commenting out bugs.inc and then I get the message for main.inc, so it is something to do with the include itself.
I am running gentoo, apache, PHP 5.2.8-pl2-gentoo
Any thoughts?
thanks
matthew
-
Your roundcube install has been compromised. Check 'bin' for 'html'. I found all sorts of stuff in there that was not included with the roundcube install. There was also a '.php' and a modified '.htaccess' that looked suspicious. We dumped the database and roundcube for a fresh install of the latest version. Also writing an md5 program to check the directory structure just in case.
I have a back-up of the old install if a developer wants to check it...
-
This was true for me - I also have a copy of the files -
This is a little disconcerting. Has there been any word from RoundCube on this - there is obviously a door to the backend. Perhaps I have an old copy - I would be unwilling to upgrade until I know if the problem was addressed.
Can someone from RC comment?
Thanks!
-
Same here, it looks like someone found a backdoor and was able to inject their own php onto the server, here's a httpd server log of what happened:
91.212.65.95 - - [19/Mar/2009:07:25:35 -0400] "POST //bin/html2text.php HTTP/1.1" 200 3 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
91.212.65.95 - - [19/Mar/2009:07:25:35 -0400] "POST //bin/20ca8b.php HTTP/1.1" 200 33 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
91.212.65.95 - - [20/Mar/2009:10:36:01 -0400] "GET /bin/20ca8b.php HTTP/1.1" 200 1 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
91.212.65.95 - - [20/Mar/2009:10:36:01 -0400] "POST /bin/20ca8b.php HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
91.212.65.95 - - [20/Mar/2009:10:36:03 -0400] "POST /bin/20ca8b.php HTTP/1.1" 200 5 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
It appears none of the scripts were executed correctly:
[Fri Mar 20 10:36:01 2009] [error] [client 91.212.65.95] PHP Notice: Undefined index: PARAM_HASH in /usr/local/www/roundcube/bin/20ca8b.php on line 3
[Fri Mar 20 10:38:06 2009] [error] [client 91.212.65.95] PHP Fatal error: Class 'PclZip' not found in /usr/local/www/roundcube/bin/20ca8b.php(9) : runtime-created function on line 2
[Fri Mar 20 10:38:08 2009] [error] [client 91.212.65.95] File does not exist: /usr/local/www/roundcube/bin/incdir/facts-about-black-panthers
[Mon Mar 23 11:01:12 2009] [error] [client 91.212.65.95] PHP Warning: require_once(include/bugs.inc) [function.require-once]: failed to open stream: No such file or directory in /usr/local/www/roundcube/program/include/iniset.php on line 91
[Mon Mar 23 11:01:12 2009] [error] [client 91.212.65.95] PHP Fatal error: require_once() [function.require]: Failed opening required 'include/bugs.inc' (include_path='/usr/local/www/roundcube/SQL/:/usr/local/www/roundcube/SQL/program:/usr/local/www/roundcube/SQL/program/lib:/usr/local/www/roundcube/SQL/program/include:.:/usr/local/share/pear:/usr/local/share/smarty') in /usr/local/www/roundcube/program/include/iniset.php on line 91
This sounds familiar:
#1485618 (Break-in possiblity via html2text.php?) - RoundCube Webmail (http://trac.roundcube.net/ticket/1485618)
given that they're using html2text to break in
Anyways, I am done with roundcube. It was fun while it lasted (6 months) and my users liked it but I consider this a very serious problem.
I've bookmarked this post and will be checking back to see if there's any progress but being an admin is a side-job so I don't have the time to dive into it deeper.
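
[Added example, not part of the original post and not Roundcube code: a triage pass over an Apache combined-format access log that reports the two patterns visible in the log above, POSTs to a script under /bin/ and requests for /bin/*.php files the release does not ship. The SHIPPED set, the sample lines, the file name a1b2c3.php and the documentation-range addresses are constructed assumptions.]

```python
import re
from collections import defaultdict

# Apache combined log format: client, timestamp, request line, status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')

# Assumption: scripts the release ships under /bin/; build this from the archive.
SHIPPED = {"/bin/html2text.php"}

# Constructed sample lines in the shape of the log quoted in the post.
SAMPLE = '''\
203.0.113.7 - - [01/Jan/2009:07:25:35 -0400] "POST //bin/html2text.php HTTP/1.1" 200 3 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2009:07:25:35 -0400] "POST //bin/a1b2c3.php HTTP/1.1" 200 33 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jan/2009:10:36:01 -0400] "GET /bin/a1b2c3.php HTTP/1.1" 200 1 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jan/2009:10:36:01 -0400] "POST /bin/a1b2c3.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.20 - - [02/Jan/2009:10:40:00 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [02/Jan/2009:10:40:05 -0400] "POST /index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
'''

def triage(log_text, shipped=SHIPPED):
    """Return {client_ip: [findings]} for requests that touch /bin/*.php."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Drop the query string and collapse '//bin/x.php' to '/bin/x.php'.
        path = re.sub(r"/{2,}", "/", m["path"].split("?", 1)[0])
        if not (path.startswith("/bin/") and path.endswith(".php")):
            continue
        if path not in shipped:
            reason = "script not in release"
        elif m["method"] == "POST":
            reason = "POST to helper script"
        else:
            continue
        findings[m["ip"]].append((m["ts"], m["method"], path, m["status"], reason))
    return dict(findings)

if __name__ == "__main__":
    for ip, hits in triage(SAMPLE).items():
        for hit in hits:
            print(ip, *hit)
```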
-
Rayzz,
That's the same IP that attacked us. As I stated earlier we upgraded to the latest release. What I neglected to mention was that we nuked the class C license the IP originated from on our firewall, not the best preventive measure I admit, but seeing as you posted the same IP it might hold more of a chance at thwarting future attempts than I originally hoped.
I have faith in roundcube, it was, after all, listed as beta when we first started using it, and as far as I'm aware it's still a beta product. I can't knock free and I still haven't seen a comparable product for the price that is so feature rich. I have been through Squirrelmail and Hastymail, and just felt home using roundcube.
-
I have the same IP address and have also blocked it - I will be upgrading and looking into this further - Did anyone actually report the IP addy?
Anyway - would still like to hear a response from RC.
-
I think this was fixed some time ago. Please see SourceForge.net: News: Security update for 0.2-beta (http://sourceforge.net/forum/forum.php?forum_id=898542).
-
Great - thanks - patched.
regards
Matthew
-
Sure enough, I got it too. I can't even begin to tell you how much this pisses me off.