Roundcube Community Forum

Release Support => Pending Issues => Topic started by: chops11 on March 11, 2009, 09:42:53 AM

Title: Working for a year, suddenly stopped with include/bugs.inc error.
Post by: chops11 on March 11, 2009, 09:42:53 AM
Hey folks.  Have Roundcube up and running with no problems for about a year.  As of today i'm getting the following error.  Any help would be great.  Thanks in advance.



Warning: require_once(include/bugs.inc) [function.require-once]: failed to open stream: No such file or directory in /home/mydomain/public_html/webmail/program/include/iniset.php on line 93

Fatal error: require_once() [function.require]: Failed opening required 'include/bugs.inc' (include_path='/home/mydomain/public_html/webmail/skins/:/home/mydomain/public_html/webmail/skins/program:/home/mydomain/public_html/webmail/skins/program/lib:/home/mydomain/public_html/webmail/skins/program/include:.:/usr/lib/php:/usr/local/lib/php') in /home/mydomain/public_html/webmail/program/include/iniset.php on line 93
Title: Exact same issue!
Post by: nicolasball on March 23, 2009, 05:37:09 PM
Any news on this... I suddenly got the exact same problem for no apprant reason...
Has been working for years! No changes, nothing.

Maybe we are using the same hosting company!? bluehost.com?

Please get back to us/me on this issue as I dont think I could bare doing a clean installation and then having to transfer all info across from old db.

Thx, Nick.
Title: Working for a year, suddenly stopped with include/bugs.inc error.
Post by: cpmwi on March 24, 2009, 08:46:47 PM
I have the same problem - I have 3 installs, identical directories and files save the configs - all have worked flawlessly for over 18 months - suddenly one of them has the exact error described above - the other two are fine - I see no difference between them - paths are the same and nothing has been updated on the machine,

I tried commenting out bugs.inc and then I get the message for main.inc, so it is something to do with the include itself.

I am running gentoo, apache, PHP 5.2.8-pl2-gentoo

Any thoughts?

thanks
matthew
Title: Working for a year, suddenly stopped with include/bugs.inc error.
Post by: The_Spider on March 25, 2009, 06:49:09 PM
Your roundcube install has been compromised. Check 'bin' for 'html'. I found all sorts of stuff in there that was not not included with the roundcube install. There was also a '.php' and a modified '.htaccess' that looked suspicious. We dumped the database and roundcube for a fresh install of the latest version. Also writing a md5 program to check the directory structure just in case.

I have a back-up of the old install if a developer wants to check it...
Title: Working for a year, suddenly stopped with include/bugs.inc error.
Post by: cpmwi on March 26, 2009, 08:52:21 PM
This was true for me - I also have a copy of the files -

This is a little disconcerting. Has there been any word from RoundCube on this - there is obviously a door to the backend. Perhas I have an old copy - I would be unwilling to upgrade until i know if the problem was addressed.

Can someone from RC comment?

Thanks!
Title: Working for a year, suddenly stopped with include/bugs.inc error.
Post by: rayzz on March 26, 2009, 09:45:33 PM
Same here, it looks like someone found a backdoor and was able to inject their own php onto the server, here's a httpd server log of what happened:

Code: [Select]

91.212.65.95 - - [19/Mar/2009:07:25:35 -0400] "POST //bin/html2text.php HTTP/1.1" 200 3 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko
/20060508 Firefox/1.5.0.4"
91.212.65.95 - - [19/Mar/2009:07:25:35 -0400] "POST //bin/20ca8b.php HTTP/1.1" 200 33 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/2
0060508 Firefox/1.5.0.4"
91.212.65.95 - - [20/Mar/2009:10:36:01 -0400] "GET /bin/20ca8b.php HTTP/1.1" 200 1 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/2006
0508 Firefox/1.5.0.4"
91.212.65.95 - - [20/Mar/2009:10:36:01 -0400] "POST /bin/20ca8b.php HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20
060508 Firefox/1.5.0.4"
91.212.65.95 - - [20/Mar/2009:10:36:03 -0400] "POST /bin/20ca8b.php HTTP/1.1" 200 5 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/200
60508 Firefox/1.5.0.4"


It appears none of the scripts were executed correctly
Code: [Select]
[Fri Mar 20 10:36:01 2009] [error] [client 91.212.65.95] PHP Notice:  Undefined index:  PARAM_HASH in /usr/local/www/roundcube/bin/20ca8b.php on line 3
[Fri Mar 20 10:38:06 2009] [error] [client 91.212.65.95] PHP Fatal error:  Class 'PclZip' not found in /usr/local/www/roundcube/bin/20ca8b.php(9) : runtime-cr
eated function on line 2
[Fri Mar 20 10:38:08 2009] [error] [client 91.212.65.95] File does not exist: /usr/local/www/roundcube/bin/incdir/facts-about-black-panthers
[Mon Mar 23 11:01:12 2009] [error] [client 91.212.65.95] PHP Warning:  require_once(include/bugs.inc) [function.require-oncea>]: failed to open stream: No such file or directory in /usr/local/www/roundcube/program/include/iniset.php on line 91
[Mon Mar 23 11:01:12 2009] [error] [client 91.212.65.95] PHP Fatal error:  require_once() [
function.require]: Failed opening re
quired 'include/bugs.inc' (include_path='/usr/local/www/roundcube/SQL/:/usr/local/www/roundcube/SQL/program:/usr/local/www/roundcube/SQL/program/lib:/usr/loca
l/www/roundcube/SQL/program/include:.:/usr/local/share/pear:/usr/local/share/smarty') in /usr/local/www/roundcube/program/include/iniset.php on line 91


This sounds familier:
#1485618 (Break-in possiblity via html2text.php?) ? RoundCube Webmail (http://trac.roundcube.net/ticket/1485618)
given that they're using html2text to break in

Anyways, I am done with roundcube. It was fun while it lasted (6 months) and my users liked it but I consider this a very serious problem.

I've bookmarked this post and will be checking back to see if there's any progress but being an admin is a side-job so I don't have the time to dive into it deeper.
Title: Working for a year, suddenly stopped with include/bugs.inc error.
Post by: The_Spider on March 26, 2009, 10:09:24 PM
Rayzz,
That's the same IP that attacked us. As I stated earlier we upgraded to the latest release. What I neglected to mention was that we nuked the class C license the ip originated from on our firewall, not the best preventive measure I admit, but seeing as you posted the same IP it might hold more of a chance at thwarting future attempts then I originally hoped.

I have faith in roundcube, it was, after all, listed as beta when we first started using it, and as far as I'm aware its still a beta product. I can't knock free and I still haven't seen a comparable product for the price that is so feature rich. I have been through Squirrelmail and Hastymail, and just felt home using roundcube.
Title: Working for a year, suddenly stopped with include/bugs.inc error.
Post by: cpmwi on March 27, 2009, 01:35:18 AM
I have the same IP address and have also blocked it - I will be upgrading and looking into this further - Did anyone actually report the IP addy?

Anyway - would still like to here a response from RC.
Title: Working for a year, suddenly stopped with include/bugs.inc error.
Post by: JohnDoh on March 27, 2009, 04:18:17 AM
I think this was fixed some time ago. Please see SourceForge.net: News: Security update for 0.2-beta (http://sourceforge.net/forum/forum.php?forum_id=898542).
Title: Working for a year, suddenly stopped with include/bugs.inc error.
Post by: cpmwi on March 27, 2009, 10:54:01 PM
Great  - thanks - patched.

regards
Matthew
Title: Working for a year, suddenly stopped with include/bugs.inc error.
Post by: DJDarknez on April 05, 2009, 10:22:40 PM
Sure enough, I got it too.  I can't even begin to tell you how much this pisses me off.