Roundcube Community Forum

 

Is it security hole in roundcube?!

Started by wnd, May 13, 2009, 06:36:28 PM


wnd

All of a sudden the server started to generate a huge amount of mail traffic (spam).

roundcube sendmail log shows me:
[13-May-2009 06:07:37 -0500]: [13-May-2009 06:07:37 -0500] User: 2 on 217.194.147.131; Message for undisclosed-recipients:;;
[13-May-2009 06:14:11 -0500]: [13-May-2009 06:14:11 -0500] User: 2 on 217.194.147.131; Message for undisclosed-recipients:;;
[13-May-2009 08:03:13 -0500]: [13-May-2009 08:03:13 -0500] User: 2 on 213.255.218.244; Message for undisclosed-recipients:;;

217.194.147.131 and 213.255.218.244 are not my clients' addresses.

apache access log
217.194.147.131 - - [13/May/2009:16:57:22 -0500] "GET /?_task=mail&_action=check-recent&_t=1242252267513&_list=1&_quota=1&_remote=1 HTTP/1.1" 200 87
217.194.147.131 - - [13/May/2009:16:57:42 -0500] "GET /?_task=mail&_action=check-recent&_t=1242252286888&_list=1&_quota=1&_remote=1 HTTP/1.1" 200 87
217.194.147.131 - - [13/May/2009:16:58:25 -0500] "GET /?_task=mail&_action=check-recent&_t=1242252327528&_list=1&_quota=1&_remote=1 HTTP/1.1" 200 754
217.194.147.131 - - [13/May/2009:16:58:42 -0500] "GET /?_task=mail&_action=check-recent&_t=1242252346898&_list=1&_quota=1&_remote=1 HTTP/1.1" 200 87
217.194.147.131 - - [13/May/2009:16:59:25 -0500] "GET /?_task=mail&_action=check-recent&_t=1242252387533&_list=1&_quota=1&_remote=1 HTTP/1.1" 200 762
217.194.147.131 - - [13/May/2009:16:59:42 -0500] "GET /?_task=mail&_action=check-recent&_t=1242252406908&_list=1&_quota=1&_remote=1 HTTP/1.1" 200 87
217.194.147.131 - - [13/May/2009:17:00:23 -0500] "GET /?_task=mail&_action=check-recent&_t=1242252447550&_list=1&_quota=1&_remote=1 HTTP/1.1" 200 87
217.194.147.131 - - [13/May/2009:17:00:48 -0500] "GET /?_task=mail&_action=check-recent&_t=1242252466920&_list=1&_quota=1&_remote=1 HTTP/1.1" 200 87

The question is: is it a security hole in RoundCube, or is the server just misconfigured?

I'm using postfix+mysql+postfixadmin+roundcube configuration.

P.S. I can provide more information
P.P.S. Roundcube version: the latest release, v0.2.1

rosali

#1
RoundCube is secure, IMO. In your case it looks like a spammer has cracked an account on your server (username and password).

Both IP's are blacklisted on various DNS blacklists (Email Blacklist Check - See if your server is blacklisted).

He is sending out spam using only the BCC recipients. Enable logging of successful user logins and close the affected accounts.
Regards,
Rosali
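To put rosali's advice into practice, here is an added example (not from the post or from the Roundcube project): a small Python script that parses lines in the sendmail-log format quoted above, aggregates sends per Roundcube user ID, and flags users who send from outside the networks your clients are expected on, or who send repeated BCC-only ("undisclosed-recipients") messages. The sample log lines, the trusted networks and the threshold are constructed assumptions for this example; the first three sample lines mirror the entries in the post. If your Roundcube version has the `log_logins` option (an assumption about this release), the resulting userlogins log can be aggregated by user and IP in the same way.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample data modelled on the Roundcube sendmail log format quoted in the post.
# The first three lines mirror the post's entries; the fourth is an invented, benign send
# from a LAN client so the filter has something it should leave alone.
SAMPLE_SENDMAIL_LOG = """\
[13-May-2009 06:07:37 -0500]: [13-May-2009 06:07:37 -0500] User: 2 on 217.194.147.131; Message for undisclosed-recipients:;;
[13-May-2009 06:14:11 -0500]: [13-May-2009 06:14:11 -0500] User: 2 on 217.194.147.131; Message for undisclosed-recipients:;;
[13-May-2009 08:03:13 -0500]: [13-May-2009 08:03:13 -0500] User: 2 on 213.255.218.244; Message for undisclosed-recipients:;;
[13-May-2009 09:12:02 -0500]: [13-May-2009 09:12:02 -0500] User: 7 on 192.168.10.21; Message for bob@example.org
"""

# Networks the legitimate webmail users are expected to connect from (assumed for the example).
TRUSTED_NETS = [ip_network("192.168.10.0/24"), ip_network("10.0.0.0/8")]

# Leading "[timestamp]:" prefix, then the user id, client IP and recipient list.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}) [+-]\d{4}\]:.*?"
    r"User: (?P<user>\d+) on (?P<ip>[\d.]+); Message for (?P<rcpt>.*)$"
)


def parse_sendmail_log(text):
    """Return one dict per parseable line: timestamp, Roundcube user id, client IP, BCC-only flag."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the format instead of crashing on them
        entries.append({
            "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S"),
            "user": m["user"],
            "ip": ip_address(m["ip"]),
            # Roundcube writes "undisclosed-recipients:;" when To/Cc are empty and only Bcc is used.
            "bcc_only": m["rcpt"].startswith("undisclosed-recipients"),
        })
    return entries


def flag_suspicious(entries, trusted_nets=TRUSTED_NETS, bcc_threshold=2):
    """Per user id, report sends from outside the trusted networks and BCC-only bursts.

    A user is reported if any send came from an untrusted address, or if the number
    of BCC-only messages reaches bcc_threshold. Returns {user_id: summary dict}.
    """
    per_user = defaultdict(lambda: {"untrusted_ips": set(), "bcc_only": 0, "total": 0})
    for e in entries:
        rec = per_user[e["user"]]
        rec["total"] += 1
        if e["bcc_only"]:
            rec["bcc_only"] += 1
        if not any(e["ip"] in net for net in trusted_nets):
            rec["untrusted_ips"].add(str(e["ip"]))

    report = {}
    for user, rec in per_user.items():
        if rec["untrusted_ips"] or rec["bcc_only"] >= bcc_threshold:
            report[user] = {
                "untrusted_ips": sorted(rec["untrusted_ips"]),
                "bcc_only": rec["bcc_only"],
                "total": rec["total"],
            }
    return report


if __name__ == "__main__":
    for user, rec in flag_suspicious(parse_sendmail_log(SAMPLE_SENDMAIL_LOG)).items():
        print(f"user {user}: {rec['bcc_only']}/{rec['total']} BCC-only sends, "
              f"untrusted client IPs: {', '.join(rec['untrusted_ips']) or 'none'}")
```

Run it against the real log (`python3 check_sendlog.py < logs/sendmail`) after adjusting TRUSTED_NETS to your client ranges; a user ID that shows up with several untrusted IPs and only BCC-only sends, as user 2 does in the post, is the account to lock first, and the user ID can be mapped to a login name through Roundcube's `users` table.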

wnd

Quote from: rosali
RoundCube is secure, IMO. In your case it looks like a spammer has cracked an account on your server (username and password).

He is sending out spam using only the BCC recipients. Enable logging of successful user logins and close the affected accounts.

rosali, thank you for your reply. I came up with the same idea and, indeed, one of the users had a virus on their computer. I disabled the suspicious account and now it looks fine. So far so good.

I use roundcube on all my servers as the webmail client and have never had any problems. I'm glad it stays that way.

Regards,
wnd