Roundcube webmail scanning

I am being hammered from about 30 different IPs, starting a few hours ago, scanning for some vulnerability I assume. So heads up if you are running Roundcube webmail… My OSSEC software has been blocking after 10 attempts.

An example:

91.121.143.70 - - [08/Jan/2009:09:32:11 -0500] "GET /webmail/bin/msgimport HTTP/1.1" 404 298 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
91.121.143.70 - - [08/Jan/2009:09:32:11 -0500] "GET /roundcube/bin/msgimport HTTP/1.1" 404 300 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
91.121.143.70 - - [08/Jan/2009:09:32:11 -0500] "GET /rc/bin/msgimport HTTP/1.1" 404 293 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
91.121.143.70 - - [08/Jan/2009:09:32:11 -0500] "GET /webmail/bin/msgimport HTTP/1.1" 404 298 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
91.121.143.70 - - [08/Jan/2009:09:32:11 -0500] "GET /roundcube/bin/msgimport HTTP/1.1" 404 300 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
91.121.143.70 - - [08/Jan/2009:09:32:11 -0500] "GET /rc/bin/msgimport HTTP/1.1" 404 293 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
91.121.143.70 - - [08/Jan/2009:09:32:11 -0500] "GET /bin/msgimport HTTP/1.1" 404 290 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
91.121.143.70 - - [08/Jan/2009:09:32:11 -0500] "GET /mail/bin/msgimport HTTP/1.1" 404 295 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
91.121.143.70 - - [08/Jan/2009:09:32:10 -0500] "GET /nonexistenshit HTTP/1.1" 404 291 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
91.121.143.70 - - [08/Jan/2009:09:32:11 -0500] "GET /bin/msgimport HTTP/1.1" 404 290 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"

6 Replies

Me too! I'm full of this scanning! My Apache log has had this kind of entry for almost 24h >_<

And I have the same even for phpMyAdmin.

[Tue Jan 06 02:00:09 2009] [error] [client 87.237.209.238] File does not exist: /var/www/admin
[Tue Jan 06 02:00:09 2009] [error] [client 87.237.209.238] File does not exist: /var/www/admin
[Tue Jan 06 02:00:10 2009] [error] [client 87.237.209.238] File does not exist: /var/www/admin
[Tue Jan 06 02:00:10 2009] [error] [client 87.237.209.238] File does not exist: /var/www/phpmyadmin
[Tue Jan 06 02:00:10 2009] [error] [client 87.237.209.238] File does not exist: /var/www/phpMyAdmin
[Tue Jan 06 02:00:10 2009] [error] [client 87.237.209.238] File does not exist: /var/www/db
[Tue Jan 06 02:00:10 2009] [error] [client 87.237.209.238] File does not exist: /var/www/web
[Tue Jan 06 02:00:11 2009] [error] [client 87.237.209.238] File does not exist: /var/www/PMA
[Tue Jan 06 02:00:11 2009] [error] [client 87.237.209.238] File does not exist: /var/www/admin
[Tue Jan 06 02:00:11 2009] [error] [client 87.237.209.238] File does not exist: /var/www/mysql
[Tue Jan 06 02:00:11 2009] [error] [client 87.237.209.238] File does not exist: /var/www/myadmin
[Tue Jan 06 02:00:12 2009] [error] [client 87.237.209.238] File does not exist: /var/www/webadmin
[Tue Jan 06 02:00:12 2009] [error] [client 87.237.209.238] File does not exist: /var/www/sqlweb
[Tue Jan 06 02:00:12 2009] [error] [client 87.237.209.238] File does not exist: /var/www/websql
[Tue Jan 06 02:00:12 2009] [error] [client 87.237.209.238] File does not exist: /var/www/webdb
[Tue Jan 06 02:00:13 2009] [error] [client 87.237.209.238] File does not exist: /var/www/mysqladmin
[Tue Jan 06 02:00:13 2009] [error] [client 87.237.209.238] File does not exist: /var/www/mysql-admin
[Tue Jan 06 02:00:13 2009] [error] [client 87.237.209.238] File does not exist: /var/www/phpmyadmin2
[Tue Jan 06 02:00:13 2009] [error] [client 87.237.209.238] File does not exist: /var/www/php-my-admin
[Tue Jan 06 02:00:13 2009] [error] [client 87.237.209.238] File does not exist: /var/www/phpMyAdmin-2.2.3
[Tue Jan 06 02:00:14 2009] [error] [client 87.237.209.238] File does not exist: /var/www/phpMyAdmin-2.2.6
[Tue Jan 06 02:00:14 2009] [error] [client 87.237.209.238] File does not exist: /var/www/phpMyAdmin-2.5.1
[Tue Jan 06 02:00:14 2009] [error] [client 87.237.209.238] File does not exist: /var/www/phpMyAdmin-2.5.4
[Tue Jan 06 02:00:14 2009] [error] [client 87.237.209.238] File does not exist: /var/www/phpMyAdmin-2.5.6
[Tue Jan 06 02:00:15 2009] [error] [client 87.237.209.238] File does not exist: /var/www/phpMyAdmin-2.6.0
[Tue Jan 06 02:00:15 2009] [error] [client 87.237.209.238] File does not exist: /var/www/phpMyAdmin-2.6.0-pl1
[Tue Jan 06 02:00:15 2009] [error] [client 87.237.209.238] File does not exist: /var/www/phpMyAdmin-2.6.2-rc1
[Tue Jan 06 02:00:15 2009] [error] [client 87.237.209.238] File does not exist: /var/www/phpMyAdmin-2.6.3
[Tue Jan 06 05:48:32 2009] [error] [client 81.180.165.23] File does not exist: /var/www/signup_page.php
[Tue Jan 06 05:48:33 2009] [error] [client 81.180.165.23] File does not exist: /var/www/mantis
[Tue Jan 06 05:48:34 2009] [error] [client 81.180.165.23] File does not exist: /var/www/mantis
[Tue Jan 06 05:48:35 2009] [error] [client 81.180.165.23] File does not exist: /var/www/mantis

[Fri Jan 09 19:18:31 2009] [error] [client 63.247.72.26] File does not exist: /var/www/nonexistenshit
[Fri Jan 09 19:18:31 2009] [error] [client 63.247.72.26] File does not exist: /var/www/mail
[Fri Jan 09 19:18:32 2009] [error] [client 63.247.72.26] File does not exist: /var/www/bin
[Fri Jan 09 19:18:33 2009] [error] [client 63.247.72.26] File does not exist: /var/www/rc
[Fri Jan 09 19:18:35 2009] [error] [client 63.247.72.26] File does not exist: /var/www/roundcube
[Fri Jan 09 19:18:35 2009] [error] [client 63.247.72.26] File does not exist: /var/www/webmail
[Fri Jan 09 20:07:56 2009] [error] [client 212.95.32.211] File does not exist: /var/www/nonexistenshit
[Fri Jan 09 20:07:57 2009] [error] [client 212.95.32.211] File does not exist: /var/www/mail
[Fri Jan 09 20:07:57 2009] [error] [client 212.95.32.211] File does not exist: /var/www/bin
[Fri Jan 09 20:07:57 2009] [error] [client 212.95.32.211] File does not exist: /var/www/rc
[Fri Jan 09 20:07:57 2009] [error] [client 212.95.32.211] File does not exist: /var/www/roundcube
[Fri Jan 09 20:07:57 2009] [error] [client 212.95.32.211] File does not exist: /var/www/webmail

So, what do you guys suggest to prevent this?

Active Scans for Roundcube Vulnerabilities, Possible 0-Day

If you're running ModSecurity, you can create rules to block this activity. There are several Emerging Threats Snort rules out there (see the link… it has the ET rules linked there). ModSecurity has a Perl script that converts Snort rules into ModSecurity rules.

Either that, or create a script that will parse the access_log files, looking for certain strings… make the script add the IPs generating those strings to a block list (hosts.deny or FW rule block).

@dcelasun:

So, what do you guys suggest to prevent this?

I just started dropping all APNIC net blocks. lol. Some RIPE, too.

I did nothing. I'm not getting hit more than 10-20 times a day so it's a negligible amount of traffic.

We've confirmed this is an active exploit for an arbitrary code exploit in RoundCube. Evidence so far points to exploited systems becoming part of a DDoS botnet. There is apparently a fix in the latest release of RoundCube.

-James
