Opened 4 years ago
Closed 4 years ago
#1485728 closed Bugs (duplicate)
Possible security problem
| Reported by: | jpargudo | Owned by: | |
|---|---|---|---|
| Priority: | 5 | Milestone: | 0.2.1 |
| Component: | Security | Version: | 0.1.1 |
| Severity: | major | Keywords: | security hole |
| Cc: | | | |
Description
Hi all,
I got a "dedibox" (a personal server hosted in France by Free). It runs Ubuntu Server, intrepid version.
Everything is up-to-date.
Kernel version: (ubuntu package)
Linux home 2.6.27-11-generic #1 SMP Thu Jan 29 19:24:39 UTC 2009 i686 GNU/Linux
Apache version: (ubuntu package)
Version: 2.2.9-7ubuntu3
php5 version: (ubuntu package)
PHP 5.2.6-2ubuntu4 with Suhosin-Patch 0.9.6.2 (cli) (built: Oct 14 2008 20:06:32)
Roundcube installed version (Ubuntu package)
Version: 0.1.1-7
Please ask me if you need more info about my system.
Since early February, I've been searching for the "hole" in my box that allows some intruder bots to upload things to /tmp (like this one, which I saw in error.log from Apache:
http://www.freewebs.com/spaniola/flood.txt (I don't understand why this is still online; I already asked the admins of this site days ago to close this webpage!)).
I got other versions of this file, and other things.
What I've done quickly is to change permissions on wget so that only root can use it now (wget was used to upload the file)... I also changed other things I won't explain here.
I also wrote a perl script to tidy up things periodically. I won't give the content of this script here, for evident security reasons.
So I'm *half hacked*. It means someone uses a hole somewhere in my web applications to upload such a file, and execute it.
I left the box as is, to find where the hole is.
I'm not saying Roundcube has security problems, but *it may* be one of the possible security holes; look at what I've seen today.
It's in /var/log/user.log file:
Feb 4 01:05:36 home apache2: PHP Warning: include(/tmp/ku.txt) [<a href='function.include'>function.include</a>]: failed to open stream: No such file or directory in /usr/share/roundcube/program/lib/html2text.inc(381) : regexp code(1) : eval()'d code on line 1
Feb 4 01:05:36 home apache2: PHP Warning: include() [<a href='function.include'>function.include</a>]: Failed opening '/tmp/ku.txt' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /usr/share/roundcube/program/lib/html2text.inc(381) : regexp code(1) : eval()'d code on line 1
Feb 5 17:01:07 home apache2: PHP Warning: include(/tmp/ku.txt) [<a href='function.include'>function.include</a>]: failed to open stream: No such file or directory in /usr/share/roundcube/program/lib/html2text.inc(381) : regexp code(1) : eval()'d code on line 1
Feb 5 17:01:07 home apache2: PHP Warning: include() [<a href='function.include'>function.include</a>]: Failed opening '/tmp/ku.txt' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /usr/share/roundcube/program/lib/html2text.inc(381) : regexp code(1) : eval()'d code on line 1
Feb 6 22:23:04 home apache2: PHP Warning: include(/tmp/raz.txt) [<a href='function.include'>function.include</a>]: failed to open stream: No such file or directory in /usr/share/roundcube/program/lib/html2text.inc(381) : regexp code(1) : eval()'d code on line 1
Feb 6 22:23:04 home apache2: PHP Warning: include() [<a href='function.include'>function.include</a>]: Failed opening '/tmp/raz.txt' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /usr/share/roundcube/program/lib/html2text.inc(381) : regexp code(1) : eval()'d code on line 1
Those text files (e.g. ku.txt) are in fact PHP programs that open a remote shell, giving remote access to the machine as the apache user.
Despite the apache user being "/bin/false", the program can run!?
I assume my problem may be really elsewhere in my config or programs (apache, php... there are a lot of things).
But since the "attacker" seems to deal with "usr/share/roundcube/program" I just wanted to warn you of a possible security problem, somewhere.
I'll add that I will follow this ticket; don't hesitate to ask me for more info.
Cheers!
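A triage aid for the warnings quoted in the report, added here as an example and not part of the ticket or of Roundcube: it parses syslog-forwarded PHP error lines, extracts the path handed to include(), and flags entries whose origin is eval()'d code or whose path lives in a world-writable staging directory such as /tmp, then counts attempts per executing script so the component that keeps showing up stands out. The sample lines are constructed from the ones in the report plus two benign entries for contrast; the regexes, the staging-directory list and the function names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the /var/log/user.log lines quoted in the ticket
# (include attempts on /tmp from eval()'d code) plus two benign entries for contrast.
SAMPLE_LOG = """\
Feb 4 01:05:36 home apache2: PHP Warning: include(/tmp/ku.txt) [<a href='function.include'>function.include</a>]: failed to open stream: No such file or directory in /usr/share/roundcube/program/lib/html2text.inc(381) : regexp code(1) : eval()'d code on line 1
Feb 4 01:05:36 home apache2: PHP Warning: include() [<a href='function.include'>function.include</a>]: Failed opening '/tmp/ku.txt' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /usr/share/roundcube/program/lib/html2text.inc(381) : regexp code(1) : eval()'d code on line 1
Feb 6 22:23:04 home apache2: PHP Warning: include(/tmp/raz.txt) [<a href='function.include'>function.include</a>]: failed to open stream: No such file or directory in /usr/share/roundcube/program/lib/html2text.inc(381) : regexp code(1) : eval()'d code on line 1
Feb 7 09:12:00 home apache2: PHP Warning: include(config/local.inc.php) [<a href='function.include'>function.include</a>]: failed to open stream: No such file or directory in /var/www/site/index.php on line 3
Feb 7 09:12:05 home apache2: PHP Notice: Undefined index: foo in /var/www/site/index.php on line 12
"""

# Syslog-forwarded PHP error: "<ts> <host> <proc>: PHP <level>: <msg> in <origin> on line <n>"
ENTRY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>\S+): "
    r"PHP (?P<level>Warning|Notice|Fatal error|Parse error): (?P<msg>.*) in (?P<origin>.+) on line (?P<line>\d+)$"
)
# "<file>(<line>)" prefix PHP puts in front of the origin when the failing code was evaluated at runtime
ORIGIN_RE = re.compile(r"^(?P<file>[^(]+)\((?P<line>\d+)\)")
# The second warning of each pair only names the path in its "Failed opening" text
OPEN_RE = re.compile(r"Failed opening '(?P<path>[^']+)' for inclusion")
CALL_RE = re.compile(r"\binclude(?:_once)?\((?P<path>[^)]+)\)")
# World-writable directories an unprivileged process can stage files in (assumed list)
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Finding:
    ts: str
    host: str
    app_file: str     # script PHP was executing (html2text.inc in the ticket)
    app_line: int
    included: str     # path handed to include()
    via_eval: bool    # origin says "eval()'d code": the include ran inside dynamically evaluated code
    untrusted: bool   # included path is in a staging directory or is a URL


def parse_entries(text: str) -> List[dict]:
    """Parse syslog-style PHP error lines into dicts; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def _included_path(msg: str) -> Optional[str]:
    m = OPEN_RE.search(msg) or CALL_RE.search(msg)
    return m.group("path") if m else None


def _is_untrusted(path: str) -> bool:
    return path.startswith(STAGING_DIRS) or re.match(r"^[a-z][a-z0-9+.-]*://", path) is not None


def find_suspicious_includes(text: str) -> List[Finding]:
    """Return include() warnings that ran from eval()'d code or pulled from an untrusted location."""
    findings = []
    for e in parse_entries(text):
        included = _included_path(e["msg"])
        if included is None:
            continue
        origin = e["origin"]
        via_eval = "eval()'d code" in origin
        untrusted = _is_untrusted(included)
        if not (via_eval or untrusted):
            continue
        om = ORIGIN_RE.match(origin)
        app_file = om.group("file") if om else origin
        app_line = int(om.group("line")) if om else int(e["line"])
        findings.append(Finding(e["ts"], e["host"], app_file, app_line, included, via_eval, untrusted))
    return findings


def summarize(findings: List[Finding]) -> Dict[Tuple[str, str], int]:
    """Count attempts per (executing script, included path) to see which component keeps appearing."""
    counts: Dict[Tuple[str, str], int] = {}
    for f in findings:
        key = (f.app_file, f.included)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_suspicious_includes(SAMPLE_LOG)
    for f in hits:
        flags = ",".join(name for name, on in (("eval", f.via_eval), ("untrusted-path", f.untrusted)) if on)
        print(f"{f.ts} {f.host} {f.app_file}:{f.app_line} include({f.included}) [{flags}]")
    print(summarize(hits))
```

On the constructed sample the benign include of a relative config path and the Notice are left alone, while the three /tmp attempts are reported against html2text.inc line 381, which is the same grouping a reader of the original log would do by hand.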
Change History (1)
comment:1 Changed 4 years ago by alec
- Component changed from Other to Security issue
- Milestone changed from later to 0.2.1
- Resolution set to duplicate
- Status changed from new to closed

You should update your Roundcube installation. The vulnerability was fixed in 0.2-stable, see #1485618.