roundcube exploit to upload spam-bot through html2text

Bug #317293 reported by Leon van der Ree
Affects: roundcube (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Binary package hint: roundcube

My Ubuntu 8.10 system has been hacked through roundcube 0.1.1 (from the Ubuntu repository).

This exploit is possibly solved in roundcube 0.2-beta; see http://www.roundcubeforum.net/news-announcements/3964-roundcube-news-security-update-0-2-beta.html#post16373 for more info.

I can provide the following logs:

Apache access log:
62.193.202.XX - - [12/Jan/2009:21:48:13 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 759 "-" "-"
62.193.202.XX - - [12/Jan/2009:21:48:27 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 180 "-" "-"
(These are the only two actions performed, as far as can be found in my Apache log.)

In my syslog I can see:
Jan 12 21:48:29 fun4me crontab[10065]: (www-data) REPLACE (www-data)
Jan 12 21:48:29 fun4me crontab[10066]: (www-data) LIST (www-data)

crontab -u www-data -l gives me:
* * * * * /var/tmp/.ICE-unix/.../.tmp/data/mysqld-lock >/dev/null 2>&1

and ls -l /var/tmp/.ICE-unix/.../.tmp/data/ gives me:
-rw-r--r-- 1 www-data www-data 71 2009-01-12 21:48 cron.d
drwxr-xr-x 2 www-data www-data 4096 2009-01-12 21:48 home
-rwxr-xr-x 1 www-data www-data 1063697 2008-01-20 16:42 mysqld
-rw-r--r-- 1 www-data www-data 33 2009-01-12 21:48 mysqld.dir
-rwxr-xr-x 1 www-data www-data 178 2008-01-20 16:42 mysqld-exec
-rwxr-xr-x 1 www-data www-data 359 2008-01-20 16:42 mysqld-install
-rwxr--r-- 1 www-data www-data 244 2009-01-12 21:48 mysqld-lock
-rw-rw-rw- 1 www-data www-data 6 2009-01-12 21:48 mysqld.pid
-rwxr-xr-x 1 www-data www-data 21516 2008-01-20 16:42 xh

xh gets detected as HackTool.Linux.ProcHider.a (Viruslist.com - HackTool.Linux.ProcHider.a).
I guess mysqld is a virus as well, but it does not get detected (yet).

I can provide the virus itself as well, but will not send it publicly.
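A defender-side check over the three pieces of evidence in this report, added here as an example (it is not part of the bug report): it scans Apache access-log lines for POSTs to roundcube's bin/html2text.php, syslog for a crontab REPLACE by the web-server account, and a crontab listing for commands living under a scratch directory or a hidden path component. The sample lines are constructed from those quoted above; the service-account list and scratch-directory list are assumptions.

```python
import re
# Constructed sample input modelled on the lines quoted in the report (reporter's masked IP kept;
# one benign line added to the access log and to syslog so the filters have something to skip).
ACCESS_LOG = (
    '62.193.202.XX - - [12/Jan/2009:21:48:13 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 759 "-" "-"\n'
    '62.193.202.XX - - [12/Jan/2009:21:48:27 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 180 "-" "-"\n'
    '10.0.0.5 - - [12/Jan/2009:21:50:02 +0100] "GET /roundcube/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"\n'
)
SYSLOG = (
    "Jan 12 21:48:29 fun4me crontab[10065]: (www-data) REPLACE (www-data)\n"
    "Jan 12 21:48:29 fun4me crontab[10066]: (www-data) LIST (www-data)\n"
    "Jan 12 22:00:01 fun4me crontab[10200]: (root) LIST (root)\n"
)
# The "..." directory name is literal in the report (a hidden-directory trick), not an elision.
CRONTAB = "* * * * * /var/tmp/.ICE-unix/.../.tmp/data/mysqld-lock >/dev/null 2>&1\n"

# Apache combined log format: ip ident user [ts] "request" status size "referer" "user-agent"
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                       r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
CRONTAB_RE = re.compile(r'^(?P<ts>\w{3} +\d+ [\d:]+) \S+ crontab\[\d+\]: \((?P<user>[^)]+)\) (?P<action>\w+)')
SERVICE_ACCOUNTS = {"www-data"}            # assumption: accounts that should never own a crontab
SCRATCH_DIRS = ("/var/tmp/", "/tmp/", "/dev/shm/")  # assumption: world-writable drop locations

def access_log_findings(text):
    """Flag POSTs to roundcube's bin/html2text.php; the last tuple field marks an empty User-Agent."""
    hits = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m and m["method"] == "POST" and m["path"].endswith("/bin/html2text.php"):
            hits.append(("html2text_post", m["ip"], m["ts"], m["ua"] == "-"))
    return hits

def syslog_findings(text):
    """Flag a crontab REPLACE (crontab installed or overwritten) by a web-server service account."""
    hits = []
    for line in text.splitlines():
        m = CRONTAB_RE.match(line)
        if m and m["action"] == "REPLACE" and m["user"] in SERVICE_ACCOUNTS:
            hits.append(("crontab_replace", m["user"], m["ts"]))
    return hits

def crontab_findings(text):
    """Flag crontab commands located under a scratch dir or containing a hidden path component."""
    hits = []
    for line in text.splitlines():
        fields = line.split(None, 5)           # five schedule fields, then the command string
        if len(fields) < 6 or line.lstrip().startswith("#"):
            continue
        cmd = fields[5].split()[0]             # executable path, without redirections/arguments
        if cmd.startswith(SCRATCH_DIRS) or "/." in cmd:
            hits.append(("crontab_cmd_in_scratch_or_hidden_dir", cmd))
    return hits
```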
