roundcube exploit to upload spam-bot through html2text
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
roundcube (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
Binary package hint: roundcube
My Ubuntu 8.10 system has been hacked through roundcube 0.1.1 (from the Ubuntu repository).
This exploit is possibly solved in roundcube 0.2-beta, see http://
I can provide the following logs:
apache access log:
62.193.202.XX - - [12/Jan/
62.193.202.XX - - [12/Jan/
(These are the only two actions performed, as can be found in my Apache log.)
In my syslog I can see:
Jan 12 21:48:29 fun4me crontab[10065]: (www-data) REPLACE (www-data)
Jan 12 21:48:29 fun4me crontab[10066]: (www-data) LIST (www-data)
crontab -u www-data -l gives me:
* * * * * /var/tmp/
and ls -l /var/tmp/
-rw-r--r-- 1 www-data www-data 71 2009-01-12 21:48 cron.d
drwxr-xr-x 2 www-data www-data 4096 2009-01-12 21:48 home
-rwxr-xr-x 1 www-data www-data 1063697 2008-01-20 16:42 mysqld
-rw-r--r-- 1 www-data www-data 33 2009-01-12 21:48 mysqld.dir
-rwxr-xr-x 1 www-data www-data 178 2008-01-20 16:42 mysqld-exec
-rwxr-xr-x 1 www-data www-data 359 2008-01-20 16:42 mysqld-install
-rwxr--r-- 1 www-data www-data 244 2009-01-12 21:48 mysqld-lock
-rw-rw-rw- 1 www-data www-data 6 2009-01-12 21:48 mysqld.pid
-rwxr-xr-x 1 www-data www-data 21516 2008-01-20 16:42 xh
xh gets detected as HackTool.
I guess mysqld is a virus as well, but it does not get detected (yet).
I can provide the virus itself as well... but will not send it publicly.
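
A defender-side check for the two indicators visible in this report (a crontab `REPLACE` for `www-data` in syslog, and a cron job that runs from `/var/tmp/`), as an added example that is not part of the original bug report. The account list, the directory list, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumed list: service accounts that should normally never edit a crontab.
SERVICE_ACCOUNTS = {"www-data", "nobody", "apache", "nginx"}
# Assumed list: world-writable directories a compromised web process can write to.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Matches the crontab syslog format quoted in the report, e.g.
# "Jan 12 21:48:29 fun4me crontab[10065]: (www-data) REPLACE (www-data)"
CRONTAB_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\scrontab\[(?P<pid>\d+)\]:\s"
    r"\((?P<actor>[^)]+)\)\s(?P<action>[A-Z ]+?)\s\((?P<target>[^)]+)\)"
)

def flag_crontab_events(syslog_lines):
    """Return (timestamp, actor, action, target) for crontab changes to service accounts."""
    hits = []
    for line in syslog_lines:
        m = CRONTAB_RE.match(line)
        if m and m["action"] in ("REPLACE", "DELETE") and m["target"] in SERVICE_ACCOUNTS:
            hits.append((m["ts"], m["actor"], m["action"], m["target"]))
    return hits

def flag_crontab_entries(crontab_text):
    """Return job lines from `crontab -l` output whose command runs from a temp directory."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        n = 1 if line.startswith("@") else 5  # "@reboot cmd" vs. five schedule fields
        parts = line.split(None, n)
        if len(parts) == n + 1 and parts[n].startswith(TEMP_DIRS):
            hits.append(line)
    return hits

# Constructed sample input modelled on the report's log format; the path is a placeholder.
SAMPLE_SYSLOG = [
    "Jan 12 21:48:29 fun4me crontab[10065]: (www-data) REPLACE (www-data)",
    "Jan 12 21:48:29 fun4me crontab[10066]: (www-data) LIST (www-data)",
    "Jan 12 22:01:02 fun4me crontab[10101]: (alice) REPLACE (alice)",
]
SAMPLE_CRONTAB = "# m h dom mon dow command\n* * * * * /var/tmp/EXAMPLE/job\n0 3 * * * /usr/bin/backup\n"

if __name__ == "__main__":
    print(flag_crontab_events(SAMPLE_SYSLOG))
    print(flag_crontab_entries(SAMPLE_CRONTAB))
```
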