I got hacked, via RoundCube

So for the last couple of weeks or so, this server has potentially been participating in DDOS attacks (more likely it was sending spam, actually), unbeknownst to me until today. Well, it explains some of the server instability I’ve been having lately.

For some reason, Apache had been dying on me every few days.

I finally looked in my error.log file, and saw the output of wget, downloading a file called k.c from http://66.90.103.116/k.c (they’ve taken it down since, sometime within the last couple of hours. Perhaps they noticed my poking around at their server). Anyway, somehow they were getting in through Apache somewhere, downloading this file, compiling it, and running it.
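The tell-tale sign here was wget's own output showing up in Apache's error.log (stderr of whatever the web app spawned lands there). As an added example that is not part of the original post, this small Python scanner runs a few fetch-compile-run indicator rules over constructed error.log lines; the log lines, IP addresses and rule names are all made up for illustration.

```python
import re

# Constructed sample of Apache error.log lines (hypothetical, not from the post):
# stderr of a command spawned by a compromised web app ends up in error.log,
# which is why wget's progress output can sit between Apache's own messages.
SAMPLE_ERROR_LOG = """\
[Tue Mar 10 03:14:07 2009] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
--03:14:09--  http://192.0.2.55/k.c
           => `k.c'
Connecting to 192.0.2.55:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 40,112 [text/x-csrc]
03:14:10 (1.2 MB/s) - `k.c' saved [40112/40112]
k.c: In function 'main':
k.c:812: warning: implicit declaration of function 'fork'
[Tue Mar 10 03:20:00 2009] [notice] caught SIGTERM, shutting down
"""

# Each rule: (name, regex). A match is an indicator of the download-compile-run
# pattern described in the post, not proof of compromise on its own.
RULES = [
    ("wget_fetch", re.compile(r"^--\d{2}:\d{2}:\d{2}--\s+(?P<url>\S+)")),
    ("wget_saved", re.compile(r"- `(?P<file>[^']+)' saved \[")),
    ("source_from_raw_ip", re.compile(r"(?P<url>https?://\d{1,3}(?:\.\d{1,3}){3}/\S+\.(?:c|pl|sh|py))")),
    ("compiler_output", re.compile(r"^(?P<file>\S+\.c):(?:\d+:|\s+In function)")),
]

def scan_error_log(text):
    """Return a list of (line_no, rule_name, evidence) for every rule hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            m = pattern.search(line)
            if m:
                groups = m.groupdict()
                evidence = groups.get("url") or groups.get("file") or m.group(0)
                findings.append((line_no, name, evidence))
    return findings

def fetched_urls(findings):
    """URLs pulled out by the fetch-style rules, deduplicated in order seen."""
    seen = []
    for _, rule, evidence in findings:
        if rule in ("wget_fetch", "source_from_raw_ip") and evidence not in seen:
            seen.append(evidence)
    return seen

if __name__ == "__main__":
    results = scan_error_log(SAMPLE_ERROR_LOG)
    for line_no, rule, evidence in results:
        print(f"line {line_no}: {rule}: {evidence}")
    print("fetched:", fetched_urls(results))
```

On a real box, feed it the actual error.log (`scan_error_log(open(path).read())`) and treat any hit as a reason to look at what the web server's user has been executing, not as a verdict by itself.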

The code itself (a derivative of kaiten.c) logs into an IRC server and watches for commands on which servers to attack or commands to run.

I eventually located the point of entry as a bug in the version of Roundcube webmail I was running. I was running a really old version of it (something like version 0.1 beta, I think), and all it took was an apt-get install of the latest version and the security hole is gone.

I’m going to add the news feeds of any software I’m using on this server to my RSS reader in the hopes that I will find out about such security holes (or at least software updates) a bit sooner in the future. I’ll also try to make it a habit to do an apt-get upgrade more often as well.

EDIT: I’ve set up cron-apt as suggested, so that should help me keep things up to date.