I got hacked, via RoundCube
So for the last couple of weeks or so, this server has potentially been participating in DDOS attacks (more likely it was sending spam, actually), unbeknownst to me until today. Well, it explains some of the server instability I’ve been having lately.
For some reason, Apache had been dying on me every few days.
I finally looked in my error.log file, and saw the output of wget, downloading a file called k.c from http://66.90.103.116/k.c (they’ve taken it down since, sometime within the last couple of hours. Perhaps they noticed my poking around at their server). Anyway, somehow they were getting in through apache somewhere, downloading this file, compiling it, and running it.
The code itself (a derivative of kaiten.c) logs into an IRC server and watches for commands on which servers to attack or commands to run.
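Since the intrusion was spotted only because wget’s output landed in Apache’s error.log, here is an added example (not from the original post) of a small scanner that looks for that same download-then-compile pattern in an error.log excerpt; the log lines, client IPs and hostnames are constructed, and the regexes assume the wget 1.x stderr banner and gcc diagnostic formats.

```python
import re
from collections import defaultdict

# Constructed Apache error.log excerpt (not from the original post). wget and gcc
# write to stderr, and Apache records a CGI/PHP child's stderr in error.log.
SAMPLE_LOG = """\
[Mon Apr 20 03:12:44 2009] [error] [client 192.0.2.10] --03:12:44--  http://198.51.100.7/k.c
[Mon Apr 20 03:12:44 2009] [error] [client 192.0.2.10]            => `k.c'
[Mon Apr 20 03:12:46 2009] [error] [client 192.0.2.10] 03:12:46 (84.5 KB/s) - `k.c' saved [31337/31337]
[Mon Apr 20 03:12:48 2009] [error] [client 192.0.2.10] k.c:42: warning: implicit declaration of function 'strcpy'
[Mon Apr 20 03:20:01 2009] [error] [client 192.0.2.11] File does not exist: /var/www/favicon.ico
[Mon Apr 20 03:25:09 2009] [error] [client 192.0.2.12] --03:25:09--  http://203.0.113.9/logo.png
"""

# Apache 2.x error.log line: "[timestamp] [error] [client IP] message"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] (?P<msg>.*)$")
# wget banner, old ("--HH:MM:SS--  URL") or new ("--YYYY-MM-DD HH:MM:SS--  URL") style
FETCH_RE = re.compile(r"--[\d:\- ]+--\s+(?P<url>\S+://\S+)")
# wget completion line: "... - `file' saved [bytes/bytes]"
SAVED_RE = re.compile(r"`(?P<file>[^']+)' saved \[")
# gcc diagnostic: "file.c:LINE: warning: ..." / "file.c:LINE: error: ..."
COMPILE_RE = re.compile(r"^(?P<file>[\w.-]+\.c):\d+: (warning|error):")

def find_fetch_and_compile(log_text):
    """Return one finding per client IP whose requests fetched a remote C source
    with wget and then produced compiler diagnostics for that same file name."""
    per_client = defaultdict(lambda: {"urls": [], "saved": set(), "compiled": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        state, msg = per_client[m.group("ip")], m.group("msg")
        fetch = FETCH_RE.search(msg)
        if fetch and fetch.group("url").endswith(".c"):
            state["urls"].append(fetch.group("url"))
        saved = SAVED_RE.search(msg)
        if saved:
            state["saved"].add(saved.group("file"))
        comp = COMPILE_RE.match(msg)
        if comp:
            state["compiled"].add(comp.group("file"))
    findings = []
    for ip, state in per_client.items():
        sources = state["saved"] & state["compiled"]   # downloaded AND compiled
        if state["urls"] and sources:
            findings.append({"client": ip, "urls": state["urls"], "sources": sorted(sources)})
    return findings

if __name__ == "__main__":
    for finding in find_fetch_and_compile(SAMPLE_LOG):
        print(finding)
```

On a real server, run it over the whole error.log (and its rotated copies) rather than the excerpt; a plain fetch of a .png by itself, as in the last sample line, is deliberately not reported.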
I eventually located the point of entry as a bug in the version of Roundcube webmail I was running. I was running a really old version of it (something like version 0.1 beta, I think), and all it took was an apt-get install of the latest version and the security hole is gone.
I’m going to add the news feeds of any software I’m using on this server to my RSS reader in the hopes that I will find out about such security holes (or at least software updates) a bit sooner in the future. I’ll also try to make it a habit to do an apt-get upgrade more often as well.
EDIT: I’ve set up cron-apt as suggested, so that should help me keep things up to date.

April 23rd, 2009 at 2:32 am
There is something like cron-apt. You might like it.
April 23rd, 2009 at 2:41 am
What does cron-apt do when it needs to update config files? I’d hate to leave something in a broken state because it needed a config file update…
EDIT: Never mind, I just read here that it doesn’t install them by default, just downloads them and notifies you about it.
April 23rd, 2009 at 10:28 am
Hey, put your whole entry in the RSS feed.
April 23rd, 2009 at 10:52 am
@Wells, I don’t know if I can make feedburner do that.
EDIT: Whoops, no, it was wordpress that was doing that. Yeah, I can make it do that, but what about the people who will be annoyed when I post long posts?
April 24th, 2009 at 3:04 am
I suggest you subscribe to our announce@ mailing list or follow us on Twitter: http://twitter.com/roundcube
We had a pretty fast turnaround on all exploits that were brought to our attention, but this requires users to update too. If you’re using RoundCube through your favorite package manager, this should be a no-brainer since most OSes notify you on updates (e.g. people mentioned cron-apt before). Regardless, I suggest the above.
Sorry for your issues!
Till
April 24th, 2009 at 3:13 am
@till: by no means do I blame the RoundCube folks for this, since it was me who went so long without updating my server.
It’s good to share things like this, though, so other people will be inspired to update their systems, too.
I’ll follow @roundcube on twitter, thanks!