Remove RoundCube, use squirrelmail. Check your http log, you probably find successful attack on RC (POST method). For example: "POST /roundcube/bin/html2text.php HTTP/1.0"
I got this log from apache. 143.127.102.144 - - [27/Jul/2009:02:23:55 +0700] "POST http://143.127.103.23:25/ HTTP/1.0" 302 - "-" "-" 195.4.92.4 - - [14/Aug/2009:01:00:44 +0700] "CONNECT mtrap.freenet.de:25 HTTP/1.0" 302 - "-" "-" 195.4.92.4 - - [14/Aug/2009:01:00:45 +0700] "PUT http://mtrap.freenet.de:25 HTTP/1.0" 302 - "-" "-" 195.4.92.4 - - [14/Aug/2009:01:00:46 +0700] "PUT http://mail.panentour.com:25 HTTP/1.0" 302 - "-" "-" 195.4.92.4 - - [14/Aug/2009:01:00:47 +0700] "PUT http://localhost:25 HTTP/1.0" 302 - "-" "-" 195.4.92.4 - - [14/Aug/2009:01:00:47 +0700] "POST http://mtrap.freenet.de:25 HTTP/1.0" 302 - "-" "-" 195.4.92.4 - - [14/Aug/2009:01:00:48 +0700] "POST http://mail.panentour.com:25 HTTP/1.0" 302 - "-" "-" 195.4.92.4 - - [14/Aug/2009:01:00:49 +0700] "POST http://localhost:25 HTTP/1.0" 302 - "-" "-" and check http error.log, if you find something like "saved" your server is hacked. :( Check do you have /etc/ssh2 or strange directory in /tmp. Tripwire could help you but IMHO it's too late. --------------------------------------------------------------------------------- Qmailtoaster is sponsored by Vickers Consulting Group (www.vickersconsulting.com) Vickers Consulting Group offers Qmailtoaster support and installations. If you need professional help with your setup, contact them today! --------------------------------------------------------------------------------- Please visit qmailtoaster.com for the latest news, updates, and packages. To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
