Re: [RCU] spam bot using roundcube possibility

2011-04-27 Thread emilio brambilla
hello,

On 04/21/2011 02:29 PM, Jim Pazarena wrote:

 Incidentally, I found a SECOND roundcube 'hack'. Hundreds more
 spam sent out thru roundcube.

yes I did see it on one of my installations too, but they used a few 
accounts with weak passwords to send spam;

after my monitoring system raised the alarm (actually for a strange 
amount of deferred mail) I discovered this and changed the accounts' 
passwords; I never saw the spammer again on this roundcube.

so it was not a roundcube problem, as roundcube was abused with correct 
credentials.

-- 
bye,
emilio
-- 
List info: http://lists.roundcube.net/users/
BT/8f4f07cd


Re: [RCU] spam bot using roundcube possibility

2011-04-27 Thread Claudio Kuenzler
But what about your mailbox users?
It's important to know if Roundcube was hacked or if a privileged user was
used to send automatic e-mails.

It already happened to me that I received an e-mail from BSI (German Federal
Office for Information Security) warning me about an online list which
contained username and password credentials of mailbox users, some of them
also sitting on my hosting server.
What if you block the affected user or change his mailbox password? What
happens then? Do the hacks/attacks/automated mails stop?

On Thu, Apr 21, 2011 at 2:29 PM, Jim Pazarena roundc...@paz.bz wrote:

 On 2011-04-20 1:03 PM, Arthur Titeica wrote:
 
 
  On Thu, 17 Mar 2011 14:53:00 -0700, Jim Pazarena wrote:
 
  I recently discovered a hacker (IP: 41.211.223.83)
  ALL SHOULD BLACKLIST who signed on to my roundcube system
  with login credentials of a legitimate user, and used
  roundcube to send out 82 emails (junk I have a proposal for
  you) to hundreds of recipients EACH.
 
  comments please!
 
  What roundcube version do you have?

 this was 0.5

 I recently upgraded to 0.5.1

 Incidentally, I found a SECOND roundcube 'hack'. Hundreds more
 spam sent out thru roundcube.

 What concerns me is that the attack seemed automated in that
 the number of emails in the short time span could not have
 been injected manually. Suggesting a bot of some sort automatically
 inserting the spam thru the web interface.



Re: [RCU] spam bot using roundcube possibility

2011-04-27 Thread Marinko Tarlać
I had the same situation several times... The problem was in the weak 
passwords, where the username and the password were the same or almost the 
same.

Later I made a small change in the password policy so the stupid users 
can't choose weak passwords (8chr min, at least one uppercase, one 
lowercase, one number)



On 04/21/2011 02:29 PM, Jim Pazarena wrote:
 On 2011-04-20 1:03 PM, Arthur Titeica wrote:

 On Thu, 17 Mar 2011 14:53:00 -0700, Jim Pazarena wrote:

 I recently discovered a hacker (IP: 41.211.223.83)
 ALL SHOULD BLACKLIST who signed on to my roundcube system
 with login credentials of a legitimate user, and used
 roundcube to send out 82 emails (junk I have a proposal for
 you) to hundreds of recipients EACH.

 comments please!
 What roundcube version do you have?
 this was 0.5

 I recently upgraded to 0.5.1

 Incidentally, I found a SECOND roundcube 'hack'. Hundreds more
 spam sent out thru roundcube.

 What concerns me is that the attack seemed automated in that
 the number of emails in the short time span could not have
 been injected manually. Suggesting a bot of some sort automatically
 inserting the spam thru the web interface.

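
Added example, not part of the message above and not Roundcube code: the policy described there (8 characters minimum, one uppercase, one lowercase, one number) written as a check, together with a comparison against the username, because the composition rules alone accept a password such as `Jsmith01` for user `jsmith`. The function names, the digit-for-letter table and the 0.75 similarity threshold are assumptions chosen for illustration.

```python
import difflib
import re

MIN_LENGTH = 8  # "8chr min" from the policy described in the thread

# Assumed table of common digit/symbol-for-letter swaps (0->o, 1->i, 3->e, ...).
_SWAPS = str.maketrans("013457@$", "oieastas")


def _core(text):
    """Lowercase, undo common character swaps, keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(_SWAPS))


def password_problems(username, password, max_similarity=0.75):
    """Return the reasons a password is rejected; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")

    # Username check: compare the mailbox local part with the password after
    # both are reduced to their letters, so "Jsmith01" still matches "jsmith".
    user_core = _core(username.split("@", 1)[0])
    pass_core = _core(password)
    if user_core and pass_core:
        ratio = difflib.SequenceMatcher(None, user_core, pass_core).ratio()
        contained = len(user_core) >= 3 and user_core in pass_core
        if contained or ratio >= max_similarity:
            problems.append("same or almost the same as the username")
    return problems


if __name__ == "__main__":
    # Constructed sample accounts, not taken from the thread.
    for user, pw in [("jsmith", "jsmith"),
                     ("jsmith@example.org", "Jsmith01"),
                     ("webmaster", "Webmastr2011"),
                     ("jsmith", "Tr4il-Mix-Oven")]:
        print(user, pw, password_problems(user, pw) or "accepted")
```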


Re: [RCU] spam bot using roundcube possibility

2011-04-26 Thread JKL
On 03/17/2011 10:53 PM, Jim Pazarena wrote:
 I recently discovered a hacker (IP: 41.211.223.83)
 ALL SHOULD BLACKLIST who signed on to my roundcube system
 with login credentials of a legitimate user, and used
 roundcube to send out 82 emails (junk I have a proposal for
 you) to hundreds of recipients EACH.

 Spamming thousands of people!

 I enforce SSL connectivity.

 This felon logged in twice, @13:49 and 15:31. But without a
 log OUT time, I can't tell if this felon sat there cutting
 and pasting, or if it was an automated attack.

 Question: are there BOTS which can do this automatically?

 This has me furious, and wonder just how anal I have to get
 checking roundcube logins?

 comments please!

How many user accounts were affected, or was it only one?

Have you got any log files on how your RoundCube install was
compromised, or was it RC?  Perhaps, it was mysql, or another vector?

Are you sure that the user of the compromised account was not a victim of a
virus/key-logger/phishing attack?  

Regards.

