> did you check if there is a matching logon on your imap server?

Yes, the domains that I'm referring to are not hosted here, somewhere else,

> maybe
> enable password logging if you can and log in as his user and see what
> he sees?

Hum which setting is this? Can't find anything for logs related to passwords

> did you confirm that your roundcube is configured to use the
> correct imap server?

Well yes, but now I'm thinking, I have the imap server set to be dynamic, it's filled with: mail. + domain.tld
ok this option in Roundcube is grrreeeaaattt, but I think it makes people use my server for webmail! Damn!
How would I tell Roundcube to connect just to my IPs? I could do this via iptables but if some shared hosting user wants to connect to any imap server he would be blocked

> -----Original Message-----
> From: Computerisms Corporation [mailto:[email protected]]
> Sent: Friday, 9 February 2018 17:13
> To: Roundcube Users mailing list; Jorge Bastos
> Subject: Re: [RCU] Security issue (possible?) (was: RE: Unknown user in
> users table, very odd, possible security hole)
>
> did you check if there is a matching logon on your imap server? maybe
> enable password logging if you can and log in as his user and see what
> he sees? did you confirm that your roundcube is configured to use the
> correct imap server?
>
> On 2018-02-09 01:33 AM, Jorge Bastos wrote:
> > Ok, another login just right now:
> >
> > Feb 9 09:25:41 fastweb roundcube: <sm6djv7v> Successful login for
> > [email protected] (ID: 100412) from 110.136.11.0 in session
> > sm6djv7vh6oplo694nff7ng2rp
> >
> > Alec, can you help debugging this?
> >
> > *From:*[email protected]
> > [mailto:[email protected]] *On Behalf Of *Jorge Bastos
> > *Sent:* 9 February 2018 09:18
> > *To:* 'Roundcube Users mailing list' <[email protected]>
> > *Subject:* [RCU] Security issue (possible?) (was: RE: Unknown user in
> > users table, very odd, possible security hole)
> >
> > ALEC!!!!!!!
> >
> > There's some security problem in RC I believe!
> >
> > Check this:
> >
> > Feb 9 01:46:44 fastweb roundcube: <ibj96bvb> Successful login for
> > [email protected] <mailto:[email protected]> (ID:
> > 100412) from 110.136.11.0 in session ibj96bvbj5akqlt5slpc47ikfb
> >
> > This user doesn't belong to any of the IMAP accounts, how was he able
> > to login?
> >
> > After the login, there's some login failed lines:
> >
> > Feb 9 02:47:27 fastweb roundcube: <ibj96bvb> IMAP Error: Login failed
> > for [email protected] <mailto:[email protected]> from
> > 110.136.11.0. Empty startup greeting (mail.adhigunaputera.com:143) in
> > /home/hosting/dhosting.pt/webmail/program/lib/Roundcube/rcube_imap.php
> > on line 196 (POST /webmail/?_task=mail&_action=refresh)
> >
> > Feb 9 02:48:37 fastweb roundcube: <ibj96bvb> IMAP Error: Login failed
> > for [email protected] <mailto:[email protected]> from
> > 110.136.11.0. Empty startup greeting (mail.adhigunaputera.com:143) in
> > /home/hosting/dhosting.pt/webmail/program/lib/Roundcube/rcube_imap.php
> > on line 196 (POST /webmail/?_task=mail&_action=refresh)
> >
> > Feb 9 02:49:47 fastweb roundcube: <ibj96bvb> IMAP Error: Login failed
> > for [email protected] <mailto:[email protected]> from
> > 110.136.11.0. Empty startup greeting (mail.adhigunaputera.com:143) in
> > /home/hosting/dhosting.pt/webmail/program/lib/Roundcube/rcube_imap.php
> > on line 196 (POST /webmail/?_task=mail&_action=refresh
> >
> > (funny the IP is the network IP)
> >
> > What's the best place to move forward with investigation with this
> > issue, here or dev list?
> >
> > Could you assist me on this?
> >
> > Thank you in advance,
> >
> > *From:*[email protected]
> > <mailto:[email protected]>
> > [mailto:[email protected]] *On Behalf Of *Hannu
> > Hirvonen
> > *Sent:* 8 February 2018 20:43
> > *To:* [email protected] <mailto:[email protected]>
> > *Subject:* Re: [RCU] Unknown user in users table, very odd, possible
> > security hole
> >
> > On 08.02.2018 22:34, Jorge Bastos wrote:
> >
> >     Not in there but you made me remind about:
> >
> >     // Log successful/failed logins to <log_dir>/userlogins or to
> >     syslog
> >
> > That's why I said "something like ...", might have been a bit clearer,
> > of course :-)
> >
> > --
> > Hannu Hirvonen ([email protected]
> > <mailto:[email protected]>,http://www.uwasa.fi/~hh/)
> > Computer Centre, University of Vaasa, BOX 700, FI-65101 VAASA,
> > Finland
> >
> > _______________________________________________
> > Roundcube Users mailing list
> > [email protected]
> > http://lists.roundcube.net/mailman/listinfo/users
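
Added example (not part of the original thread and not Roundcube code): a small Python check over Roundcube login log lines in the format quoted above, flagging successful logins for mail domains this server does not host and listing the external IMAP hosts seen in later errors for the same session prefix. The hosted-domain list, addresses and log lines are constructed sample values.

```python
import re

# Assumption: the mail domains really hosted on this server (hypothetical value).
HOSTED_DOMAINS = {"hosted-example.pt"}

# Line formats follow the syslog entries quoted in the thread.
LOGIN_RE = re.compile(
    r"roundcube: <(?P<sid>\w+)> Successful login for "
    r"(?P<user>\S+@(?P<domain>[\w.-]+)) \(ID: (?P<uid>\d+)\) "
    r"from (?P<ip>[\d.]+) in session"
)
IMAP_ERR_RE = re.compile(
    r"roundcube: <(?P<sid>\w+)> IMAP Error: Login failed for \S+ "
    r"from [\d.]+\. .*?\((?P<host>[\w.-]+):(?P<port>\d+)\)"
)

# Constructed sample log (documentation IPs and example domains).
SAMPLE_LOG = [
    "Feb 9 01:40:02 fastweb roundcube: <k3p0aa11> Successful login for "
    "alice@hosted-example.pt (ID: 12) from 198.51.100.4 in session k3p0aa11xyz",
    "Feb 9 01:46:44 fastweb roundcube: <ibj96bvb> Successful login for "
    "mallory@foreign-example.com (ID: 100412) from 203.0.113.7 in session ibj96bvbabc",
    "Feb 9 02:47:27 fastweb roundcube: <ibj96bvb> IMAP Error: Login failed for "
    "mallory@foreign-example.com from 203.0.113.7. Empty startup greeting "
    "(mail.foreign-example.com:143) in /path/rcube_imap.php on line 196 "
    "(POST /webmail/?_task=mail&_action=refresh)",
]

def find_foreign_logins(lines, hosted=HOSTED_DOMAINS):
    """Map session prefix -> details for logins whose domain is not hosted here."""
    findings = {}
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            if m["domain"].lower() not in hosted:
                findings[m["sid"]] = {"user": m["user"], "uid": int(m["uid"]),
                                      "ip": m["ip"], "imap_hosts": set()}
            continue
        m = IMAP_ERR_RE.search(line)
        if m and m["sid"] in findings:
            # Records which external IMAP server the webmail was pointed at.
            findings[m["sid"]]["imap_hosts"].add(f"{m['host']}:{m['port']}")
    return findings

if __name__ == "__main__":
    for sid, hit in find_foreign_logins(SAMPLE_LOG).items():
        print(sid, hit["user"], hit["ip"], sorted(hit["imap_hosts"]))
```
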
