Roundcube may not be safe
Roundcube may not be safe
Today my VPS was suspended due to Spam over smtp via Roundcube.
Most likely that somehow hacker gained access to root shell. Here are the logs. Be careful and check your servers.
/usr/bin/qrttoppm
/usr/bin/yuvtoppm
/usr/bin/xbmtopbm
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
update 31830 root cwd DIR 8,1 4096 396760 /var/lib/roundcube
update 31830 root rtd DIR 8,1 4096 2 /
update 31830 root txt REG 8,1 625611 918560 /tmp/update
update 31830 root 0u CHR 1,3 0t0 6 /dev/null
update 31830 root 1u CHR 1,3 0t0 6 /dev/null
update 31830 root 2u CHR 1,3 0t0 6 /dev/null
update 31830 root 3u IPv4 7540080 0t0 TCP 13e5.k.hostens.cloud:57616->209.141.61.140:smtp (ESTABLISHED)
update 31830 root 41r FIFO 0,10 0t0 4447782 pipe
update 31830 root 42w FIFO 0,10 0t0 4447782 pipe
update 31830 root 43r FIFO 0,10 0t0 4447783 pipe
update 31830 root 44w FIFO 0,10 0t0 4447783 pipe
Most likely that somehow hacker gained access to root shell. Here are the logs. Be careful and check your servers.
/usr/bin/qrttoppm
/usr/bin/yuvtoppm
/usr/bin/xbmtopbm
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
update 31830 root cwd DIR 8,1 4096 396760 /var/lib/roundcube
update 31830 root rtd DIR 8,1 4096 2 /
update 31830 root txt REG 8,1 625611 918560 /tmp/update
update 31830 root 0u CHR 1,3 0t0 6 /dev/null
update 31830 root 1u CHR 1,3 0t0 6 /dev/null
update 31830 root 2u CHR 1,3 0t0 6 /dev/null
update 31830 root 3u IPv4 7540080 0t0 TCP 13e5.k.hostens.cloud:57616->209.141.61.140:smtp (ESTABLISHED)
update 31830 root 41r FIFO 0,10 0t0 4447782 pipe
update 31830 root 42w FIFO 0,10 0t0 4447782 pipe
update 31830 root 43r FIFO 0,10 0t0 4447783 pipe
update 31830 root 44w FIFO 0,10 0t0 4447783 pipe
Re: Roundcube may not be safe
its depends on certain php configurations, it is safe under vesta
Re: Roundcube may not be safe
since your are suspended because until yesterday there was an exploit in vesta and today it is fixed