Roundcube may not be safe

Posted: Sun Apr 08, 2018 8:22 am
by AKr0nizz
Today my VPS was suspended due to spam over SMTP via Roundcube.

Most likely a hacker somehow gained access to a root shell. Here are the logs. Be careful and check your servers.

/usr/bin/qrttoppm
/usr/bin/yuvtoppm
/usr/bin/xbmtopbm

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
update 31830 root cwd DIR 8,1 4096 396760 /var/lib/roundcube
update 31830 root rtd DIR 8,1 4096 2 /
update 31830 root txt REG 8,1 625611 918560 /tmp/update
update 31830 root 0u CHR 1,3 0t0 6 /dev/null
update 31830 root 1u CHR 1,3 0t0 6 /dev/null
update 31830 root 2u CHR 1,3 0t0 6 /dev/null
update 31830 root 3u IPv4 7540080 0t0 TCP 13e5.k.hostens.cloud:57616->209.141.61.140:smtp (ESTABLISHED)
update 31830 root 41r FIFO 0,10 0t0 4447782 pipe
update 31830 root 42w FIFO 0,10 0t0 4447782 pipe
update 31830 root 43r FIFO 0,10 0t0 4447783 pipe
update 31830 root 44w FIFO 0,10 0t0 4447783 pipe
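
The pattern in the lsof output above (a process whose executable sits in /tmp and which holds an established outbound SMTP connection) can be checked for mechanically. This is an added example, not part of the original post; the sample input is constructed and modelled on that output, and the function name, directory list and port list are assumptions.

```python
import re

# Constructed sample modelled on the post's lsof output, plus a benign mail daemon.
SAMPLE = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
update 31830 root cwd DIR 8,1 4096 396760 /var/lib/roundcube
update 31830 root txt REG 8,1 625611 918560 /tmp/update
update 31830 root 3u IPv4 7540080 0t0 TCP host.example:57616->192.0.2.25:smtp (ESTABLISHED)
exim4 912 Debian-exim txt REG 8,1 1200000 1234 /usr/sbin/exim4
exim4 912 Debian-exim 5u IPv4 7540100 0t0 TCP host.example:41000->192.0.2.30:smtp (ESTABLISHED)
"""

# Assumed lists: world-writable directories and SMTP service names/ports.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
SMTP_PORTS = {"smtp", "25", "submission", "587", "smtps", "465"}
REMOTE = re.compile(r"->(?P<host>.+):(?P<port>[^:\s]+) \(ESTABLISHED\)$")

def suspicious_mailers(lsof_text):
    """Return processes run from a world-writable dir that talk SMTP outbound."""
    procs = {}
    for line in lsof_text.splitlines():
        f = line.split(None, 8)          # NAME (9th column) may contain spaces
        if len(f) < 9 or not f[1].isdigit():
            continue                     # header or short line
        cmd, pid, user, fd, typ, name = f[0], int(f[1]), f[2], f[3], f[4], f[8]
        p = procs.setdefault(pid, {"pid": pid, "command": cmd, "user": user,
                                   "exe": None, "cwd": None, "smtp_peers": []})
        if fd == "txt" and typ == "REG" and p["exe"] is None:
            p["exe"] = name              # first txt entry is the program image
        elif fd == "cwd":
            p["cwd"] = name
        elif typ in ("IPv4", "IPv6"):
            m = REMOTE.search(name)
            if m and m.group("port") in SMTP_PORTS:
                p["smtp_peers"].append(m.group("host"))
    return [p for p in procs.values()
            if p["exe"] and p["exe"].startswith(WRITABLE_DIRS) and p["smtp_peers"]]

if __name__ == "__main__":
    for hit in suspicious_mailers(SAMPLE):
        print(hit)
```

The working directory is reported alongside each hit because it hints at which application the process was launched from, as /var/lib/roundcube does in the post.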

Re: Roundcube may not be safe

Posted: Mon Apr 09, 2018 7:24 am
by sandy
It depends on certain PHP configurations; it is safe under Vesta.

Re: Roundcube may not be safe

Posted: Mon Apr 09, 2018 7:25 am
by sandy
You are suspended because until yesterday there was an exploit in Vesta, and today it is fixed.