Last Updated: 2008-12-31 15:27:29 UTC
by David Goldsmith (Version: 1)
Reader Nathan who sent us information about the Roundcube html2text.php vulnerability last week (see our previous diary here) has written in again about a new scan he is seeing for the "msgimport" binary included with Roundcube. Nathan writes:
In regard to the Roundcube vulnerability it appears that attackers are now actively scanning for the presence of Roundcube with a specific user agent. It may be possible to craft a mod_security or fail2ban rule to match against this user agent. Two separate users have reported the scanning as well on separate ARIN netblocks. I have seen these scans first-hand on my webserver. Scans appear to originate from 18.104.22.168/18 with specific allocation details of "Assigned to customer 504". I don't think customer 504 is very nice :)
The User-Agent is in Romanian and translates, "All my love for the devil girl". Do you have any additional information regarding this user-agent and/or the specific vulnerability relating to msgimport? This does not appear to be the same vulnerability regarding code execution in html2text.php. I don't have additional behavior from the clients in the logs due to fail2ban taking action (HTTP 403 on connections without a host-header w/immediate fail2ban). Googling shows that scanning for this vulernability appears to have started around Dec 20th.
default 22.214.171.124 - - [29/Dec/2008:15:52:57 -0600] "GET HTTP/1.1 HTTP/1.1" 400 226 "-" "Toata dragostea mea pentru diavola"
default 126.96.36.199 - - [29/Dec/2008:15:52:57 -0600] "GET /roundcube//bin/msgimport HTTP/1.1" 403 226 "-" "Toata dragostea mea pentru diavola"
188.8.131.52 - - [30/Dec/2008:14:03:28 -0600] "GET /roundcube//bin/msgimport HTTP/1.1" 404 291 "-" "Toata dragostea mea pentru diavola"
Nathan, thanks for the information about the scanning and have a happy New Year.