jonathanc
r57 script installed
I think the vulnerability may have enabled installation of a rootkit on one of our DA servers. rkhunter reports SHV4/SHV5 installation on this server.
Eventually tracked down an r.php file (which is actually the r57 script) in the temp folder of my Roundcube installation. Still looking for a full trail, but I am assuming this is part of a Roundcube vulnerability exploitation and helped enable root access.
Can anyone confirm that is a likely use of the Roundcube vulnerability?
For information, the intruders were running many instances of ftp_scanner software, as root, to dictionary attack ftp servers.