Roundcube vulnerability?

r57 script installed

I think the vulnerability may have enabled installation of a rootkit on one of our DA servers. rkhunter reports SHV4/SHV5 installation on this server.

Eventually tracked down an r.php file (which is actually the r57 script) in the temp folder of my Roundcube installation. Still looking for a full trail, but I am assuming this is part of a Roundcube vulnerability exploitation and helped enable root access.

Can anyone confirm that this is a likely use of the Roundcube vulnerability?

For information, the intruders were running many instances of the ftp_scanner software, as root, to dictionary-attack FTP servers.
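As an added example, not from this thread and not Roundcube's or DirectAdmin's own code: a POSIX shell triage script that checks for the two indicators the poster describes, PHP files planted in Roundcube's temp directory that call the code-execution functions r57-style shells rely on, and ftp_scanner processes owned by root. The Roundcube temp path, the function-name pattern and the sample data are assumptions constructed for the example.

```shell
#!/bin/sh
# Added triage example; not code from the thread, Roundcube or DirectAdmin.
# Assumptions: the Roundcube temp path below, and that r57-style shells can be
# recognised by the PHP code-execution functions they call.

# Roundcube's temp directory holds uploaded attachments and session data; it
# should never contain PHP source. Path is an assumed default; override via env.
ROUNDCUBE_TEMP="${ROUNDCUBE_TEMP:-/var/www/roundcube/temp}"

# PHP functions that r57 and similar shells use to run attacker input.
# Heuristic, not a signature: it will not catch every obfuscated shell.
SHELL_PATTERN='(eval|base64_decode|passthru|shell_exec|system|exec|popen)[[:space:]]*\('

# php_files_in DIR: print every PHP-looking file under DIR. Any such file in a
# temp/upload directory is suspect on its own, whatever it contains.
php_files_in() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[3457]' \) 2>/dev/null
    return 0
}

# looks_like_webshell FILE: succeed when FILE calls one of the functions above.
looks_like_webshell() {
    grep -Eqi "$SHELL_PATTERN" "$1"
}

# suspect_files DIR: print the PHP files under DIR that look like web shells.
suspect_files() {
    php_files_in "$1" | while IFS= read -r f; do
        if looks_like_webshell "$f"; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# root_scanner_procs LISTING: from a 'ps -eo user,pid,args' listing (a file,
# or '-' for stdin), print ftp_scanner processes owned by root.
root_scanner_procs() {
    awk '$1 == "root" && tolower($0) ~ /ftp_scanner/ { print }' "$1"
    return 0
}

# demo: run the checks over constructed sample data (invented for this example).
demo() {
    d=$(mktemp -d)
    mkdir "$d/temp"
    # Stand-in for the r.php the poster found; the real r57 is far larger.
    printf '<?php eval(base64_decode($_POST["c"])); ?>\n' > "$d/temp/r.php"
    # A normal Roundcube upload placeholder, which is not PHP.
    printf 'attachment bytes\n' > "$d/temp/rcmAttmt1a2b3c"
    # Constructed process listing: one root ftp_scanner and one benign process.
    printf 'root 4242 ./ftp_scanner -d pass.txt hosts.txt\napache 513 /usr/sbin/httpd\n' > "$d/ps.txt"
    echo "Suspect PHP under $d/temp:"; suspect_files "$d/temp"
    echo "ftp_scanner running as root:"; root_scanner_procs "$d/ps.txt"
    rm -r "$d"
}

# Live use on the affected host:  suspect_files "$ROUNDCUBE_TEMP"
#                                 ps -eo user,pid,args | root_scanner_procs -
# 'sh triage.sh demo' runs the same checks against the constructed data.
if [ "${1:-}" = demo ]; then demo; fi
```

Two caveats for anyone running this on a box like the one described. First, SHV-family rootkits replace system binaries such as ps, ls and netstat, so once rkhunter reports SHV4/SHV5 the host's own tools cannot be trusted; run the checks from a clean boot medium or against a copy of the disk. Second, a web shell in the webmail temp directory is evidence of code execution as the web server user only; getting from there to root needs a separate privilege escalation, so the trail the poster is looking for has at least two steps, and the second one is the one to find.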
 
I think it is unlikely, but then again one attack may have led to another attack which gave them root.
 
You have to realize I install DA on average on a weekly basis. I have a file that contains all the things I have to do to not only set up DA but all the other things and customizations I have to do. I cannot possibly remember every single thing, so I do a lot of copying and pasting.

I paste this line to install DA

Code:
sh setup.sh UID LID hostname eth0

I edit the UID, LID and hostname. I don't have to answer any questions. I don't have to edit any options file or config file.
I've started a new thread, here, to discuss possible shortcuts to producing DirectAdmin servers. I'm soliciting ideas and hope you'll look at, and respond to, the new post.

Thanks.

Jeff
 