Joop Beris wrote:
On Wednesday 04 February 2009 08:39:24 David C. Rankin wrote:
I get roundcube is a mail package, but I don't have it. So why are people looking for it on my web server. Is it a compromised app that people are looking to exploit? Anybody running it?
Scriptkiddies looking for an exploitable installation of roundcube to send spam, most likely. I see them constantly as well. Useragent log tells me that they are using "Morfeus F*cking Scanner" or some such.
Look at fail2ban for ways to foil their nasty plan. :-)
HTH,
Joop
Joop, To have a little fun, I did an experiment. It seems that the hits I get are primarily looking for html2text.php or msgimport.php in the /roundcube/bin directory. So, I took an 8 Meg pdf filing from a court case (it's public record) and renamed it to html2text.php and then linked msgimport.php to it and put it in the /roundcube/bin directory on my server: 11:19 nirvana:/srv/www> l htdocs/roundcube/bin/ total 8132 drwxr-xr-x 2 root root 4096 2009-02-04 01:36 ./ drwxr-xr-x 3 root root 4096 2009-01-30 21:42 ../ -rw-r--r-- 1 root root 8306307 2009-01-30 13:46 html2text.php lrwxrwxrwx 1 root root 13 2009-02-04 01:36 msgimport.php -> html2text.php The apache2/access_log is heartening... -- David C. Rankin, J.D.,P.E. Rankin Law Firm, PLLC 510 Ochiltree Street Nacogdoches, Texas 75961 Telephone: (936) 715-9333 Facsimile: (936) 715-9339 www.rankinlawfirm.com -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org