Old Feb 16th, 2009, 08:28   #1
iamback
Customer
 
Join Date: May 2007
Posts: 11
Code injection via RoundCube

Yesterday, I found my server had been compromised with a code injection, making use of a vulnerability in RoundCube.

References: This lists them as I found them - but note the last thread is from December. And note that any version of RoundCube before 0.2-stable is vulnerable.

I should also mention that I have never used RoundCube - I just happened to stumble over this while investigating how to set up email (so far I have only web sites working). So what there was was simply exactly what was installed by default with DirectAdmin.

I made a ticket (YUG-62160) and asked tech support to remove the injected code and upgrade RoundCube to the latest 0.2-stable. At that time (around 3:30 yesterday afternoon) I'd only found the first reference at the RC site. As I dug further, I found the other threads at the DA forum. Shortly before 6:00 RoundCube had been updated to 0.2 - but I found it was not functional, and so far that is still the status.

I'm posting here for three reasons:
  1. Mostly, a heads-up to all users of DirectAdmin who may have a vulnerable version of RoundCube on their VPS
  2. To express my disappointment that apparently SolidHost was not aware of this vulnerability, and warned their customers about it
  3. To express my amazement that it takes so long for Tech Support to replace RoundCube with a working installation of version 2.0 (the forum threads I linked to in my ticket mention various problems getting it to work - which is precisely why I didn't try to do it myself!)

I hope this is at least useful to someone.
Old Feb 16th, 2009, 13:04   #2
iamback
Customer
 
Join Date: May 2007
Posts: 11

Update: RoundCube is now operational again on my VPS.
Old Feb 16th, 2009, 14:40   #3
SH-Andre
SolidHost Crew
 
Join Date: Sep 2001
Posts: 850

Quote:
Originally Posted by iamback
To express my disappointment that apparently SolidHost was not aware of this vulnerability, and warned their customers about it

Please note that when this vulnerability was detected at the end of December 2008, we sent out a mailing to all customers that have a VPS or dedicated server with DirectAdmin with us. In that email, full instructions were included on how to patch this security problem. For customers with pro-active support, this problem was fixed immediately (pro-actively).

If you haven't received that message, it may have ended up in your spam filter. In that case I would highly recommend whitelisting *@solidhost.com to ensure that you always receive our messages.

-----------------
Andre van Vliet
SolidHost Administrators

Solid as a Rock
Old Feb 16th, 2009, 14:53   #4
iamback
Customer
 
Join Date: May 2007
Posts: 11

Andre,

Thanks, I'm very glad to hear you did send out an email!

Unfortunately, I didn't get it! (If it ended up in a spam filter, it's long gone now.)

Still, I wonder: if you had full instructions, why did it take so much time for tech support to get RC back to a working state? It's fixed now, but usually problems are fixed much speedier.
Old Feb 16th, 2009, 20:56   #5
SH-Andre
SolidHost Crew
 
Join Date: Sep 2001
Posts: 850

I have no idea, perhaps there were some unusual circumstances which made it harder to fix. If you can tell me the ticket ID I'll see whether I can find out.

-----------------
Andre van Vliet
SolidHost Administrators

Solid as a Rock
Old Feb 18th, 2009, 06:44   #6
iamback
Customer
 
Join Date: May 2007
Posts: 11

Andre, see my first post: YUG-62160.
All times are GMT +2.