Houps, forgot to mail the list PS: Fail2ban seem to be very busy today...
173.45.68.130 - - [09/Jan/2009:14:37:38 +0100] "GET /nonexistenshit HTTP/1.1" 404 274 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5" 173.45.68.130 - - [09/Jan/2009:14:37:38 +0100] "GET /mail/bin/msgimport HTTP/1.1" 404 278 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5" 173.45.68.130 - - [09/Jan/2009:14:37:38 +0100] "GET /bin/msgimport HTTP/1.1" 404 273 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5" 173.45.68.130 - - [09/Jan/2009:14:37:38 +0100] "GET /rc/bin/msgimport HTTP/1.1" 404 276 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5" 173.45.68.130 - - [09/Jan/2009:14:37:38 +0100] "GET /roundcube/bin/msgimport HTTP/1.1" 404 283 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5" 173.45.68.130 - - [09/Jan/2009:14:37:38 +0100] "GET /webmail/bin/msgimport HTTP/1.1" 404 281 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5" etc... ---- Maybe msgimport is used to test html2text.php presence ? It's a shell script. Websevers won't execute it but simply return the content as it's was a simple text file.. no ? Regards, On Fri, 09 Jan 2009 15:35:44 +0200, Gokdeniz Karadag <[email protected]> wrote: > There have been reports regarding botnet scans for msgimport.sh > The file should be investigated for security breaches. > > the preg_replace at get_opt seems fishy but I was not able to inject > commands > to it. > > http://stateofsecurity.com/?p=550 > http://isc.sans.org/diary.html?storyid=5599&rss > http://www.linode.com/forums/archive/o_t/t_3796/roundcube_webmail_scanning.html > http://zastita.com/015038/roundcube-webmail-.html > _______________________________________________ > List info: http://lists.roundcube.net/dev/ -- Maximilien Cuony [The_Glu] http://theglu.org _______________________________________________ List info: http://lists.roundcube.net/dev/
