Round Cube Webmail Probes Spreading Rapidly

Our HoneyPoint Security Server deployment has identified a set of 0-day scans and probes against the Round Cube Webmail system.

The probes are originating from infected Linux systems worldwide and appear to be spreading rapidly. The sources are most likely systems that have been infected with a bot-net client or other malware. The impact of a successful probe is currently unknown, but full compromise of the host, or a foothold that can be escalated to full compromise, may be possible.

Research and work with the developers are ongoing. Users of Round Cube Webmail should take steps to remove their systems from Internet access and/or implement additional controls for monitoring and protection. Removal of the msgimport.sh script from the application's bin directory (the probes request it as bin/msgimport) is highly encouraged, though additional entry points may emerge in the future. Note that removing the script makes it unreachable but does not stop the scanning: keep watching web server logs for requests to the paths listed below, since those requests come from hosts that are already infected.

Newer versions of the application may no longer ship the msgimport.sh file.

The current version of the attack requests the following paths. The first is a path that should not exist on any server; it is presumably the scanner's check for hosts that answer every request with 200, so that a "hit" on the later paths can be trusted:

/nonexistenshit

/mail/bin/msgimport

/bin/msgimport

/rc/bin/msgimport

/roundcube/bin/msgimport

/webmail/bin/msgimport
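The monitoring advice above amounts to watching web server logs for exactly these requests. The following is an added example, not code from the original post or from the HoneyPoint product, that scans combined-format access log lines for the probe paths listed above. It collapses repeated slashes (one of the scanning bot-nets sends a doubled "//" in its request) and uses the scanner's own "/nonexistenshit" pre-check to decide whether a 200 on a msgimport path means the script is really reachable or the server simply answers everything with 200. The log lines, IP addresses and timestamps are constructed for the example.

```python
import re
from collections import defaultdict

# Paths requested by the scanner, as listed in the post.  "/nonexistenshit"
# is the scanner's catch-all check, not a Roundcube file.
PROBE_PATHS = {
    "/nonexistenshit",
    "/mail/bin/msgimport",
    "/bin/msgimport",
    "/rc/bin/msgimport",
    "/roundcube/bin/msgimport",
    "/webmail/bin/msgimport",
}
CATCH_ALL_CHECK = "/nonexistenshit"

# Apache/nginx "combined" log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic).  Note the "//bin/msgimport"
# request, which mirrors the doubled-slash variant seen from the Toata bot-net.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2000:09:12:01 -0500] "GET /nonexistenshit HTTP/1.1" 404 294
203.0.113.5 - - [10/Jan/2000:09:12:01 -0500] "GET /mail/bin/msgimport HTTP/1.1" 404 294
203.0.113.5 - - [10/Jan/2000:09:12:02 -0500] "GET /roundcube/bin/msgimport HTTP/1.1" 200 512
198.51.100.7 - - [10/Jan/2000:14:31:40 -0500] "GET //bin/msgimport HTTP/1.1" 404 294
192.0.2.9 - - [10/Jan/2000:14:35:00 -0500] "GET /index.php HTTP/1.1" 200 1024
"""


def normalize_path(path):
    """Drop any query string and collapse runs of '/' so '//bin/msgimport' matches."""
    path = path.split("?", 1)[0]
    return re.sub(r"/{2,}", "/", path)


def parse_line(line):
    """Parse one combined-format line into ip/path/status, or None if it does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "path": normalize_path(m["path"]), "status": int(m["status"])}


def find_probes(lines):
    """Return {client_ip: [(normalized_path, status), ...]} for probe-path requests."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] in PROBE_PATHS:
            hits[rec["ip"]].append((rec["path"], rec["status"]))
    return dict(hits)


def classify(hits):
    """Per scanning client: how many probes, whether the server is a catch-all
    (answered the bogus path with 2xx), and which msgimport paths were actually
    served.  A served path on a non-catch-all host means the script is reachable
    and that host needs attention."""
    report = {}
    for ip, reqs in hits.items():
        catch_all = any(p == CATCH_ALL_CHECK and 200 <= s < 300 for p, s in reqs)
        served = [p for p, s in reqs if p != CATCH_ALL_CHECK and 200 <= s < 300]
        report[ip] = {
            "requests": len(reqs),
            "catch_all": catch_all,
            "reachable": [] if catch_all else served,
        }
    return report


if __name__ == "__main__":
    for ip, info in classify(find_probes(SAMPLE_LOG.splitlines())).items():
        print(ip, info)
```

Run it against a real log with `find_probes(open("/var/log/apache2/access.log"))`; any client appearing in the result is a scanning source, and any entry with a non-empty "reachable" list is a server on which the msgimport script is still being served and should be dealt with first.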

Our HoneyPoint deployment has been reconfigured to capture additional data about this threat, and more information may be available soon. The MSI technical team is working with our clients to ensure they are protected against this and other emerging threats. Our threat detection capability, provided by our HoneyPoint line of products, gives us uniquely deep insight and visibility into bleeding-edge threats. As always, we strive to use that knowledge to protect our clients and the Internet at large.

More information can be found on this issue by following @lbhuston and/or @honeypoint on Twitter. You can also check back on our blog or schedule a call with one of our team members if you have additional needs.

** Update: At around 2:30pm Eastern, the “Toata” bot-net added the signature to its scans as well. In less than 24 hours there are now at least two known bot-nets scanning for the issue. Any bets on how long it will take before “morfeus” scans for it too? Also, note that the URL request from “Toata” has a double // typo in it, so log searches should match on the path with the slashes collapsed rather than on the exact string.

** Another Update: Syhunt has added tests for the issue to Sandcat. They are now available to clients via the update mechanism.

21 thoughts on “Round Cube Webmail Probes Spreading Rapidly”

  1. RoundCube Webmail is an interface to your email system through the web. It has all the functionality you would expect from a modern email client, including MIME support, address book, folder manipulation, message searching and spell checking. Unlike other webmail clients, its user interface is very much native application-like. This means that it has features like drag-and-drop which you are probably used to from applications on your desktop. RoundCube is also highly customizable. Your system administrator can write and install skins to let it fit your corporate identity.

  2. I’m thankful you guys are out there paying attention to where various malware probes are originating from. I have a team of over 11,000 active MLM marketing members worldwide and we do a lot of business online. So we appreciate your hard work. Thanks for all you do to help keep us safe.

  3. One of my sites was compromised a couple of years ago, and working with a programmer to get it fixed really helped me appreciate the complexities of online security. It simply cannot be done without people like you. - Danika

  4. mail/bin/msgimport: I found this file but didn’t know about the others. I think my computer needs a reinstall. Just posted a Q to @honeypoint on Twitter.

  5. I installed Roundcube a few weeks back because my Horde was getting too slow. So far I’ve had no problems except for some graphic applications not displaying properly. While this is already a past issue, I’m glad I found your webpage. Since I’m just new to Roundcube, this will help me understand the email client better.

  6. Roundcube was great compared to Horde, but I am having a few errors. I wonder if I will leave SquirrelMail for Roundcube.

  7. John, what errors do you encounter with Roundcube? I currently use Roundcube with netcleanse without problems.

  8. My business email files at my attorney firm got hacked. What a nightmare. We have the best anti-virus, so I can’t understand how they got through it.

  9. Rather than dealing with things one subject after the other, you may wish to speak about one feature of comparison after another.

  10. There are some antiviruses that are themselves hackers. I once came across one like that. I downloaded it accidentally and then it could not go away until I bought their licensed version!!!

  11. Attractive component to content. I just stumbled upon your site and in accession capital to claim that I get in fact enjoyed account your weblog posts. Any way I’ll be subscribing in your feeds and even I fulfillment you get right of entry to persistently rapidly.

  12. “The probes are originating from infected Linux systems world wide and appear to be spreading rapidly. Infection of systems via a bot-net client or other form of malware is likely.” I’ve read this in a variety of places; it seems that stopping the infection is best done by prevention.

  13. I agree with this: “Our HoneyPoint Security Server deployment has identified a set of 0-day scans and probes against the Round Cube Webmail system.”
    We have had no problems with this system since we put it in our office. Excellent.

  14. At Transmission Warehouse in Las Vegas, NV, our customers come first. We provide prompt, honest transmission services at reasonable prices. Our staff is well-trained to get you and your loved ones safely back on the road. We are the best Transmission Shop in Las Vegas! Don’t hesitate to call us today for any transmission service estimate. Visit http://www.vegas-transmissionrepair.com today.
