Last night, HITME began to pick up multiple sources scanning for a new target in the RoundCube Webmail product: the file “list.js” (program/js/list.js). The requests come from the Toata bot, which tries the file under the usual RoundCube install paths, and low levels of port 80 scanning matching these probes are ongoing. SANS and the project owners have been informed.
We have not observed any exploitation in connection with these scans so far, but cataloguing is ongoing. The attacker's intent is currently unknown, as is whether the file contains any vulnerability at all. A GET for a static JavaScript file cannot itself exploit anything; the most plausible reading is that the bot is fingerprinting hosts for reachable RoundCube installs and their install paths, with any follow-on activity still to be seen.
The following are the requests captured from one probing host (honeypot addresses are redacted as xx.xx.xx.xx; the alerts are listed newest first):
XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:41 on port 80
Alert Data: GET /rc/program/js/list.js HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Toata dragostea mea pentru diavola
Host: xx.xx.xx.xx
Connection: Close
XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:39 on port 80
Alert Data: GET /roundcubemail/program/js/list.js HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Toata dragostea mea pentru diavola
Host: xx.xx.xx.xx
Connection: Close
XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:38 on port 80
Alert Data: GET /roundcube/program/js/list.js HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Toata dragostea mea pentru diavola
Host: xx.xx.xx.xx
Connection: Close
XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:36 on port 80
Alert Data: GET /webmail/program/js/list.js HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Toata dragostea mea pentru diavola
Host: xx.xx.xx.xx
Connection: Close
XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:35 on port 80
Alert Data: GET /email/program/js/list.js HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Toata dragostea mea pentru diavola
Host: xx.xx.xx.xx
Connection: Close
Once again, users of RoundCube Webmail are urged to add monitoring for these probes (the Toata user agent, and any request ending in /program/js/list.js under any install path, not only the default one), to stay current on all patches and updates, and to take other precautions. Consider removing RoundCube from direct Internet exposure, for example by placing it behind a VPN or an authenticating reverse proxy, until these and other ongoing issues are mitigated.
I have been getting HTTP requests like this too. Here’s my IIS log. (My server is not referenced anywhere on the Internet, so the IP should not be known.)
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2009-03-02 21:31:37
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2009-03-02 21:31:37 192.168.1.94 GET /program/js/list.js - 80 - 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 64 6335
2009-03-02 21:31:37 192.168.1.94 GET /rc/program/js/list.js - 80 - 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 277
2009-03-02 21:31:37 192.168.1.94 GET /roundcube/program/js/list.js - 80 - 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 211
2009-03-02 21:31:37 192.168.1.94 GET /roundcube-0.1/program/js/list.js - 80 - 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 211
2009-03-02 21:31:39 192.168.1.94 GET /roundcube-0.1.1/program/js/list.js - 80 - 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 214
2009-03-02 21:31:39 192.168.1.94 GET /roundcubemail/program/js/list.js - 80 - 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 207
2009-03-02 21:31:39 192.168.1.94 GET /roundcubemail-0.1/program/js/list.js - 80 - 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 231
2009-03-02 21:31:40 192.168.1.94 GET /roundcubemail-0.1.1/program/js/list.js - 80 - 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 208
2009-03-02 21:31:40 192.168.1.94 GET /cube/program/js/list.js - 80 - 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 207
2009-03-02 21:31:40 192.168.1.94 GET /mail/program/js/list.js - 80 - 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 211
2009-03-02 21:31:41 192.168.1.94 GET /mail2/program/js/list.js - 80 - 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 219
2009-03-02 21:31:41 192.168.1.94 GET /webmail/program/js/list.js - 80 - 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 208
2009-03-02 21:31:41 192.168.1.94 GET /email/program/js/list.js - 80 - 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 209
2009-03-02 21:34:09 192.168.1.94 GET /program/js/list.js - 80 - 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 208
2009-03-02 21:34:10 192.168.1.94 GET /rc/program/js/list.js - 80 - 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 209
2009-03-02 21:34:10 192.168.1.94 GET /roundcube/program/js/list.js - 80 - 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 206
2009-03-02 21:34:10 192.168.1.94 GET /roundcube-0.1/program/js/list.js - 80 - 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 207
2009-03-02 21:34:11 192.168.1.94 GET /roundcube-0.1.1/program/js/list.js - 80 - 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 207
2009-03-02 21:34:11 192.168.1.94 GET /roundcubemail/program/js/list.js - 80 - 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 216
2009-03-02 21:34:11 192.168.1.94 GET /roundcubemail-0.1/program/js/list.js - 80 - 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 212
2009-03-02 21:34:12 192.168.1.94 GET /roundcubemail-0.1.1/program/js/list.js - 80 - 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 208
2009-03-02 21:34:12 192.168.1.94 GET /cube/program/js/list.js - 80 - 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 237
2009-03-02 21:34:12 192.168.1.94 GET /mail/program/js/list.js - 80 - 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 220
2009-03-02 21:34:13 192.168.1.94 GET /mail2/program/js/list.js - 80 - 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 208
2009-03-02 21:34:13 192.168.1.94 GET /webmail/program/js/list.js - 80 - 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 212
2009-03-02 21:34:13 192.168.1.94 GET /email/program/js/list.js - 80 - 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 207
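To run the kind of monitoring the post recommends over an IIS log like the one the commenter posted, here is an added example (my code, written for this page; it is not the post's, the commenter's, or the RoundCube project's). It parses IIS W3C extended-format lines using the #Fields directive, flags the probe by the list.js path as well as by the Toata user agent, and reports per source whether any install path actually answered 200. SAMPLE_LOG is constructed for the example with RFC 5737 documentation addresses; the user agent string and the /program/js/list.js suffix are the only values taken from the probes quoted above.

```python
"""Flag Toata-style RoundCube probes (GET .../program/js/list.js) in IIS W3C logs.

Added example, not from the original post or the commenter. SAMPLE_LOG is
constructed for this example (RFC 5737 documentation addresses); only the
user agent string and the list.js path come from the probes quoted on the page.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

TOATA_UA = "Toata dragostea mea pentru diavola"  # user agent quoted in the post
TARGET_SUFFIX = "/program/js/list.js"            # probed under many install paths

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2009-03-02 21:31:37
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2009-03-02 21:31:37 192.0.2.10 GET /program/js/list.js - 80 - 203.0.113.7 Toata+dragostea+mea+pentru+diavola 404 0 2 5
2009-03-02 21:31:37 192.0.2.10 GET /roundcube/program/js/list.js - 80 - 203.0.113.7 Toata+dragostea+mea+pentru+diavola 404 0 2 3
2009-03-02 21:31:38 192.0.2.10 GET /webmail/program/js/list.js - 80 - 203.0.113.7 Toata+dragostea+mea+pentru+diavola 200 0 0 12
2009-03-02 21:31:40 192.0.2.10 GET /index.html - 80 - 198.51.100.22 Mozilla/5.0+(Windows;+U)+Gecko 200 0 0 4
2009-03-02 21:35:02 192.0.2.10 GET /mail/program/js/list.js - 80 - 198.51.100.99 Mozilla/4.0+(compatible;+MSIE+6.0) 404 0 2 3
"""


@dataclass(frozen=True)
class Probe:
    time: str
    client_ip: str
    path: str
    user_agent: str
    status: int


@dataclass
class SourceSummary:
    requests: int = 0
    paths: set = field(default_factory=set)   # install paths this source tried
    toata_ua: bool = False                    # did it use the Toata user agent?
    hits: list = field(default_factory=list)  # paths that answered 200: exposed installs


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log lines into dicts keyed by the #Fields names.
    Column order comes from the #Fields directive, because IIS sites can log
    different field sets; a hard-coded layout would silently misalign them."""
    fields: Optional[List[str]] = None
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date carry no request data
        if fields is None:
            raise ValueError("log data appeared before a #Fields directive")
        values = line.split(" ")  # IIS writes '+' for spaces inside a field
        if len(values) != len(fields):
            continue  # truncated or corrupt line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def is_roundcube_probe(rec: Dict[str, str]) -> bool:
    """Match on the probed path as well as the user agent: the UA string is
    trivial for the scanner to change, the list.js path is what it needs."""
    ua = rec.get("cs(User-Agent)", "-").replace("+", " ")
    return ua == TOATA_UA or rec.get("cs-uri-stem", "").endswith(TARGET_SUFFIX)


def find_probes(lines: Iterable[str]) -> List[Probe]:
    """Return every request in the log that looks like a RoundCube scan."""
    return [
        Probe(time=f"{r['date']} {r['time']}", client_ip=r["c-ip"],
              path=r["cs-uri-stem"], user_agent=r["cs(User-Agent)"].replace("+", " "),
              status=int(r["sc-status"]))
        for r in parse_w3c(lines) if is_roundcube_probe(r)
    ]


def summarize(probes: Iterable[Probe]) -> Dict[str, SourceSummary]:
    """Group probes by source IP. A 200 on any path means the scanner has
    found a reachable RoundCube install, which is the event worth alerting on."""
    by_ip: Dict[str, SourceSummary] = defaultdict(SourceSummary)
    for p in probes:
        s = by_ip[p.client_ip]
        s.requests += 1
        s.paths.add(p.path)
        s.toata_ua = s.toata_ua or p.user_agent == TOATA_UA
        if p.status == 200:
            s.hits.append(p.path)
    return dict(by_ip)


if __name__ == "__main__":
    for ip, s in summarize(find_probes(SAMPLE_LOG.splitlines())).items():
        verdict = "EXPOSED " + ", ".join(s.hits) if s.hits else "probed only"
        print(f"{ip}: {s.requests} requests over {len(s.paths)} paths, "
              f"toata_ua={s.toata_ua}: {verdict}")
```

Run against the commenter's log above, every line would be grouped under 85.114.140.127 with toata_ua set and no hits: each response there is a 500 with substatus 19, which IIS 7 uses for invalid configuration data, not a served file, so the scanner learned nothing about a RoundCube install on that host. The second source in SAMPLE_LOG (198.51.100.99) shows why the path match matters: it asks for the same file with an ordinary browser user agent and would be missed by a rule keyed on the Toata string alone.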