More Toata Scans for a New RoundCube File

Last night, HITME began to pick up various sources scanning for a new file in the RoundCube Webmail product. The file “list.js” is being scanned for by the Toata bot and low levels of port 80 scans matching these probes are ongoing. SANS and the project owners have been informed.

No exploitation has been observed by us thus far in relationship to these scans, but cataloging is ongoing. Intent of the attacker is currently unknown, as is the vulnerability, if any, present in the file.

Following are the signatures captured from one host:

XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:41 on port 80

Alert Data: GET /rc/program/js/list.js HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Toata dragostea mea pentru diavola

Host: xx.xx.xx.xx

Connection: Close

XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:39 on port 80

Alert Data: GET /roundcubemail/program/js/list.js HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Toata dragostea mea pentru diavola

Host: xx.xx.xx.xx

Connection: Close

XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:38 on port 80

Alert Data: GET /roundcube/program/js/list.js HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Toata dragostea mea pentru diavola

Host: xx.xx.xx.xx

Connection: Close

XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:36 on port 80

Alert Data: GET /webmail/program/js/list.js HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Toata dragostea mea pentru diavola

Host: xx.xx.xx.xx

Connection: Close

XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:35 on port 80

Alert Data: GET /email/program/js/list.js HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Toata dragostea mea pentru diavola

Host: xx.xx.xx.xx

Connection: Close

Once again, users of RoundCube Webmail are urged to ensure they are doing additional levels of monitoring, staying current on all patches/updates and taking other precautions. Consider removing RoundCube from Internet exposure until these and other ongoing issues are mitigated.

1 thought on “More Toata Scans for a New RoundCube File

  1. I have been getting HTTP requests like this too. Here’s my IIS log. (My server is not referanced anywhere on the internet, so the IP should not be known).

    #Software: Microsoft Internet Information Services 7.5
    #Version: 1.0
    #Date: 2009-03-02 21:31:37
    #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
    2009-03-02 21:31:37 192.168.1.94 GET /program/js/list.js – 80 – 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 64 6335
    2009-03-02 21:31:37 192.168.1.94 GET /rc/program/js/list.js – 80 – 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 277
    2009-03-02 21:31:37 192.168.1.94 GET /roundcube/program/js/list.js – 80 – 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 211
    2009-03-02 21:31:37 192.168.1.94 GET /roundcube-0.1/program/js/list.js – 80 – 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 211
    2009-03-02 21:31:39 192.168.1.94 GET /roundcube-0.1.1/program/js/list.js – 80 – 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 214
    2009-03-02 21:31:39 192.168.1.94 GET /roundcubemail/program/js/list.js – 80 – 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 207
    2009-03-02 21:31:39 192.168.1.94 GET /roundcubemail-0.1/program/js/list.js – 80 – 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 231
    2009-03-02 21:31:40 192.168.1.94 GET /roundcubemail-0.1.1/program/js/list.js – 80 – 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 208
    2009-03-02 21:31:40 192.168.1.94 GET /cube/program/js/list.js – 80 – 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 207
    2009-03-02 21:31:40 192.168.1.94 GET /mail/program/js/list.js – 80 – 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 211
    2009-03-02 21:31:41 192.168.1.94 GET /mail2/program/js/list.js – 80 – 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 219
    2009-03-02 21:31:41 192.168.1.94 GET /webmail/program/js/list.js – 80 – 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 208
    2009-03-02 21:31:41 192.168.1.94 GET /email/program/js/list.js – 80 – 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 209
    2009-03-02 21:34:09 192.168.1.94 GET /program/js/list.js – 80 – 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 208
    2009-03-02 21:34:10 192.168.1.94 GET /rc/program/js/list.js – 80 – 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 209
    2009-03-02 21:34:10 192.168.1.94 GET /roundcube/program/js/list.js – 80 – 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 206
    2009-03-02 21:34:10 192.168.1.94 GET /roundcube-0.1/program/js/list.js – 80 – 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 207
    2009-03-02 21:34:11 192.168.1.94 GET /roundcube-0.1.1/program/js/list.js – 80 – 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 207
    2009-03-02 21:34:11 192.168.1.94 GET /roundcubemail/program/js/list.js – 80 – 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 216
    2009-03-02 21:34:11 192.168.1.94 GET /roundcubemail-0.1/program/js/list.js – 80 – 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 212
    2009-03-02 21:34:12 192.168.1.94 GET /roundcubemail-0.1.1/program/js/list.js – 80 – 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 208
    2009-03-02 21:34:12 192.168.1.94 GET /cube/program/js/list.js – 80 – 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 237
    2009-03-02 21:34:12 192.168.1.94 GET /mail/program/js/list.js – 80 – 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 220
    2009-03-02 21:34:13 192.168.1.94 GET /mail2/program/js/list.js – 80 – 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 208
    2009-03-02 21:34:13 192.168.1.94 GET /webmail/program/js/list.js – 80 – 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 212
    2009-03-02 21:34:13 192.168.1.94 GET /email/program/js/list.js – 80 – 85.114.140.127 Toata+dragostea+mea+pentru+diavola 500 19 33 207

Leave a Reply