Security issue (possible?) (was: RE: Unknown user in users table, very odd, possible security hole)


Security issue (possible?) (was: RE: Unknown user in users table, very odd, possible security hole)

Jorge Bastos

ALEC!!!!!!!

There's some security problem in RC, I believe!

Check this:

Feb  9 01:46:44 fastweb roundcube: <ibj96bvb> Successful login for [hidden email] (ID: 100412) from 110.136.11.0 in session ibj96bvbj5akqlt5slpc47ikfb

This user doesn't belong to any of the IMAP accounts; how was he able to log in?

After the login, there are some login-failed lines:

Feb  9 02:47:27 fastweb roundcube: <ibj96bvb> IMAP Error: Login failed for [hidden email] from 110.136.11.0. Empty startup greeting (mail.adhigunaputera.com:143) in /home/hosting/dhosting.pt/webmail/program/lib/Roundcube/rcube_imap.php on line 196 (POST /webmail/?_task=mail&_action=refresh)

Feb  9 02:48:37 fastweb roundcube: <ibj96bvb> IMAP Error: Login failed for [hidden email] from 110.136.11.0. Empty startup greeting (mail.adhigunaputera.com:143) in /home/hosting/dhosting.pt/webmail/program/lib/Roundcube/rcube_imap.php on line 196 (POST /webmail/?_task=mail&_action=refresh)

Feb  9 02:49:47 fastweb roundcube: <ibj96bvb> IMAP Error: Login failed for [hidden email] from 110.136.11.0. Empty startup greeting (mail.adhigunaputera.com:143) in /home/hosting/dhosting.pt/webmail/program/lib/Roundcube/rcube_imap.php on line 196 (POST /webmail/?_task=mail&_action=refresh

(funny, the IP is the network IP)

What's the best place to move forward with the investigation of this issue, here or the dev list?

Could you assist me on this?

Thank you in advance,

From: [hidden email] [mailto:[hidden email]] On Behalf Of Hannu Hirvonen
Sent: 8 February 2018 20:43
To: [hidden email]
Subject: Re: [RCU] Unknown user in users table, very odd, possible security hole

On 08.02.2018 22:34, Jorge Bastos wrote:

> Not in there, but you reminded me about:
>
> // Log successful/failed logins to <log_dir>/userlogins or to syslog

That's why I said "something like ...", might have been a bit clearer, of course :-)

-- 
  Hannu Hirvonen ([hidden email], http://www.uwasa.fi/~hh/)
  Computer Centre, University of Vaasa, BOX 700, FI-65101 VAASA, Finland

_______________________________________________
Roundcube Users mailing list
[hidden email]
http://lists.roundcube.net/mailman/listinfo/users
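A triage step that the log lines in the post above invite, as an added example that is not part of the thread: with a dynamic IMAP host the "Successful login" line alone does not say which server accepted the password, but the later "IMAP Error" lines of the same session carry that host in parentheses. The script below (PHP, since that is what a Roundcube administrator has at hand) joins the two by session id and lists every session that authenticated against a host that is not one of the operator's own. The log is constructed after the posted lines: the address, the second session and mail.example.com (standing in for the operator's own IMAP host) are made up.

```php
<?php
// Added example, not from the thread: correlate Roundcube userlogins/syslog
// lines by session id so each "Successful login" is shown next to the IMAP
// host that session later talked to. Constructed sample log; only the hosts
// in $own_hosts count as the operator's own servers.

$own_hosts = array('mail.example.com');   // constructed placeholder

$sample_log = <<<'LOG'
Feb  9 01:46:44 fastweb roundcube: <ibj96bvb> Successful login for someone@adhigunaputera.com (ID: 100412) from 110.136.11.0 in session ibj96bvbj5akqlt5slpc47ikfb
Feb  9 02:47:27 fastweb roundcube: <ibj96bvb> IMAP Error: Login failed for someone@adhigunaputera.com from 110.136.11.0. Empty startup greeting (mail.adhigunaputera.com:143) in /var/www/webmail/program/lib/Roundcube/rcube_imap.php on line 196 (POST /webmail/?_task=mail&_action=refresh)
Feb  9 03:12:05 fastweb roundcube: <q7d0zk1p> Successful login for alice@example.com (ID: 12) from 198.51.100.7 in session q7d0zk1pabcdefghijklmnopqr
Feb  9 03:40:11 fastweb roundcube: <q7d0zk1p> IMAP Error: Login failed for alice@example.com from 198.51.100.7. Empty startup greeting (mail.example.com:143) in /var/www/webmail/program/lib/Roundcube/rcube_imap.php on line 196 (POST /webmail/?_task=mail&_action=refresh)
LOG;

/**
 * Build one record per Roundcube session: user, client IP and the IMAP
 * host(s) named in that session's "IMAP Error" lines (host => port).
 */
function sessions_from_log($log)
{
    $sessions = array();
    foreach (preg_split('/\R/', $log) as $line) {
        if (preg_match('/<(\w+)> Successful login for (\S+) \(ID: (\d+)\) from (\S+) in session/', $line, $m)) {
            $sessions[$m[1]] = array('user' => $m[2], 'uid' => (int) $m[3],
                                     'client_ip' => $m[4], 'imap_hosts' => array());
        }
        elseif (preg_match('/<(\w+)> IMAP Error: Login failed for (\S+) from .*?\(([^():\s]+):(\d+)\)/', $line, $m)) {
            // An error line may precede its login line in a rotated log; create the record on demand.
            if (!isset($sessions[$m[1]])) {
                $sessions[$m[1]] = array('user' => $m[2], 'uid' => null,
                                         'client_ip' => '?', 'imap_hosts' => array());
            }
            $sessions[$m[1]]['imap_hosts'][strtolower($m[3])] = (int) $m[4];
        }
    }
    return $sessions;
}

/** Keep only sessions that talked to an IMAP host outside $own_hosts. */
function foreign_sessions(array $sessions, array $own_hosts)
{
    $own = array_map('strtolower', $own_hosts);
    return array_filter($sessions, function ($s) use ($own) {
        foreach (array_keys($s['imap_hosts']) as $host) {
            if (!in_array($host, $own, true)) {
                return true;
            }
        }
        return false;
    });
}

$sessions = sessions_from_log($sample_log);
foreach (foreign_sessions($sessions, $own_hosts) as $sid => $s) {
    printf("session %s: %s from %s authenticated against %s (not our server)\n",
        $sid, $s['user'], $s['client_ip'], implode(', ', array_keys($s['imap_hosts'])));
}
```

Run it with `php triage.php` (or feed `file_get_contents('/path/to/userlogins')` instead of the constructed string). A session that has a "Successful login" line but no later IMAP error line cannot be classified this way, since Roundcube's login line does not record the host; that gap is what the allow-list plugin further down closes on the server side.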

Re: Security issue (possible?) (was: RE: Unknown user in users table, very odd, possible security hole)

Jorge Bastos

Ok, another login just right now:

Feb  9 09:25:41 fastweb roundcube: <sm6djv7v> Successful login for [hidden email] (ID: 100412) from 110.136.11.0 in session sm6djv7vh6oplo694nff7ng2rp

Alec, can you help debug this?

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of Jorge Bastos
Sent: 9 February 2018 09:18
To: 'Roundcube Users mailing list' <[hidden email]>
Subject: [RCU] Security issue (possible?) (was: RE: Unknown user in users table, very odd, possible security hole)


Re: Security issue (possible?) (was: RE: Unknown user in users table, very odd, possible security hole)

Computerisms Corporation
Did you check if there is a matching logon on your IMAP server? Maybe
enable password logging if you can and log in as his user and see what
he sees? Did you confirm that your Roundcube is configured to use the
correct IMAP server?

On 2018-02-09 01:33 AM, Jorge Bastos wrote:

> Ok, another login just right now:
>
> Feb  9 09:25:41 fastweb roundcube: <sm6djv7v> Successful login for
> [hidden email] (ID: 100412) from 110.136.11.0 in session
> sm6djv7vh6oplo694nff7ng2rp
>
> Alec, can you help debugging this?

Re: Security issue (possible?) (was: RE: Unknown user in users table, very odd, possible security hole)

Jorge Bastos
> did you check if there is a matching logon on your imap server?
Yes, the domains that I'm referring to are not hosted here, but somewhere else.

> maybe
> enable password logging if you can and log in as his user and see what
> he sees?
Hmm, which setting is this? I can't find anything for logs related to passwords.

> did you confirm that your roundcube is configured to use the
> correct imap server?
Well yes, but now I'm thinking: I have the IMAP server set to be dynamic;
it's filled with:

mail. + domain.tld

OK, this option in Roundcube is grrreeeaaattt, but I think it makes people
use my server for webmail! Damn!

How would I tell Roundcube to connect just to my IPs?
I could do this via iptables, but if some shared-hosting user wants to
connect to any IMAP server he would be blocked.

> -----Original Message-----
> From: Computerisms Corporation [mailto:[hidden email]]
> Sent: Friday, 9 February 2018 17:13
> To: Roundcube Users mailing list; Jorge Bastos
> Subject: Re: [RCU] Security issue (possible?) (was: RE: Unknown user in
> users table, very odd, possible security hole)
>
> did you check if there is a matching logon on your imap server?  maybe
> enable password logging if you can and log in as his user and see what
> he sees?  did you confirm that your roundcube is configured to use the
> correct imap server?

Re: Security issue (possible?) (was: RE: Unknown user in users table, very odd, possible security hole)

A.L.E.C
On 02/09/2018 09:28 PM, Jorge Bastos wrote:

> Well yes, but now i'm thinking, i have the imap server set to be dynamic
> it's filled with:
>
> mail. + domain.tld
>
> ok this option in Roundcube is grrreeeaaattt, but I think it makes people
> use my server for webmail! Damn!
>
> How would I tell Roundcube, to connect just to my ip's?
> I could do this via iptables but is some shared hosting user wants to
> connect to any imap server he would be blocked

You have a few options to deal with this:

default_host
username_domain
username_domain_forced
login_username_filter
trusted_host_patterns

How to use them will depend on what you want to achieve and your environment. You can
always create a plugin that checks the host before connecting to it.

--
Aleksander 'A.L.E.C' Machniak
Kolab Groupware Developer         [http://kolab.org]
Roundcube Webmail Developer   [http://roundcube.net]
----------------------------------------------------
PGP: 19359DC1 # Blog: https://kolabian.wordpress.com

Re: Security issue (possible?) (was: RE: Unknown user in users table, very odd, possible security hole)

Jorge Bastos
Alec,

> On 02/09/2018 09:28 PM, Jorge Bastos wrote:
> > Well yes, but now i'm thinking, i have the imap server set to be
> > dynamic it's filled with:
> >
> > mail. + domain.tld
>
> You have a few options to deal with this
>
> default_host
> username_domain
> username_domain_forced
> login_username_filter
> trusted_host_patterns
>

What I want to achieve is this: mail. + domain.tld will resolve to two IPs
(e.g. 1.1.1.1 and 2.2.2.2), and I want Roundcube not to connect to anything
other than one of these.

Would this be achievable?

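One way to get what the last post asks for, along the lines of Alec's suggestion to "create a plugin that checks the host before connecting to it": the plugin below is an added example written for this thread, not code from the Roundcube project. It hooks `authenticate`, resolves the IMAP host Roundcube is about to use, and refuses the login (with a line in the userlogins log) unless every address the host resolves to is on an administrator-maintained list. Assumptions: the `authenticate` hook receives the IMAP host in `$args['host']` after `default_host` placeholders such as `%s` have been substituted (possibly with scheme and port), and honours `$args['abort']` and `$args['error']` as described in the plugin API; the config key `imap_host_allowlist` is the plugin's own (hypothetical) setting, and `1.1.1.1` / `2.2.2.2` are the placeholder addresses from the post.

```php
<?php
/**
 * imap_host_allowlist - added example plugin for this thread, not part of Roundcube.
 *
 * Refuses a login unless the IMAP host Roundcube is about to connect to resolves
 * only to addresses on an allow-list. Install as
 * plugins/imap_host_allowlist/imap_host_allowlist.php and add
 * 'imap_host_allowlist' to $config['plugins']; the list itself goes into
 * $config['imap_host_allowlist'] (hypothetical key) in the plugin's config.inc.php.
 */
class imap_host_allowlist extends rcube_plugin
{
    public $task = 'login';   // only needed while logging in

    public function init()
    {
        $this->load_config();  // reads plugins/imap_host_allowlist/config.inc.php if present
        $this->add_hook('authenticate', array($this, 'check_imap_host'));
    }

    public function check_imap_host($args)
    {
        $rcmail  = rcmail::get_instance();
        // Constructed defaults: the two placeholder addresses from the post.
        $allowed = (array) $rcmail->config->get('imap_host_allowlist', array('1.1.1.1', '2.2.2.2'));

        $host = self::hostname($args['host']);
        $ips  = self::resolve($host);
        $bad  = array_diff($ips, $allowed);   // strict: every resolved address must be allowed

        if ($host === '' || !$ips || $bad) {
            rcube::write_log('userlogins', sprintf(
                'Refused login for %s from %s: IMAP host "%s" resolves to [%s], not on allow-list',
                $args['user'], rcube_utils::remote_ip(), $host, implode(',', $ips)));
            $args['abort'] = true;                                   // cancel before any IMAP connection
            $args['error'] = 'The mail server for this account is not served here'; // hypothetical message
        }
        return $args;
    }

    /** Strip scheme and port: ssl://mail.example.com:993 -> mail.example.com */
    public static function hostname($host)
    {
        if (!is_string($host) || $host === '') {
            return '';
        }
        if (strpos($host, '://') === false) {
            $host = 'imap://' . $host;   // lets parse_url handle a bare "host:port"
        }
        $parts = parse_url($host);
        return isset($parts['host']) ? strtolower($parts['host']) : '';
    }

    /** Resolve a name to its A/AAAA addresses; a literal IP is returned as-is. */
    public static function resolve($host)
    {
        if ($host === '') {
            return array();
        }
        if (filter_var($host, FILTER_VALIDATE_IP)) {
            return array($host);
        }
        $ips = array();
        foreach ((array) dns_get_record($host, DNS_A | DNS_AAAA) as $rr) {
            if (isset($rr['ip']))   { $ips[] = $rr['ip']; }
            if (isset($rr['ipv6'])) { $ips[] = strtolower($rr['ipv6']); }
        }
        return array_values(array_unique($ips));
    }
}
```

The check runs before Roundcube opens any IMAP connection, so a refused login never reaches the foreign server and leaves an explicit line in userlogins saying why; an iptables rule, by contrast, only drops the socket after Roundcube has already decided to try. Requiring all resolved addresses to be on the list (rather than at least one) is the conservative choice, because PHP picks which address to connect to, not the plugin. Shared-hosting users whose domains point at the listed addresses are unaffected.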