Roundcube Webmail Scanning

I’ve been watching this for a couple of weeks now. I saw some initial requests to look at some data to discover what they may be after. I’ve seen some data about known attack vectors, but I haven’t seen what may be going on with the new “msgimport” function and any attacks against that. It’s possible that the “msgimport” URI is just a distinct marker for Roundcube; it may also have a vulnerability I didn’t see in my cursory static analysis of the code.

In a message entitled Security update for 0.2-beta dated December 16, the authors fixed a couple of bugs. One allowed for a DoS by chewing up disk space, while the other allowed for code injection via the HTML conversion script “html2text”. Neither mentions the scanned-for script, “msgimport”. Looking over the Roundcube SVN pages I don’t see anything there, either.

So, I have a couple of weeks of logs to dig into … a bunch of scans. Where are they coming from? Not surprisingly, mostly the US according to this WWW server.

[Figure: world map of scanners]

In this map, red shows the most serious source of scanners, blue is the least, and purple is in the middle. This may be more clear using a different representation of the data, a pie graph.

ATLAS sees it a bit differently, though:

Country, Country Name, Attacks per subnet, Percent Total
CH, "Switzerland", 0.24, 78.1%
GB, "Great Britain", 0.06, 20.6%
US, "United States", 0.00, 1.2%
FR, "France", 0.00, 0.1%
Other, N/A, 0.00, 0.0%

In ATLAS this is not a major source of attacks, however.

Scans by day starting January 1 of this year show no obvious signs. It doesn’t seem to be slowing or growing; it just seems to be a new background attack.

Finally, and perhaps most revealing, we can see what they’re scanning for. The “msgimport” script is the most popular, but the JS file “list.js” is also being scanned for. I quickly looked that over but didn’t see anything worrisome there; I may have missed something.
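The per-target, per-day and per-source tallies described above can be reproduced from an ordinary access log. The following is an added example, not code from the original post: the log lines, addresses and directory prefixes are constructed, and matching on the last path component is an assumption about how to recognise the two scanned-for names.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote, urlsplit

# Names from the post; matched against the last path component only.
MARKERS = ("msgimport", "list.js")

# Common Log Format prefix: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation address ranges, made-up paths).
SAMPLE_LOG = """\
192.0.2.10 - - [03/Jan/2009:04:12:55 +0000] "GET /roundcube/bin/msgimport HTTP/1.1" 404 209
192.0.2.10 - - [03/Jan/2009:04:12:56 +0000] "GET /webmail/bin/msgimport HTTP/1.1" 404 207
198.51.100.7 - - [03/Jan/2009:09:30:01 +0000] "GET /mail/program/js/list.js HTTP/1.1" 404 214
203.0.113.44 - - [04/Jan/2009:17:02:13 +0000] "GET /rc/bin/%6dsgimport?x=1 HTTP/1.0" 404 203
203.0.113.44 - - [04/Jan/2009:17:05:40 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [05/Jan/2009:00:00:09 +0000] "GET /blog/playlist.js HTTP/1.1" 200 880
garbage line that is not a log entry
"""

def marker_for(target):
    """Return the marker a request target hits, or None."""
    # Drop the query string and decode %-escapes before comparing names.
    leaf = unquote(urlsplit(target).path).lower().rsplit("/", 1)[-1]
    for marker in MARKERS:
        # Exact name, or name plus an extension (e.g. "msgimport.sh").
        if leaf == marker or leaf.startswith(marker + "."):
            return marker
    return None

def summarize(log_text):
    """Count probe requests by marker, by day and by source address."""
    by_marker, by_day, by_source = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        hit = LINE_RE.match(line)
        marker = marker_for(hit["target"]) if hit else None
        if marker is None:
            continue  # unparseable line or unrelated request
        day = datetime.strptime(hit["ts"], "%d/%b/%Y:%H:%M:%S %z").date()
        by_marker[marker] += 1
        by_day[day.isoformat()] += 1
        by_source[hit["ip"]] += 1
    return by_marker, by_day, by_source

if __name__ == "__main__":
    print(*summarize(SAMPLE_LOG), sep="\n")
```

Comparing only the decoded last path component keeps unrelated files such as "playlist.js" out of the counts while still catching percent-encoded variants of the probe.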

In short, something may be going on but I don’t know what it is.