MyBB Community Forums

Full Version: DirectAdmin & Roundcube Warning - Worm spreading from server to server!
Hey All,

I thought I would share something with you all. Recently one of the servers I am hosted on got infected with a rather nasty worm. This worm managed to eat up almost all of the server's available memory, causing the memory limit to be reached and access to my sites disrupted. My friend who is also the server owner got it cleaned up in no time, but I thought I would post here because others in the MyBB Community may be at risk or already infected, especially as this is a self-spreading worm. The worm's main goal seems to be to cause a Denial of Service (DoS) attack on another server.

The worm affects the DirectAdmin control panel for users who have Roundcube webmail enabled on the server. More details:

Quote: Roundcube Webmail Exploit

Hello everyone,

We have recently received a very large number of port scanning complaints on our Dallas network and upon investigation this is due to an exploit in the Roundcube Webmail application.

This exploit has been documented at the following locations:

http://blog.rayboy.org/wcube-roundcube-v...08jan2009/
http://www.webhostingtalk.com/showthread.php?t=748555
http://directadmin.com/forum/showthread.php?p=147661

If you are running DirectAdmin, this seems to be isolated to you. At this time we have not found any complaints of this running under cPanel or LxAdmin.

We ask that all DirectAdmin users please login to your VPS/dedicated servers as soon as possible. Upon logging in, you will need to check for any files within your tmp directory by the name of wcube or the like. If your VPS contains any of these files, you are affected by this.

The vulnerability basically allowed an unauthorized individual to download and execute a script within your server. This script basically creates a Denial of Service attack on another server.

This situation must be handled as soon as possible. To rectify this problem, if you are infected, you will need to kill the wcube processes and remove the files found. To do this, when logged into SSH you will execute the following:

killall -9 wcube
rm -rf /tmp/wcube*

It is then advised that you fully remove/disable roundcube from your servers until a patch is released. To do this, please use the following instructions:

http://www.directadmin.com/forum/showpos...ostcount=7

This is a very serious matter and if not taken care of could result in mandatory suspension of your server to prevent any further damage from being done.

This is not exclusive to our network as outlined in the links provided. If you have servers elsewhere, please take this information and proceed with the same steps to ensure your container is secured.

If you require assistance to perform the necessary actions, please contact our support desk.

Again, this is a very serious matter and could result in mandatory suspension for the integrity of our network if not handled properly.

Have a wonderful evening and please contact us for assistance if needed.

Best regards,
Daniel Stephens
-------------------

Roundcube Exploit

This is just a quick followup of the Roundcube exploit...

If you notice a vast number of wssh processes running within your server, YOU ARE AFFECTED. This process is the DoS daemon used by the exploit. When the wcube is completed with its tasks, it creates this process and proceeds to DoS other servers and spread the exploit.

We ask that ALL Roundcube users remove it ASAP. Please open a ticket for assistance. This is a massive exploit and we have already identified roughly 40 containers by a quick sweep for the wcube files.

If you have not been affected yet, you most likely will. This exploit is spreading rapidly and must be remedied. At this time we have only identified it with DirectAdmin, but it may be smart to disable Roundcube if you utilize other panels as well.

Best regards,
Daniel Stephens

If you've got a dedi or VPS server running DirectAdmin it would be best to disable Roundcube. This may also affect users running roundcube on other control panels such as CPanel, but I haven't heard any reports of this as of yet.

Symptoms of the worm would be those mentioned above as well as excessive memory usage or memory errors being thrown for applications such as MyBB.

Hope it helps,
BMR777
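As an added example (not from the notice above, nor from the DirectAdmin or Roundcube projects), here is a small POSIX shell triage helper that only reports the indicators the notice names, wcube* files under /tmp and wcube or wssh processes, so an operator can decide on the cleanup steps quoted above. The function names and the optional saved ps output file are my own construction.

```shell
#!/bin/sh
# Report-only triage for the indicators in the notice: /tmp/wcube* files and
# wcube / wssh processes. Assumed names; it removes and kills nothing.

# check_tmp_indicators DIR: list wcube* files under DIR (default /tmp).
# Returns 0 when at least one is present, 1 when none.
check_tmp_indicators() {
    dir="${1:-/tmp}"
    rc=1
    for f in "$dir"/wcube*; do
        [ -e "$f" ] || continue          # the glob matched nothing
        printf 'suspicious file: %s\n' "$f"
        rc=0
    done
    return "$rc"
}

# count_procs NAME [PSFILE]: number of processes whose command name is exactly NAME.
# PSFILE is an optional saved copy of `ps -eo comm=` output, which lets the check
# run against a constructed sample offline (used in the test below).
count_procs() {
    if [ -n "$2" ]; then
        grep -cx -- "$1" "$2" || true    # grep exits 1 on zero matches but still prints 0
    else
        ps -eo comm= | grep -cx -- "$1" || true
    fi
}

# triage DIR [PSFILE]: print a summary; return 0 if clean, 1 if any indicator is found.
triage() {
    infected=0
    check_tmp_indicators "$1" && infected=1
    wcube=$(count_procs wcube "$2")
    wssh=$(count_procs wssh "$2")
    printf 'wcube processes: %s, wssh processes: %s\n' "$wcube" "$wssh"
    [ "$wcube" -gt 0 ] && infected=1
    [ "$wssh" -gt 0 ] && infected=1
    if [ "$infected" -eq 1 ]; then
        echo 'INFECTED: follow the notice (kill wcube, remove /tmp/wcube*, disable Roundcube)'
        return 1
    fi
    echo 'clean: no wcube files and no wcube/wssh processes'
    return 0
}
```

Run `triage` with no arguments on a live host to check the real /tmp and process list; the notice's own kill and rm steps remain a manual decision after reviewing the output.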
Wow, that sucks. Luckily I don't run a VPS. Smile
Wasn't this patched almost a week ago by the DA team?
(2009-01-13, 11:38 PM) KuJoe Wrote: Wasn't this patched almost a week ago by the DA team?

I don't believe so but roundcube has now patched it Wink.

And I just noticed you're using the same people I am for my VPS Toungue.
(2009-01-14, 01:28 AM) NetSage Wrote:
(2009-01-13, 11:38 PM) KuJoe Wrote: Wasn't this patched almost a week ago by the DA team?

I don't believe so but roundcube has now patched it Wink.

Good to hear. Smile
(2009-01-13, 10:01 PM) Dalton Wrote: Wow, that sucks. Luckily I don't run a VPS. Smile
Lucky I don't run a control panel Toungue
(2009-01-14, 03:03 AM) Yumi Wrote:
(2009-01-13, 10:01 PM) Dalton Wrote: Wow, that sucks. Luckily I don't run a VPS. Smile
Lucky I don't run a control panel Toungue

Same. Smile
Well this sucks.

I want a VPS.

Good thing I don't have one at the moment though.
I wouldn't mind not having a control panel but my clients would. Sad
I think I would use my VPS as a gaming server.