Reader Nathan who sent us information about the Roundcube html2text.php vulnerability last week (see our previous diary here) has written in again about a new scan he is seeing for the "msgimport" binary included with Roundcube.  Nathan writes:

In regard to the Roundcube vulnerability it appears that attackers are now actively scanning for the presence of Roundcube with a specific user agent. It may be possible to craft a mod_security or fail2ban rule to match against this user agent. Two separate users have reported the scanning as well on separate ARIN netblocks. I have seen these scans first-hand on my webserver. Scans appear to originate from 87.233.128.0/18 with specific allocation details of "Assigned to customer 504". I don't think customer 504 is very nice :)

The User-Agent is in Romanian and translates, "All my love for the devil girl". Do you have any additional information regarding this user-agent and/or the specific vulnerability relating to msgimport? This does not appear to be the same vulnerability regarding code execution in html2text.php. I don't have additional behavior from the clients in the logs due to fail2ban taking action (HTTP 403 on connections without a host-header w/immediate fail2ban). Googling shows that scanning for this vulernability appears to have started around Dec 20th.

default 87.233.139.98 - - [29/Dec/2008:15:52:57 -0600] "GET HTTP/1.1 HTTP/1.1" 400 226 "-" "Toata dragostea mea pentru diavola"
default 87.233.139.98 - - [29/Dec/2008:15:52:57 -0600] "GET /roundcube//bin/msgimport HTTP/1.1" 403 226 "-" "Toata dragostea mea pentru diavola"

87.233.180.109 - - [30/Dec/2008:14:03:28 -0600] "GET /roundcube//bin/msgimport HTTP/1.1" 404 291 "-" "Toata dragostea mea pentru diavola"

Nathan, thanks for the information about the scanning and have a happy New Year.

David Goldsmith