Update: It’s worse than I thought. I assumed that there was a vulnerability in html2text.php that allowed them to send email, but no, they used a vulnerability in html2text.php to download malicious code, and install something called “mock” in /tmp/.m and a script called “c” in /tmp/send. There were several copies of “c” running just now, when I ssh’ed in from my Treo to delete the files, kill the processes, and restart Apache. This is the first time I’d had malicious code installed on my system in over 15 years of running Linux. I feel so dirty.
As I was getting ready for bed, I chanced to look at my mail queue on munin, only to discover that some time yesterday, my outgoing mail queue was up to over 2500 messages, which is 10 times higher than I’ve ever seen it before. Oh oh, must be a spam run, I thought. It was worse than I thought – it wasn’t blowback from spam being sent out in my name, it was OUTGOING.
It took the last half an hour to find the culprit – RoundCube web mail that I installed soon after I started work at Paychex because I couldn’t ssh home to read my mail with mutt. I don’t know if I missed a patch or what, but there were a whole bunch of hits on “POST /webmail//bin/html2text.php”. I’ve removed it. I guess I’m in the market for a good secure web mail system again.
Hopefully I didn’t get marked as a spammer on too many sites.
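A small detector for the access-log pattern described above, added here as an example and not code from the post: it parses combined-format log lines (the regex is this example's own minimal parser), flags every POST to html2text.php regardless of doubled slashes, and counts hits per source address. The log lines are constructed for the example.

```python
import re
from collections import Counter

# Minimal parser for the Apache/nginx combined log format (written for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines modelled on the "POST /webmail//bin/html2text.php" hits in the post.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2009:23:41:02 -0500] "POST /webmail//bin/html2text.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Jan/2009:23:41:03 -0500] "POST /webmail//bin/html2text.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Jan/2009:23:42:10 -0500] "POST /webmail/bin/html2text.php HTTP/1.1" 200 498 "-" "curl/7.18"
192.0.2.9 - - [10/Jan/2009:23:43:00 -0500] "GET /webmail/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2009:23:43:05 -0500] "POST /webmail/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def normalize_path(path: str) -> str:
    """Collapse repeated slashes and drop any query string, so /webmail//bin/x.php
    and /webmail/bin/x.php?a=1 compare equal."""
    return re.sub(r'/{2,}', '/', path.split('?', 1)[0])


def find_html2text_posts(log_text: str):
    """Return (ip, timestamp, raw_path) for every POST aimed directly at html2text.php.

    Normal RoundCube use goes through index.php; a direct POST to a helper script
    under /bin/ is the anomaly the post describes."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if m['method'] == 'POST' and normalize_path(m['path']).endswith('/bin/html2text.php'):
            hits.append((m['ip'], m['ts'], m['path']))
    return hits


def count_by_source(hits):
    """Aggregate hits per client address so the noisiest sources stand out."""
    return Counter(ip for ip, _, _ in hits)


if __name__ == '__main__':
    found = find_html2text_posts(SAMPLE_LOG)
    for ip, n in count_by_source(found).most_common():
        print(f'{ip}: {n} POST(s) to html2text.php')
```

On a real server, feed it the contents of the Apache access log instead of SAMPLE_LOG; any non-zero result is worth correlating with the mail queue and with unexpected files under /tmp.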
Have you considered simply sticking this sort of thing behind SSL+basic-auth? Not unbreakable obviously but it’d be enough to fend off most attackers and not much more annoying to use than webmail is to start.
There was an advisory for Roundcube around Christmas …
cheers
Or you could just upgrade Roundcube to the latest version, in which this is fixed.
http://www.heise-online.co.uk/security/RoundCube-vulnerability-allows-injection-of-arbitrary-scripting-code–/news/112330