Horde exploit / spam through u=cpanel

vasko

Member
Apr 29, 2006
Horde that comes with cPanel appears to be 3.0.5 and this version is vulnerable to some exploits. It stays 3.0.5 no matter what update I have run.

The problem caused by this old version is obvious - SPAM. There were a lot of spam e-mails sent through the cpanel users. I believe that Horde runs through the cpanel user, hence the reason why the cpanel user relayed so many e-mails....

Moreover - the available exploits are really - available, you don't need some serious knowledge to figure out how to use them.

To fix this, we simply updated to the latest version of Horde manually. The /tmp folder was already mounted with nosuid and noexec; in case some of you haven't done that - do it, or you will see 160K e-mails relayed through the cpanel user :)

I hope this helps someone.
 

jackie46

BANNED
Jul 25, 2005
Can you send us some proof, log files, access logs etc? I would be very interested to see your logs.
 

vasko

Member
Apr 29, 2006
There is not much to see. Here's a 'sample' : )


2006-05-14 15:59:09 1FfGBh-00028b-Cz <= [email protected] U=cpanel P=local S=1533 id=20060514155907.3vk6q[email protected]

A lot of entries like this one. Others were with forged e-mails, most of which were @yahoo.dk, @yahoo.it.

Another way to solve this, rather than a manual upgrade, is to replace the line below:

eval('$version = "' . ucfirst($module) . ' " . ' . String::upper($module) . '_VERSION;');

with

$version = String::ucfirst($module) . ' ' . constant(String::upper($module) . '_VERSION');

or just comment it. This should fix the problem without having to do an upgrade of Horde.

This change is for the index.php file found in /horde/services/help/.

The new version (3.1.10) does not have /help folder.
 

vasko

Member
Apr 29, 2006
Another solution -

/usr/local/cpanel/base/horde/config/conf.php

Edit this file and change this line from :

$conf['menu']['links']['help'] = 'all';

to

$conf['menu']['links']['help'] = 'none';

and then go to the /services/help/ folder of horde
and
chmod 000 index.php
 

cPanelBilly

Guest
Please remember in order to get to horde you have to be an authenticated user... so you could already send email.
 

4u123

Well-Known Member
PartnerNOC
Jan 2, 2006
I'm sorry to bump an old thread but I'm having a real problem with this. Someone is sending lots of spam out using horde but because the user id is cpanel, I don't know which user it is. Can anyone provide some tips on how to locate the account sending the email?

Edit...

I got this spammer by looking at the cpu usage in cpanel and noticed "webmail serving ip address" as a high process - the IP was in Ghana so that was a good start - then I searched the exim log for that ip address - it came up with the details of the spam message being sent out from the fraudulently purchased account.

Are there any more effective ways of doing this?
 
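The two questions in this thread (what the U=cpanel P=local log line from vasko's post means, and 4u123's question of how to find who is behind it) both come down to reading exim's mainlog "<=" arrival lines. The script below is an added example, not code from this thread, cPanel or Horde. It parses the arrival lines, counts envelope senders that were handed to exim as U=cpanel P=local (which is how webmail submits mail, so every Horde user looks the same to exim), flags senders that burst many messages in a short window, and looks up message ids by the remote IP recorded in H=...[ip] for SMTP submissions, which is the grep 4u123 did by hand. The log lines, the addresses and the IP 203.0.113.7 are constructed sample data; the window and threshold values are assumptions to tune for your server.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in exim mainlog "<=" (message arrival) format.
# They are not real log data from the thread.
SAMPLE_LOG = """\
2006-05-14 15:59:09 1FfGBh-00028b-Cz <= user1@example.com U=cpanel P=local S=1533 id=a1@example.com
2006-05-14 15:59:11 1FfGBj-00028d-Dx <= user1@example.com U=cpanel P=local S=1540 id=a2@example.com
2006-05-14 15:59:12 1FfGBk-00028f-Ez <= user1@example.com U=cpanel P=local S=1528 id=a3@example.com
2006-05-14 16:00:01 1FfGCV-00029a-Aa <= bob@example.org U=bob P=local S=2201 id=b1@example.org
2006-05-14 16:00:05 1FfGCZ-00029c-Bb <= spoof@yahoo.dk U=cpanel P=local S=1499 id=c1@example.com
2006-05-14 16:00:07 1FfGCb-00029e-Cc <= spoof@yahoo.it U=cpanel P=local S=1501 id=c2@example.com
2006-05-14 16:00:20 1FfGCq-00029g-Dd <= alice@example.net H=(mail.example.net) [203.0.113.7] P=esmtp S=3120 id=d1@example.net
"""

# timestamp, exim message id, "<=", envelope sender, then the remaining key=value fields
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<msgid>\S+) <= (?P<sender>\S+)(?P<rest>.*)$"
)


def parse_arrivals(log_text):
    """Return one dict per "<=" line; delivery (=>), completion and other lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        user = re.search(r"\bU=(\S+)", rest)     # local submitting user
        proto = re.search(r"\bP=(\S+)", rest)    # protocol: local, esmtp, ...
        size = re.search(r"\bS=(\d+)", rest)     # message size in bytes
        host_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", rest)  # remote IP in H=name [ip]
        records.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "msgid": m.group("msgid"),
            "sender": m.group("sender"),
            "user": user.group(1) if user else None,
            "proto": proto.group(1) if proto else None,
            "size": int(size.group(1)) if size else None,
            "ip": host_ip.group(1) if host_ip else None,
        })
    return records


def cpanel_local_senders(records):
    """Count envelope senders that were submitted as U=cpanel P=local (webmail submissions)."""
    return Counter(r["sender"] for r in records
                   if r["user"] == "cpanel" and r["proto"] == "local")


def burst_senders(records, window_seconds=60, threshold=3):
    """Senders with >= threshold webmail submissions inside any window of window_seconds.

    Returns {sender: peak count in a window}. Legitimate webmail users rarely
    send several messages per minute for long; a spammer through Horde does.
    """
    by_sender = defaultdict(list)
    for r in records:
        if r["user"] == "cpanel" and r["proto"] == "local":
            by_sender[r["sender"]].append(r["ts"])
    flagged = {}
    for sender, times in by_sender.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # slide the window start forward until it fits within window_seconds
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[sender] = max(flagged.get(sender, 0), count)
    return flagged


def messages_from_ip(records, ip):
    """Exim message ids whose arrival line records the given remote IP (the manual grep)."""
    return [r["msgid"] for r in records if r["ip"] == ip]


if __name__ == "__main__":
    recs = parse_arrivals(SAMPLE_LOG)
    print("webmail submissions per sender:", dict(cpanel_local_senders(recs)))
    print("bursting senders:", burst_senders(recs))
    print("messages from 203.0.113.7:", messages_from_ip(recs, "203.0.113.7"))
```

On a real server, feed it /var/log/exim_mainlog instead of SAMPLE_LOG. The envelope sender is not enough on its own when it is forged (the @yahoo.dk and @yahoo.it addresses in the thread), so the next step is to take the flagged exim message ids and pull the matching messages or Horde/Apache access-log entries from the same timestamps to find the webmail session and account behind them.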