Horde exploit / spam through u=cpanel

Discussion in 'General Discussion' started by vasko, May 15, 2006.

  1. vasko

    vasko Member

    Horde that comes with cPanel appears to be 3.0.5 and this version is vulnerable to some exploits. It stays 3.0.5 no matter what update I have run.

    The problem caused by this old version is obvious - SPAM. There were a lot of spam e-mails sent through the cpanel user. I believe that Horde runs through the cpanel user, hence the reason why the cpanel user relayed so many e-mails....

    Moreover - the available exploits are really - available, you don't need some serious knowledge to figure out how to use them.

    To fix this, we simply updated to the latest version of Horde manually. The /tmp folder was already mounted with nosuid and noexec; in case some of you haven't done that - do it, or you will see 160K e-mails relayed through the cpanel user :)

    I hope this helps someone.
     
  2. jackie46

    jackie46 BANNED

    Can you send us some proof, log files, access logs etc? I would be very interested to see your logs.
     
  3. vasko

    vasko Member

    There is not much to see. Here's a 'sample' : )


    2006-05-14 15:59:09 1FfGBh-00028b-Cz <= kokscity@somename.info U=cpanel P=local S=1533 id=20060514155907.3vk6q91zbb7s4g4o@xxx..xxx..1.95

    A lot of entries like this one. Others were with forged e-mails, most of which were @yahoo.dk, @yahoo.it.

    Another way to solve this, rather than a manual upgrade, is to replace the line below:

    eval('$version = "' . ucfirst($module) . ' " . ' . String::upper($module) . '_VERSION;');

    with

    $version = String::ucfirst($module) . ' ' . constant(String::upper($module) . '_VERSION');

    or just comment it out. This should fix the problem without having to do an upgrade of Horde.

    This change is for the index.php file found in /horde/services/help/

    The new version (3.1.10) does not have a /help folder.
     
  4. vasko

    vasko Member

    Another solution -

    /usr/local/cpanel/base/horde/config/conf.php

    Edit this file and change this line from:

    $conf['menu']['links']['help'] = 'all';

    to

    $conf['menu']['links']['help'] = 'none';

    and then go to the /services/help/ folder of Horde and

    chmod 000 index.php
     
  5. cPanelBilly

    cPanelBilly Guest

    Please remember in order to get to horde you have to be an authenticated user... so you could already send email.
     
  6. 4u123

    4u123 Well-Known Member
    I'm sorry to bump an old thread but I'm having a real problem with this. Someone is sending lots of spam out using Horde but because the user id is cpanel, I don't know which user it is. Can anyone provide some tips on how to locate the account sending the email?

    Edit...

    I got this spammer by looking at the CPU usage in cPanel and noticed "webmail serving ip address" as a high process - the IP was in Ghana so that was a good start - then I searched the exim log for that IP address - it came up with the details of the spam message being sent out from the fraudulently purchased account.

    Are there any more effective ways of doing this?
     
    #6 4u123, Oct 24, 2006
    Last edited: Oct 24, 2006
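
Added example (not part of any poster's message, and not cPanel or Exim tooling): a Python script that scans an Exim main log for the pattern quoted earlier in the thread (`<=` arrivals tagged `U=cpanel P=local`), reports the minutes where those submissions spike, and lists the recipients of the flagged message IDs, giving a time window and IDs to carry into the kind of IP search described above. The function names, the per-minute threshold and every log line in the sample are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in Exim main-log style, modelled on the line quoted in the thread.
SAMPLE_LOG = """\
2006-05-14 15:58:40 1FfGBE-00027x-Aa <= alice@example.org H=mail.example.net [192.0.2.10] P=esmtp S=2211 id=abc@example.net
2006-05-14 15:59:07 1FfGBf-00028a-Bq <= promo1@example.com U=cpanel P=local S=1498 id=20060514155905.aaaa@host.example
2006-05-14 15:59:08 1FfGBf-00028a-Bq => victim1@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.20]
2006-05-14 15:59:09 1FfGBh-00028b-Cy <= promo2@example.com U=cpanel P=local S=1533 id=20060514155907.bbbb@host.example
2006-05-14 15:59:09 1FfGBh-00028b-Cy => victim2@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.20]
2006-05-14 15:59:10 1FfGBi-00028c-D1 <= promo3@example.com U=cpanel P=local S=1502 id=20060514155908.cccc@host.example
2006-05-14 16:20:00 1FfGWa-0002Ab-E2 <= root@host.example U=root P=local S=811
"""

# date, HH:MM, Exim message ID, direction flag, address, remaining fields
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}):\d{2} "
                  r"(\S{6}-\S{6}-\S{2}) (<=|=>|->|\*\*|==) (\S+)(.*)$")


def parse(log_text):
    """Yield (minute, msg_id, flag, address, fields) for each message line."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            date, hhmm, msg_id, flag, addr, rest = m.groups()
            yield f"{date} {hhmm}", msg_id, flag, addr, rest.split()


def webmail_bursts(log_text, local_user="cpanel", per_minute=3):
    """Return {minute: [msg_ids]} where local_user submitted >= per_minute messages."""
    ids = defaultdict(list)
    for minute, msg_id, flag, _addr, fields in parse(log_text):
        # Arrival lines only; U= and P= must match as whole fields.
        if flag == "<=" and f"U={local_user}" in fields and "P=local" in fields:
            ids[minute].append(msg_id)
    return {m: v for m, v in ids.items() if len(v) >= per_minute}


def recipients(log_text, msg_ids):
    """Map each of the given message IDs to the addresses it was delivered to."""
    out = defaultdict(list)
    for _minute, msg_id, flag, addr, _fields in parse(log_text):
        if flag in ("=>", "->") and msg_id in msg_ids:
            out[msg_id].append(addr)
    return dict(out)


if __name__ == "__main__":
    for minute, ids in webmail_bursts(SAMPLE_LOG).items():
        print(minute, len(ids), "local submissions as U=cpanel")
        print(recipients(SAMPLE_LOG, ids))
```
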
  7. sv1

    sv1 Well-Known Member

    What are the steps to manually update Horde?
     