
How do I disable or update Horde? Server was hacked using it.

Discussion in 'Plesk for Linux - 8.x and Older' started by CBiLL, May 2, 2006.

  1. CBiLL

    When I updated to Plesk 8 my server got hacked and they used Horde to exploit it and hacked into my server.

    I am running FC 1. How do I update Horde, or at least disable it until it is updated?



    Thanks

    Bill
     
  2. littlefrog

    yea my server got hit as well

    I am running horde 3.0.5 on PSA 7.5.4

    NOT HAPPY.

    Will update this thread with results from updating Horde.
     
  3. crossconnect

    On my system Horde is installed in /usr/share/psa-horde, could be different on yours. Just change the permissions on that directory to remove world readable/executable (chmod o-rx /usr/share/psa-horde). That should be a good temporary fix, no risk of changes to Apache config files being overwritten.

    What exactly was the attacker able to do?
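    The temporary fix described above, as an added shell example (not crossconnect's own commands, and not from the thread): it removes the read/execute bits for "other" users on the webmail directory, verifies the change, and can undo it once a patched Horde is in place. The default path is the one named in the thread; whether Apache is actually locked out depends on it running as a user other than the directory's owner (root-owned tree, apache worker), which is the Plesk layout assumed here. The sandbox directory at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added example, not crossconnect's own commands: take a webmail directory
# offline by removing the read/execute bits for "other" users, verify the
# result, and undo it later. Assumption: Apache runs as a user other than the
# directory's owner, so after o-rx it answers 403 for everything under it.
# The sandbox used at the bottom is constructed for the demo.

# Nine-character permission string for a path, e.g. rwxr-xr-x
# (uses ls rather than stat -c so it is portable across Linux and BSD).
perm_string() {
    ls -ld "$1" | cut -c2-10
}

# Return 0 when "other" can neither read nor traverse the directory.
is_disabled() {
    case "$(perm_string "$1")" in
        ??????-?-) return 0 ;;   # other triple is -?-: no r, no x (w is irrelevant here)
        *)         return 1 ;;
    esac
}

# Strip o-rx (mode first, then path: chmod's argument order). Idempotent.
disable_webmail() {
    if is_disabled "$1"; then
        echo "$1: already disabled"
        return 0
    fi
    chmod o-rx "$1" || return 1
    is_disabled "$1" || { echo "$1: chmod did not take effect" >&2; return 1; }
    echo "$1: disabled (expect Apache to answer 403 for it now)"
}

# Give "other" back read+traverse once the install has been patched.
enable_webmail() {
    chmod o+rx "$1" || return 1
    if is_disabled "$1"; then
        echo "$1: still disabled" >&2
        return 1
    fi
    echo "$1: enabled"
}

# Stand-alone demo on a constructed sandbox; on a real server you would pass
# the live path (/usr/share/psa-horde in the thread) instead.
demo_dir=$(mktemp -d)/psa-horde
mkdir -m 755 "$demo_dir"
disable_webmail "$demo_dir"
enable_webmail "$demo_dir"
rm -rf "$(dirname "$demo_dir")"
```

    The 403 that a later post in this thread reports after applying the chmod is the intended effect: Apache, running as a user that is neither the owner nor in the owning group, can no longer enter the directory. Nothing in the Apache configuration is touched, so enable_webmail (chmod o+rx) restores the previous state.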
     
  4. littlefrog

    The hacker was able to copy phishing material to several domains on the server. As soon as I disabled Horde, the files stopped magically appearing.

    Cleaned up the server and changed the pass.

    My Horde is the same dir.

    What I did was back up the folder and wipe the directory.
    Recreated it and installed a clean copy of SquirrelMail into it, and it seems to be working really nicely.

    I did it in a way that I can evaluate several webmail packages and then choose the one I like best. So far SquirrelMail was easiest.
    Only took about 2 min to install. (I had to write a quick fix into the config to allow the software to be dynamic instead of domain specific.)

    The look and feel of SquirrelMail sucks though... so I am still trying to find the right solution.
     
  5. ramorius

    OK, I followed the guidance above so that my server would not get hacked and now WebMail doesn't work. I receive the following errors:

    Forbidden
    You don't have permission to access /horde/imp/login.php on this server.

    Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.


    So, what were the permissions? What should they really be?

    Thank you,
    Rob Morin
     
  6. littlefrog

    Ok here are the steps i did.

    1) Back up /usr/share/psa-horde to /usr/share/psa-horde-BK

    2) Make clean dir for /usr/share/psa-horde

    3) Make index.php in that folder
    for now make it say "Coming Soon"

    4) Download latest version of squirrelmail located at http://prdownloads.sourceforge.net/squirrelmail/squirrelmail-1.4.6.tar.gz

    5) Once you have downloaded the file put it in /usr/share/psa-horde

    Untar it

    then rename the outputted folder to sq

    then chown -R root:root sq

    then cd sq/

    then chown -R apache:apache data

    then cd config

    then run perl config.pl and set the configuration.

    6) Now customize some of the settings so users don't end up with each others preferences.

    a) edit config/config.php
    change the line below
    $domain = "example.com";
    TO
    $domain = eregi_replace("www\.", "", eregi_replace("webmail\.", "", $_SERVER['SERVER_NAME']));

    b) change functions/file_prefs.php
    there are 3 functions that need to be updated.

    look through the file for
    "$username.pref"
    and change it to
    $username . "_" . $domain . ".pref"

    Also in each function you find that in make sure you also add this line at the top of the function like this

    function cachePrefValues($data_dir, $username) {
    global $domain;

    Once you're done with that, go visit webmail.yourdomain.com/sq/

    log in with your username and pass and test that it works.

    if it does work as you want it to then go edit

    /usr/share/psa-horde/index.php and add this as the first line.

    <?php header("Location: sq/"); ?>

    Let me know how it goes... i would like to hear your feedback on this process.

    Then once SW-SOFT issues a fix for HORDE 3.0.5 then we can switch back... (WHICH IS WHY ITS GOOD TO BACK UP THE DIR)
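    Steps 1 to 3 of the procedure above (move the Horde tree aside to a -BK copy, recreate the directory, drop in a "Coming Soon" index.php), as an added shell example that is not littlefrog's script and not part of the thread. It adds two checks a practitioner would want: the tree is only moved when the installed version is older than the release the thread later calls safe (3.1.1), and an existing -BK backup is never overwritten, so a repeat run cannot destroy the only copy of the original. It assumes Horde 3 records its version in lib/version.php as define('HORDE_VERSION', '3.0.5'); the sample tree built at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added example, not littlefrog's script: steps 1 to 3 of the procedure above
# with two checks. The tree is only moved when the installed version is older
# than the release the thread later calls safe (3.1.1), and an existing -BK
# backup is never overwritten.
# Assumption: Horde 3 records its version in lib/version.php as
#   define('HORDE_VERSION', '3.0.5');
# The sample tree built at the bottom is constructed for the demo.

FIXED_VERSION=3.1.1

# Print the version string from $1/lib/version.php, or "unknown" if absent.
horde_version() {
    f="$1/lib/version.php"
    v=""
    [ -f "$f" ] && v=$(sed -n 's/.*HORDE_VERSION[^0-9]*\([0-9][0-9.]*\).*/\1/p' "$f" | head -n 1)
    echo "${v:-unknown}"
}

# Return 0 if dotted version $1 is strictly older than $2, comparing each
# field numerically (so 3.1.1 < 3.10.0). Non-numeric fields count as 0, which
# makes "unknown" compare as older than everything: conservative on purpose.
version_lt() {
    [ "$1" = "$2" ] && return 1
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Return 0 if the Horde tree in $1 is older than FIXED_VERSION.
needs_fix() {
    version_lt "$(horde_version "$1")" "$FIXED_VERSION"
}

# Steps 1-3: move $1 to $1-BK, recreate $1, leave a placeholder index.php.
# Refuses to run when $1-BK exists, so a repeat cannot clobber the only backup.
backup_and_placeholder() {
    dir=$1
    if [ -e "$dir-BK" ]; then
        echo "$dir-BK already exists; leaving $dir alone" >&2
        return 1
    fi
    mv "$dir" "$dir-BK" || return 1
    mkdir -m 755 "$dir" || return 1
    printf '%s\n' '<?php echo "Coming Soon"; ?>' > "$dir/index.php"
    echo "$dir moved to $dir-BK, placeholder installed"
}

# Stand-alone demo on a constructed tree (the real path in the thread is
# /usr/share/psa-horde).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/psa-horde/lib"
printf '%s\n' '<?php' "define('HORDE_VERSION', '3.0.5');" > "$demo_root/psa-horde/lib/version.php"
if needs_fix "$demo_root/psa-horde"; then
    backup_and_placeholder "$demo_root/psa-horde"
else
    echo "Horde $(horde_version "$demo_root/psa-horde") is not older than $FIXED_VERSION; nothing to do"
fi
rm -rf "$demo_root"
```

    Comparing version fields numerically rather than as strings matters once a 3.10.x release exists; treating an unreadable version as "older than everything" errs on the side of taking the tree offline, which is the safer failure for a component already known to have been abused on the server.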
     
  7. littlefrog

    PS: if anyone doubts the seriousness of this exploit, visit these URLs

    http://castlecops.com/modules.php?&name=Forums&file=viewtopic&p=749219

    http://www.rohitab.com/discuss/index.php?showtopic=15182

    http://isc.sans.org/diary.php?storyid=1268&rss

    and anyone running the default PSA 7.5.4 or older is definitely in trouble.

    I can not say for sure if version 8 has this issue or not.

    This exploit has only been out for a week or 2, and it is only a matter of time before hundreds of servers are getting attacked with this new exploit.
     
  8. ramorius

    2tonecafe - thank you for the reply and references.

    I read through the urls - it appears that the attacker must have an email account on the system to get to the help module where the vulnerability exists. So, since my server doesn't provide email for any one other than me, I *should* be safe. For now.

    I hope that SWSoft is monitoring this thread and incorporates the available Horde security patch into the Updater soon. It has been out for over a month now... And, as I'm sure you saw, the exploit has been posted in forums for everyone to see.

    Thank you again,
    Rob
     
  9. littlefrog

    I just updated to the latest version update for psa 7.5.4 which updated webmail even though it says nothing about it.

    Horde now running 3.1.1 which is a safe version.

    And if you run the update even after installing squirrelmail it will fix it and sq will still be there as well so you can choose which one to use.
     
  10. CruzMark

    FYI

    I just looked at Horde on my FreeBSD 6 box that is running the latest Plesk 8 release and is at 3.1.1
     
  11. littlefrog

    Oddly enough, from Firefox it will tell you it's running 4.1

    but from IE it says 3.1.1

    So as long as you're running one of those, you should be safe from the exploit.

    I am back to using Horde, so we will see if the hacker comes back.

    If he does I will post here and disable Horde and move to SquirrelMail for good.
     
  12. crossconnect

    ramorius - sorry, that was the point. I was referring to CBiLL's question about disabling it :)
     
  13. dietcheese
