
How do I disable or update Horde? Server was hacked using it.

CBiLL (Guest)
When I updated to Plesk 8 my server got hacked and they used Horde to exploit it and hacked into my server.

I am running FC 1. How do I update Horde, or at least disable it until it is updated?



Thanks

Bill
 
Yeah, my server got hit as well.

I am running horde 3.0.5 on PSA 7.5.4

NOT HAPPY.

Will update this thread with results from updating Horde.
 
On my system Horde is installed in /usr/share/psa-horde, could be different on yours. Just change the permissions on that directory to remove world readable/executable (chmod /usr/share/psa-horde o-rx). That should be a good temporary fix, no risk of changes to Apache config files being overwritten.

What exactly was the attacker able to do?
 
The hacker was able to copy phishing material to several domains on the server. As soon as I disabled Horde, the files magically appearing stopped.

Cleaned up the server and changed the pass.

My Horde is the same dir.

What I did was back up the folder and wipe the directory.
Recreated it and installed a clean copy of SquirrelMail into it, and it seems to be working really nicely.

I did it in a way that I can evaluate several webmail packages and then choose the one I like best. So far SquirrelMail was easiest.
Only took about 2 min to install. (I had to write a quick fix into the config to allow the software to be dynamic instead of domain specific.)

The look and feel of SquirrelMail sucks though... so I am still trying to find the right solution.
 
OK, I followed the guidance above so that my server would not get hacked and now WebMail doesn't work. I receive the following errors:

Forbidden
You don't have permission to access /horde/imp/login.php on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.


So, what were the permissions? What should they really be?

Thank you,
Rob Morin
 
OK, here are the steps I did.

1) Back up /usr/share/psa-horde to /usr/share/psa-horde-BK

2) Make clean dir for /usr/share/psa-horde

3) Make index.php in that folder
for now make it say "Coming Soon"

4) Download latest version of squirrelmail located at http://prdownloads.sourceforge.net/squirrelmail/squirrelmail-1.4.6.tar.gz

5) Once you have downloaded the file put it in /usr/share/psa-horde

Untar it

then rename the extracted folder to sq

then chown -R root:root sq

then cd sq/

then chown -R apache:apache data

then cd config

then run perl config.pl and set the configuration.

6) Now customize some of the settings so users don't end up with each others preferences.

a) edit config/config.php
change the line below
$domain = "example.com";
TO
// strip only a leading "www." or "webmail." label (case-insensitive)
$domain = preg_replace('/^(www|webmail)\./i', '', $_SERVER['SERVER_NAME']);

b) change functions/file_prefs.php
there are 3 functions that need to be updated.

look through the file for
"$username.pref"
and change it to
$username . "_" . $domain . ".pref"

Also, in each function where you find that, make sure you add this line at the top of the function, like this:

function cachePrefValues($data_dir, $username) {
    global $domain;
    // ... rest of the function unchanged

Once you're done with that, go visit webmail.yourdomain.com/sq/

log in with your username and pass and test that it works.

if it does work as you want it to then go edit

/usr/share/psa-horde/index.php and add this as the first line.

<?php header("Location: sq/"); exit; ?>

Let me know how it goes... I would like to hear your feedback on this process.

Then once SW-SOFT issues a fix for HORDE 3.0.5 then we can switch back... (WHICH IS WHY ITS GOOD TO BACK UP THE DIR)
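As an added example (not code from this thread, from SquirrelMail or from Plesk), here is a hardened form of the $domain line and the per-domain preference file name from step 6, written for PHP 7+. The function names are my own, and it assumes the layout the post describes: one SquirrelMail install under /usr/share/psa-horde/sq serving several webmail.<domain> hostnames.

```php
<?php
// Added example, not part of the original post. Replaces the eregi_replace
// line (which strips "www." anywhere in the host and treats "." as a regex
// wildcard) with a version that only strips a leading label and rejects any
// value that is not a plain hostname, because the result is used in a filename.
function webmailDomain(string $serverName): ?string
{
    $host = strtolower(trim($serverName));
    $host = preg_replace('/^(www|webmail)\./', '', $host);
    // Letters, digits, hyphens and dots only, at least one dot; no path
    // separators, NUL bytes or empty values reach the preference file name.
    $label = '[a-z0-9](?:[a-z0-9-]*[a-z0-9])?';
    if (!preg_match('/^' . $label . '(?:\.' . $label . ')+$/', $host)) {
        return null;
    }
    return $host;
}

// The "$username . '_' . $domain . '.pref'" name from the post, with the
// username restricted the same way so no name can escape $data_dir.
function prefFileName(string $dataDir, string $username, string $domain): ?string
{
    if (!preg_match('/^[a-z0-9._-]+$/i', $username) || strpos($username, '..') !== false) {
        return null;
    }
    return rtrim($dataDir, '/') . '/' . $username . '_' . $domain . '.pref';
}

// Usage in config/config.php. SERVER_NAME only reflects the configured
// ServerName when Apache runs with UseCanonicalName On; otherwise it echoes
// the client's Host header, which is why the value is validated above.
$domain = webmailDomain($_SERVER['SERVER_NAME'] ?? '') ?? 'example.com';

// Usage inside the file_prefs.php functions, after "global $domain;":
// $filename = prefFileName($data_dir, $username, $domain);
// if ($filename === null) { /* refuse to load or save preferences */ }
```

With this in place, webmail.example.com and www.example.com both map to example.com, while a request with a bogus Host header falls back to the default domain instead of producing an arbitrary file name.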
 
PS if anyone doubts the seriousness of this exploit visit these URLS

http://castlecops.com/modules.php?&name=Forums&file=viewtopic&p=749219

http://www.rohitab.com/discuss/index.php?showtopic=15182

http://isc.sans.org/diary.php?storyid=1268&rss

and anyone running the default PSA 7.5.4 or older is definitely in trouble.

I can not say for sure if version 8 has this issue or not.

This exploit has only been out for a week or two, and it is only a matter of time before hundreds of servers are attacked with it.
 
2tonecafe - thank you for the reply and references.

I read through the URLs. It appears that the attacker must have an email account on the system to get to the help module where the vulnerability exists. So, since my server doesn't provide email for anyone other than me, I *should* be safe. For now.

I hope that SWSoft is monitoring this thread and incorporates the available Horde security patch into the Updater soon. It has been out for over a month now... And, as I'm sure you saw, the exploit has been posted in forums for everyone to see.

Thank you again,
Rob
 
I just updated to the latest version update for psa 7.5.4 which updated webmail even though it says nothing about it.

Horde now running 3.1.1 which is a safe version.

And if you run the update even after installing squirrelmail it will fix it and sq will still be there as well so you can choose which one to use.
 
FYI

I just looked at Horde on my FreeBSD 6 box that is running the latest Plesk 8 release and is at 3.1.1
 
Oddly enough, from Firefox it will tell you it's running 4.1,

but from IE it says 3.1.1.

So as long as you're running one of those, you should be safe from the exploit.

I am back to using Horde so we will see if the hacker comes back.

If he does, I will post here, disable Horde and move to SquirrelMail for good.
 
ramorius - sorry, that was the point. I was referring to CBiLL's question about disabling it :)
 