The cybercriminals clearly had a well thought-out plan

Feb 14, 2012 12:53 GMT  ·  By

The developers of the popular open source webmail solution Horde identified a number of manipulated files on one of their FTP servers. They concluded that the server had been breached and that the files stored on it had been altered to allow unauthenticated remote PHP code execution.

“We have immediately taken down all distribution servers to further analyze the extent of this incident, and we have worked closely with various Linux distributions to coordinate our response,” Horde representatives wrote.

After the investigation was concluded, the servers were replaced and secured, and the altered files were replaced with clean copies.

The analysis determined that a total of three files had been manipulated and served to unsuspecting customers for a period of around three months.

It turns out that each of the files was modified on a different date: Horde 3.3.12 was manipulated on November 15, Horde Groupware 1.2.10 on November 9, and Horde Groupware Webmail Edition 1.2.10 on November 2.

Since the incident was discovered on February 7, users who downloaded the aforementioned files during this timeframe are advised to reinstall immediately using fresh copies from Horde’s FTP server, or to upgrade to the more recent versions released since.

Fortunately, Horde 4 releases were not affected, and neither were the company’s CVS and Git repositories. The affected Linux distributions will provide notifications and security updates of their own.

Users who are uncertain whether they are exposed can manually verify whether their installation was altered by searching the Horde directory tree for the $m[1]($m[2]) signature.
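The check described above can be scripted. The following POSIX shell script is an added example written for this page; it is not code from the Horde project or from the advisory. It searches a directory tree for the literal $m[1]($m[2]) string (a fixed-string grep, so the $, [ and ( characters are not treated as regex metacharacters) and builds a small constructed demo tree, with one clean file and one file carrying only the marker string in a comment, to show a hit and a clean result. The directory layout and file names in the demo are assumptions, not Horde's real layout.

```shell
#!/bin/sh
# Added example, not part of the Horde project or the article.
# Scans a Horde directory tree for the marker string the advisory names.

SIGNATURE='$m[1]($m[2])'   # literal marker from the advisory; single quotes keep it unexpanded

# scan_horde_tree DIR
#   Prints every file under DIR that contains the marker, one per line.
#   Returns 0 when the tree is clean, 1 when at least one file matches.
scan_horde_tree() {
    dir="$1"
    # -r recurse, -l list file names only, -F fixed string, -- end of options
    hits=$(grep -rlF -- "$SIGNATURE" "$dir" 2>/dev/null)
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# make_sample_tree
#   Builds a constructed demo tree (hypothetical layout) and prints its root.
#   tampered.php carries the marker inside a PHP comment only; it is a
#   constructed placeholder, not the real altered file.
make_sample_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/horde/lib"
    printf '<?php\n// ordinary Horde file (constructed)\necho "ok";\n' \
        > "$tmp/horde/lib/clean.php"
    printf '<?php\n// constructed: file carrying the advisory marker\n// %s\n' "$SIGNATURE" \
        > "$tmp/horde/lib/tampered.php"
    printf '%s\n' "$tmp"
}

# Stand-alone usage: scan a real install, e.g.  scan_horde_tree /var/www/horde
# Demo run against the constructed tree:
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_tree)
    if scan_horde_tree "$root"; then
        echo "clean: no marker found under $root"
    else
        echo "WARNING: marker found in the files listed above"
    fi
    rm -rf "$root"
fi
```

A hit is conclusive: the file was altered and the install should be replaced with a fresh copy. A clean result is not proof of integrity, since this grep only finds the one marker the advisory names; the remediation the article recommends, reinstalling from clean copies or upgrading, still applies to anyone who downloaded the affected releases in the window.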

It’s clear that the hackers who targeted Horde’s servers had a plan laid out, which means they’ll probably try to make the most of the situation, if they haven’t done so already. This is why it’s highly important that Horde customers reinstall or upgrade to protect themselves against malicious operations.