Horde FTP server hacked, files modified to include backdoor
The developers of the Horde open source software have issued a statement warning its users that a one of their FTP servers was discovered to have been breached and some files on it modified.
“A few days ago we became aware of a manipulated file on our FTP server. Upon further investigation we discovered that the server has been hacked earlier, and three releases have been manipulated to allow unauthenticated remote PHP execution,” they explained. “We have immediately taken down all distribution servers to further analyze the extent of this incident, and we have worked closely with various Linux distributions to coordinate our response.”
The three files that were modified to include a backdoor are Horde 3.3.12, Horde Groupware 1.2.10 and Horde Groupware Webmail Edition 1.2.10., and users who have downloaded any of those since the start of November 2011 until February 7 (when the breach was discovered) are advised to download new, clean versions and reinstall their machines, or to upgrade to the more recent versions.
For those who would like to be sure whether they were affected, the developers advise searching their Horde directory tree for the following signature: $m[1]($m[2]).
Horde 4 users can breathe safely, as that file has not been manipulated. The developers also made sure to point out that they have replaced all the FTP and PEAR servers, and uploaded clean files.
“Our CVS and Git repositories are not affected either. Linux distributions that are affected will notify and provide security releases individually,” they stated.