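jonsjava — Posted May 27, 2008

I wrote this script to help track compromised webmail accounts in horde. It will show you all compromised accounts. It checks reply-to addresses to see if any accounts may be compromised. I'm posting it here, because I see the occasional horde issue in these forums.

<?php
/**
 * Horde webmail reply-to monitor.
 *
 * Default view: lists horde_prefs rows whose reply-to value is not on the safe
 * list and does not mention the local domain. ?view=signature&user=NAME shows
 * the stored signature and last-login field for one account. A row count kept
 * in the session raises a "CHANGE DETECTED" banner when the number of flagged
 * rows differs from the first count seen in that session.
 *
 * Every value read from horde_prefs was written by a mailbox user, which
 * includes whoever is operating a compromised account. Request values are
 * therefore bound as query parameters, and everything printed goes through
 * h() before it reaches the administrator's browser.
 */

session_start();

/* ************************************* */
/*          START USER CHANGES           */
/* ************************************* */

/* User who has access to your horde database. The script only runs SELECTs
   against horde_prefs, so a read-only account is enough. */
$username = "user";
$password = "password";
$host = "localhost";
$db = "horde";

/* Your Domain (your_domain_shortname is your domain without the extension [.com, .net, .org, etc.]) */
$your_domain = "mysite.com";
$your_domain_shortname = "mysite";

/* Safe list, separate with a comma. This text is pasted into the SQL as-is,
   so keep every entry a single-quoted literal and never fill it from input. */
$safe_list = "'example@domain.com', 'demo@user.org'";

/* The report has no login of its own and prints account names and reply-to
   addresses, so restrict it here or in the web server configuration.
   Uncomment the following if you want to allow only certain IP addresses.
   Behind a reverse proxy REMOTE_ADDR is the proxy's address, not the client's. */
/*
$allowed = array();
$allowed[] = "0.0.0.0";
$allowed[] = "127.0.0.1";
$allowed[] = "10.10.10.10";
if (!in_array($_SERVER['REMOTE_ADDR'], $allowed, true)) {
    header("HTTP/1.0 404 Not Found");
    include("/var/www/error/404.php");
    exit();
}
*/

/* ************************************* */
/*           END USER CHANGES            */
/* ************************************* */

/**
 * Escape a value for use in HTML text or a quoted attribute.
 *
 * @param mixed $value
 * @return string
 */
function h($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Read a query-string parameter as a string; missing or array-valued
 * parameters (?view[]=x) come back as ''.
 *
 * @param string $name
 * @return string
 */
function query_param($name)
{
    return (isset($_GET[$name]) && is_string($_GET[$name])) ? $_GET[$name] : '';
}

/**
 * Return element $index of an exploded preference value, or '' when the
 * stored value has fewer fields than expected.
 *
 * The preference values are picked apart by position, which is brittle: a
 * field that itself contains the separator shifts every later index.
 *
 * @param array $fields
 * @param int   $index
 * @return string
 */
function nth_field(array $fields, $index)
{
    return isset($fields[$index]) ? (string) $fields[$index] : '';
}

/**
 * Fetch one preference value for one user, or '' when there is no such row.
 *
 * @param PDO    $pdo
 * @param string $uid
 * @param string $name
 * @return string
 */
function fetch_pref(PDO $pdo, $uid, $name)
{
    $stmt = $pdo->prepare("select pref_value from horde_prefs where pref_uid = ? and pref_name = ?");
    $stmt->execute(array($uid, $name));
    $row = $stmt->fetch();

    return ($row === false) ? '' : (string) $row['pref_value'];
}

/**
 * Decide whether a reply-to field points at one of the site's own domains.
 *
 * Only the part after the last '@' is examined, and the short name has to
 * match a whole dot-separated label. This is still a heuristic: any domain
 * that carries the short name as a label is treated as local. Comparing
 * against an explicit list of owned domains would be stricter.
 *
 * @param string $address   Raw field taken from the stored preference value.
 * @param string $shortname Domain without its extension.
 * @return bool
 */
function is_own_domain($address, $shortname)
{
    $at = strrpos($address, '@');
    if ($at === false || $shortname === '') {
        return false;
    }
    $domain = strtolower(trim((string) substr($address, $at + 1), "\"' \t\r\n"));

    return in_array(strtolower($shortname), explode('.', $domain), true);
}

/**
 * Build one report row linking to the signature view for $user.
 *
 * @param string $user
 * @param string $reply
 * @return string HTML, with both values escaped.
 */
function flagged_row_html($user, $reply)
{
    // The account name goes into a URL first, then the whole URL into an attribute.
    $href = h('?user=' . rawurlencode((string) $user) . '&view=signature');
    $userHtml = h($user);
    $replyHtml = h($reply);

    return "<tr>\n"
        . "<td><a href=\"{$href}\">{$userHtml}</a></td>\n"
        . "<td><a href=\"{$href}\">{$replyHtml}</a></td>\n"
        . "</tr>\n";
}

/**
 * Print the stored signature, the last-login field and, when the account has
 * a flagged identity row, the signature found in that row.
 *
 * @param PDO    $pdo
 * @param string $userName    Account name taken from the query string.
 * @param string $safe_list   SQL list of quoted addresses from the config block.
 * @param string $your_domain Local mail domain.
 * @return void
 */
function show_signature_view(PDO $pdo, $userName, $safe_list, $your_domain)
{
    $sig = fetch_pref($pdo, $userName, 'signature');
    $last_login = fetch_pref($pdo, $userName, 'last_login');
    $last_ip = str_replace(";}", "", nth_field(explode(":", $last_login), 9));

    // The placeholder is trusted markup; the stored signature is not.
    $sigHtml = (strlen($sig) < 1) ? "<strong>No Signature Found</strong>" : h($sig);
    $ipHtml = h($last_ip);

    echo <<<END
<center>
<table border="1">
<tr>
<td>Signature</td>
<td>Last Logged in from:</td>
</tr>
<tr>
<td>$sigHtml</td>
<td>$ipHtml</td>
</tr>
</table><br />

END;

    // NOTE(review): "not like" is a substring test over the whole stored value,
    // so a row is dropped whenever the local domain appears anywhere in it.
    // Confirm that this does not hide rows you want to see.
    $stmt = $pdo->prepare(
        "select pref_value from horde_prefs"
        . " where pref_value not in ({$safe_list})"
        . " and pref_value not like ?"
        . " and pref_value != ''"
        . " and pref_value like '%reply%'"
        . " and pref_name like '%ident%'"
        . " and pref_uid = ?"
    );
    $stmt->execute(array("%@{$your_domain}%", $userName));
    $row = $stmt->fetch();

    if ($row !== false) {
        $fields = explode(";", (string) $row['pref_value']);
        $live_sig = nth_field($fields, 18);
        if ($live_sig == "s:10:\"sig_dashes\"") {
            $live_sig = nth_field($fields, 15);
        }
        $live_sig = str_replace("s:0:\"\"", "", $live_sig);
        $liveHtml = (strlen($live_sig) < 1)
            ? "<strong>No Live Signature Found</strong>"
            : h($live_sig);

        print "<strong>Live Data</strong><table border='1'>\n<tr><td>Signature</td></tr>\n";
        print "<tr><td>{$liveHtml}</td></tr></table>\n";
    }

    print "</center>\n";
}

/**
 * Print the list of flagged accounts and compare the row count with the one
 * remembered in the session.
 *
 * @param PDO    $pdo
 * @param string $safe_list             SQL list of quoted addresses from the config block.
 * @param string $your_domain           Local mail domain.
 * @param string $your_domain_shortname Local domain without its extension.
 * @return void
 */
function show_overview(PDO $pdo, $safe_list, $your_domain, $your_domain_shortname)
{
    $session_count = 0;
    $domain_pattern = "%@{$your_domain}%";

    echo <<<END
<head>
<meta http-equiv="refresh" content="300">
</head>
<center>
<table border="1">
<tr>
<td>Username</td>
<td>Replyto Address</td>
</tr>

END;

    // Rows that hold a reply-to address directly.
    $stmt = $pdo->prepare(
        "select pref_uid, pref_value from horde_prefs"
        . " where pref_value not in ({$safe_list})"
        . " and pref_value not like ?"
        . " and pref_value != ''"
        . " and pref_value like '%@%'"
        . " and pref_name like '%reply%'"
    );
    $stmt->execute(array($domain_pattern));
    while ($row = $stmt->fetch()) {
        $session_count++;
        echo flagged_row_html($row['pref_uid'], $row['pref_value']);
    }

    // Identity rows that carry the reply-to address inside a larger value.
    $stmt = $pdo->prepare(
        "select pref_uid, pref_value from horde_prefs"
        . " where pref_value not in ({$safe_list})"
        . " and pref_value not like ?"
        . " and pref_value != ''"
        . " and pref_value like '%reply%'"
        . " and pref_name like '%ident%'"
    );
    $stmt->execute(array($domain_pattern));
    while ($row = $stmt->fetch()) {
        // Every identity row counts towards the alarm, listed or not.
        $session_count++;

        $fields = explode(";", (string) $row['pref_value']);
        $reply_to = str_replace("s:0:\"\"", "", nth_field($fields, 8));

        if (strlen($reply_to) < 1) {
            continue;
        }
        if (is_own_domain($reply_to, $your_domain_shortname)) {
            continue;
        }

        $reply_to = str_replace("s:0:", "", $reply_to);
        echo flagged_row_html($row['pref_uid'], $reply_to);
    }

    if (isset($_SESSION['count'])) {
        if ($_SESSION['count'] != $session_count) {
            print "<h1>CHANGE DETECTED!</h1>(<a href='?alarm=off'>Silence alarm</a>)";
        }
    } else {
        $_SESSION['count'] = $session_count;
    }

    print "\n</table>\n</center>";
}

// ext/mysql (mysql_connect and friends) no longer exists in current PHP, so
// the connection goes through PDO with real prepared statements.
try {
    $pdo = new PDO("mysql:host={$host};dbname={$db}", $username, $password, array(
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ));
} catch (PDOException $e) {
    // Keep the driver message, which can name the host and account, off the page.
    die("connection error");
}

if (query_param('alarm') === "off") {
    // Forget the baseline, then drop ?alarm=off from the address. If it stayed
    // there, the five-minute auto-refresh would clear the baseline on every
    // reload and the alarm could never fire again.
    unset($_SESSION['count']);
    header('Location: ' . $_SERVER['SCRIPT_NAME']);
    exit();
}

$view = query_param('view');

try {
    if ($view === "lastlogon") {
        // Reserved: this view prints nothing.
    } elseif ($view === "signature") {
        show_signature_view($pdo, query_param('user'), $safe_list, $your_domain);
    } else {
        show_overview($pdo, $safe_list, $your_domain, $your_domain_shortname);
    }
} catch (PDOException $e) {
    error_log($e->getMessage());
    die("query error");
}
?>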