offering a helpful script for horde(webmail)

[jonsjava]

I wrote this script to help track compromised webmail accounts in horde.  It will show you all compromised accounts. It checks reply-to addresses to see if any accounts may be compromised.  I'm posting it here, because I see the occasional horde issue in these forums.

<?php
session_start();
/* ************************************* */
/* START USER CHANGES                    */
/* ************************************* */
/* User who has access to your horde database */
$username = "user";
$password = "password";
$host = "localhost";
$db = "horde";

/* Your Domain (your_domain_shortname is your domain without the extension [.com, .net, .org, etc.])*/
$your_domain = "mysite.com";
$your_domain_shortname = "mysite";

/* Safe list, separate with a comma */
$safe_list = "'example@domain.com', 'demo@user.org'";

/* Uncomment the following if you want to allow only certian IP addresses */
/*
$allowed = array();
$allowed[] .= "0.0.0.0";
$allowed[] .= "127.0.0.1";
$allowed[] .= "10.10.10.10";
if (!(in_array($_SERVER['REMOTE_ADDR'], $allowed)))
{
header("HTTP/1.0 404 Not Found");
include("/var/www/error/404.php");
exit();

}
*/
/* ************************************* */
/* END USER CHANGES                      */
/* ************************************* */

$link = mysql_connect($host, $username, $password) or die("connection error");
mysql_select_db($db, $link);

if ($_GET['alarm'] == "off"){
        session_destroy();
}

if ($_GET['view'] == "lastlogon"){

}

elseif ($_GET['view'] == "signature"){
        $userName = mysql_real_escape_string($_GET['user']);
        $sql = "select * from horde_prefs where pref_uid = '{$userName}' and pref_name='signature';";
        $result = mysql_query($sql);
        $row = mysql_fetch_assoc($result);
        $sig = $row['pref_value'];
        $sql = " select * from horde_prefs where pref_uid = '{$userName}' and pref_name='last_login';";
        $result = mysql_query($sql);
        $array2 = array();
        $row = mysql_fetch_assoc($result);
        $last_login = $row['pref_value'];
        $array2[] = explode(":", $last_login);
        $last_ip = $array2[0][9];
        $last_ip = str_replace(";}", "", $last_ip);
        if (strlen($sig) < 1){
                $sig = "<strong>No Signature Found</strong>";
}

echo <<<END
<center>
        <table border="1">
                <tr>
                        <td>Signature</td>
                        <td>Last Logged in from:</td>
                </tr>
                <tr>
                        <td>$sig</a></td>
                        <td>$last_ip</a></td>
                </tr><table><br />
END;
$sql = "select * from horde_prefs where pref_value not in ($safe_list) and pref_value not like '%@$your_domain%' and pref_value !='' and pref_value like '%reply%' and pref_name like '%ident%' and pref_uid='{$userName}';";
$result = mysql_query($sql);
$row_count = mysql_num_rows($result);
if ($row_count > 0){
$test = "";
print "<strong>Live Data</strong><table border='1'> <tr><td>Signature</td></tr>";
$data = array();
$row = mysql_fetch_assoc($result);
$user = $row['pref_uid'];
$values = $row['pref_value'];
$test = $values;
$data[] = explode(";", $test);
$live_sig = $data[0][18];
if ($live_sig == "s:10:\"sig_dashes\""){
$live_sig = $data[0][15];
}
$live_sig = str_replace("s:0:\"\"", "", $live_sig);
if (strlen($live_sig) < 1){
$live_sig = "<strong>No Live Signature Found</strong>";
}
echo <<<END
<tr><td>$live_sig</td></tr></table></center>
END;
}
}
else{
$sql = "select * from horde_prefs where pref_value not in ($safe_list) and pref_value not like '%@$your_domain%' and pref_value !='' and pref_value like '%@%' and pref_name like '%reply%'";
$session_count = 0;
echo <<<END
<head>
<meta http-equiv="refresh" content="300">
</head>
<center>
        <table border="1">
                <tr>
                        <td>Username</td>
                        <td>Replyto Address</td>
                </tr>
END;
$result = mysql_query($sql);
while ($row = mysql_fetch_assoc($result)){
        $user = $row['pref_uid'];
        $session_count++;
        $reply = $row['pref_value'];
        echo <<<END
                <tr>
                        <td><a href="?user=$user&view=signature">$user</a></td>
                        <td><a href="?user=$user&view=signature">$reply</a></td>
                </tr>
END;
}
$sql = "select * from horde_prefs where pref_value not in ($safe_list) and pref_value not like '%@$your_domain%' and pref_value !='' and pref_value like '%reply%' and pref_name like '%ident%';";
$result = mysql_query($sql);
$test = "";
while ($row = mysql_fetch_assoc($result)){
$user = $row['pref_uid'];
$values = $row['pref_value'];
$test = $values;
$data = array();
$session_count++;
$data[] = explode(";", $test);
$signature = $data[0][18];
$signature = str_replace("s:0:", "", $signature);
$reply_to = $data[0][8];
$reply_to = str_replace("s:0:\"\"", "", $reply_to);
if (strlen($reply_to) < 1){
}
elseif (strchr($your_domain_shortname, $reply_to) != false)
{
}
else{
$reply_to = str_replace("s:0:", "", $reply_to);
echo <<<END
                <tr>
                        <td><a href="?user=$user&view=signature">$user</a></td>
                        <td><a href="?user=$user&view=signature">$reply_to</a></td>
                </tr>
END;
}
}
if (isset($_SESSION['count'])){
        if ($_SESSION['count'] != $session_count){
        print "<h1>CHANGE DETECTED!</h1>(<a href='?alarm=off'>Silence alarm</a>)";
        }
}
else{
        $_SESSION['count'] = $session_count;
}

        print " </table>
        </center>";
}
?>