FCKEditor Exploit - How do I remove FCK Editor all together?

Posted: Tue Jul 13, 2010 9:37 pm
by thehumancpu
My webspace was compromised through an exploit in FCKEditor allowing users to upload files for execution.

I guess I just want to know if anyone else has had this problem?

Re: FCKEditor Exploit - How do I remove FCK Editor all toget

Posted: Tue Jul 13, 2010 9:48 pm
by i2Paq
Please point us where this exploit is mentioned.

Re: FCKEditor Exploit - How do I remove FCK Editor all toget

Posted: Tue Jul 13, 2010 10:33 pm
by thehumancpu
1.1 The hackers processed the attack through a security leak in your script/s

./store/admin/view/javascript/fckeditor/editor/filemanager/connectors/php/connector.php

Creating Files:

./XXXXXXXXXXX/mass.php
./store/system/helper/dompdf/i2.php
./store/image/mass.php
./store/back.php
./store/paypal/* <---- This was a whole directory of files. I'm guessing to scam paypal accounts.

I didn't download the files, I just deleted them and fixed the hole for now.

http://chris.cfwebtools.com/index.cfm/2 ... or-Exploit is the only information I found on the subject. I have removed the filemanager folder to disable the script as I don't need/use it anyway. I also got my admin renamed so as to prevent these google trollers from finding the easier targets.

http://www.vupen.com/english/advisories/2009/0447

I hope this helps.

Re: FCKEditor Exploit - How do I remove FCK Editor all toget

Posted: Wed Jul 14, 2010 1:05 am
by thehumancpu
i2Paq wrote: Please point us where this exploit is mentioned.
Found a website that talks directly about the exploit and how it can be locked down.

http://www.electrictoolbox.com/fckedito ... connector/

I just deleted the file manager as my own hole closer. The script is unused on my end and seems to be getting some OpenCart hacking attention.

Found many search queries trolling for opencart installs lately.

Re: FCKEditor Exploit - How do I remove FCK Editor all toget

Posted: Wed Jul 14, 2010 2:27 am
by i2Paq
What version of OpenCart do you run?

Re: FCKEditor Exploit - How do I remove FCK Editor all toget

Posted: Wed Jul 14, 2010 3:22 am
by thehumancpu
i2Paq wrote: What version of OpenCart do you run?
That just made it click. It must have been from an old install of OpenCart that wasn't flushed out because of the changed folder name.

Guess when doing upgrades you should check to make sure no old scripts are lying around that get left dormant because the folder has changed.

Oh well - chalk it up to an 8 hour downtime and a heck of a lot of research.

Anyone who started in the older versions of OC, prolly should make sure they don't have the same old scripts as I did.

Thanks i2Paq - So this would be a fixed problem, but some upgraded users should be aware that it is lurking. (Someone knew this to know that the old directory would be still intact)...

Re: FCKEditor Exploit - How do I remove FCK Editor all toget

Posted: Wed Jul 14, 2010 4:39 am
by i2Paq
thehumancpu wrote: Thanks i2Paq - So this would be a fixed problem, but some upgraded users should be aware that it is lurking. (Someone knew this to know that the old directory would be still intact)...
I have added this + the dompdf vulnerability info to the upgrade instruction when upgrading to 1.4.7 (Here)

Re: FCKEditor Exploit - How do I remove FCK Editor all toget

Posted: Tue Nov 02, 2010 11:00 am
by Sheldon.Kirk
Would this be a possible problem in v1.2.9? As I have been the victim of this recently in v1.2.9, but not sure how to fix it.

Re: FCKEditor Exploit - How do I remove FCK Editor all toget

Posted: Tue Nov 02, 2010 8:05 pm
by Moggin
Sheldon.Kirk wrote: Would this be a possible problem in v1.2.9? As I have been the victim of this recently in v1.2.9, but not sure how to fix it.
Yes, I'm pretty sure fckeditor was not removed until a few versions later.
Ideally you would replace it with ckeditor. I don't know how to do that - it's a job for google search, or maybe someone on here will lend a hand!

As a kind of band-aid, you could try 1) renaming the admin folder and 2) blocking access to admin via htaccess. Details on this shown in this thread http://forum.opencart.com/viewtopic.php?f=19&t=19292

This is suggested on the assumption that the hack exploits direct access to fckeditor via yourdomain/admin/path, as has been pointed out elsewhere on the forum. If it works a different way, that won't help.

The best solution is to upgrade....of course...
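
Added example, not part of any post in this thread: a shell audit for the two leftovers the thread describes, scripts still present in an FCKeditor file-manager connector directory after an upgrade, and PHP files sitting in an image directory. The function names and the sample tree are constructed for illustration; it assumes a `find` that supports `-path` and an upload directory named `image`, as in the paths quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Paths mirror the ones quoted in the posts.

# Scripts still sitting in an FCKeditor file-manager connector directory.
find_fck_connectors() {
    find "$1" -type f -path '*/fckeditor/editor/filemanager/connectors/*' \
        -name '*.[pP][hH][pP]*' | sort
}

# PHP files (including names like x.php.jpg) inside an image directory,
# where only images belong.
find_php_in_images() {
    find "$1" -type f -path '*/image/*' -name '*.[pP][hH][pP]*' | sort
}

# Print labelled findings; return 1 if anything was found, 0 if clean.
audit_webroot() {
    findings=$( { find_fck_connectors "$1" | sed 's/^/FCK-CONNECTOR /'
                  find_php_in_images "$1" | sed 's/^/PHP-IN-IMAGE  /'; } )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree (empty files) standing in for an upgraded store.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    conn="$root/store/admin/view/javascript/fckeditor/editor/filemanager/connectors/php"
    mkdir -p "$conn" "$root/store/image"
    : > "$conn/connector.php"          # leftover connector from an old install
    : > "$root/store/image/mass.php"   # script in an upload directory
    : > "$root/store/image/logo.jpg"   # legitimate image, must not be reported
    : > "$root/store/index.php"        # legitimate application script
    printf '%s\n' "$root"
}

# Demo run against the constructed tree; point audit_webroot at a real
# document root to use it.
demo=$(make_sample_tree)
audit_webroot "$demo" || echo "findings above need review"
rm -rf "$demo"
```

The check only covers the connector path and the image directory; files dropped elsewhere in the tree need a comparison against a clean copy of the release.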