My webspace was compromised through an exploit in FCKEditor allowing users to upload files for execution.
I guess I just want to know if anyone else has had this problem?
Please point us where this exploit is mentioned.
Norman in 't Veldt
Moderator OpenCart Forums
_________________ READ and Search BEFORE POSTING _________________
Our FREE search: Find your answer FAST!.
[How to] BTW + Verzend + betaal setup.
1.1 The hackers processed the attack through a security leak in your script/s
./store/admin/view/javascript/fckeditor/editor/filemanager/connectors/php/connector.php
Creating Files:
./XXXXXXXXXXX/mass.php
./store/system/helper/dompdf/i2.php
./store/image/mass.php
./store/back.php
./store/paypal/* <---- This was a whole directory of files. I'm guessing to scam paypal accounts.
I didn't download the files, I just deleted them and fixed the hole for now.
http://chris.cfwebtools.com/index.cfm/2 ... or-Exploit is the only information I found that was on the subject. I have removed the filemanager folder to disable the script as I don't need/use it anyway. I also got my admin renamed so as to prevent these google trollers from finding the easier targets.
http://www.vupen.com/english/advisories/2009/0447
I hope this helps.
i2Paq wrote: Please point us where this exploit is mentioned.
Found a website that talks directly about the exploit and how it can be locked down.
http://www.electrictoolbox.com/fckedito ... connector/
I just deleted the file manager as my own hole closer. The script is unused on my end and seems to be getting some opencart hacking attention.
Found many search queries trolling for opencart installs lately.
What version of OpenCart do you run?
i2Paq wrote: What version of OpenCart do you run?
That just made it click. It must have been from an old install of Opencart that wasn't flushed out because of the changed folder name.
Guess when doing upgrades you should check to make sure no old scripts are lying around that get left dormant because the folder has changed.
Oh well - chalk it up to an 8 hour downtime and a heck of a lot of research.
Anyone who started in the older versions of OC, prolly should make sure they don't have the same old scripts as I did.
Thanks i2Paq - So this would be fixed problem, but some upgraded users should be aware that it is lurking. (Someone knew this to know that the old directory would be still intact)...
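The check suggested in the post above, as an added example that is not part of the original thread: a shell audit for leftover FCKeditor file-manager connectors and for script files in image directories. The path patterns come from the file listing quoted earlier in the thread; the function names and output labels are hypothetical.

```shell
#!/bin/sh
# Added example: audit a web root after an upgrade. Patterns follow the paths
# quoted in the thread; function names and report labels are hypothetical.

# List every file under an FCKeditor filemanager "connectors" directory.
# The match is on the fckeditor sub-path, not on "admin", so copies left
# behind in a renamed or older admin folder are still reported.
find_fckeditor_connectors() {
    find "$1" -type f -path '*/fckeditor/editor/filemanager/connectors/*' \
        2>/dev/null | sort
}

# List script files inside any directory named "image". Uploads land there,
# and nothing in it should be handled by the PHP interpreter.
find_scripts_in_image_dirs() {
    find "$1" -type f -path '*/image/*' \
        \( -iname '*.php' -o -iname '*.php[0-9]' \
           -o -iname '*.phtml' -o -iname '*.phar' \) 2>/dev/null | sort
}

# Run both checks, print a labelled report, and return 1 when anything was
# found so the result can gate an upgrade or a cron alert.
audit_webroot() {
    report=$(
        find_fckeditor_connectors "$1" | sed 's/^/LEFTOVER-CONNECTOR /'
        find_scripts_in_image_dirs "$1" | sed 's/^/SCRIPT-IN-IMAGE-DIR /'
    )
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Stand-alone use: sh audit.sh /path/to/webroot
if [ "$#" -gt 0 ]; then
    audit_webroot "$1"
fi
```

A non-empty report only shows where to look; files found this way still need to be reviewed before they are removed.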
thehumancpu wrote: Thanks i2Paq - So this would be fixed problem, but some upgraded users should be aware that it is lurking. (Someone knew this to know that the old directory would be still intact)...
I have added this + the dompdf vulnerability info to the upgrade instruction when upgrading to 1.4.7 (Here)
Would this be a possible problem in v1.2.9? As I have been the victim of this recently in v1.2.9, but not sure how to fix it.
Sparx Web Solutions - Affordable Web Design & Internet Marketing
New Zealand Web Design
Sheldon.Kirk wrote: Would this be a possible problem in v1.2.9? As I have been the victim of this recently in v1.2.9, but not sure how to fix it.
Yes, I'm pretty sure fckeditor was not removed until a few versions later.
Ideally you would replace it with ckeditor. I don't know how to do that - it's a job for google search, or maybe someone on here will lend a hand!
As a kind of band-aid, you could try 1) renaming the admin folder and 2) blocking access to admin via htaccess. Details on this shown in this thread http://forum.opencart.com/viewtopic.php?f=19&t=19292
This is suggested on the assumption that the hack exploits direct access to fckeditor via yourdomain/admin/path, as has been pointed out elsewhere on the forum. If it works a different way, that won't help.
The best solution is to upgrade....of course...