Post by thehumancpu » Tue Jul 13, 2010 9:37 pm

My webspace was compromised through an exploit in the FCKEditor exploit allowing users to upload files for execution.

I guess I just want to know if anyone else has had this problem?

New member

Posts

Joined
Mon Oct 19, 2009 10:59 am

Post by i2Paq » Tue Jul 13, 2010 9:48 pm

Please point us where this exploit is mentioned.

Norman in 't Veldt
Moderator OpenCart Forums

_________________ READ and Search BEFORE POSTING _________________

Our FREE search: Find your answer FAST!.

[How to] BTW + Verzend + betaal setup.


User avatar
Global Moderator

Posts

Joined
Mon Nov 09, 2009 7:00 pm
Location - Winkel - The Netherlands

Post by thehumancpu » Tue Jul 13, 2010 10:33 pm

1.1 The hackers processed the attack through a security leak in your script/s

./store/admin/view/javascript/fckeditor/editor/filemanager/connectors/php/connector.php

Creating Files:

./XXXXXXXXXXX/mass.php
./store/system/helper/dompdf/i2.php
./store/image/mass.php
./store/back.php
./store/paypal/* <---- This was a whole directory of files. I'm guessing to scam paypal accounts.

I didn't download the files, I just deleted them and fixed the hole for now.

http://chris.cfwebtools.com/index.cfm/2 ... or-Exploit is the only information I found that was on the subject. I have removed the filemanager folder to disable the script as I don't need/use it anyway. I also got my admin renamed so to prevent these google trollers from finding the easier targets.

http://www.vupen.com/english/advisories/2009/0447

I hope this helps.

New member

Posts

Joined
Mon Oct 19, 2009 10:59 am

Post by thehumancpu » Wed Jul 14, 2010 1:05 am

i2Paq wrote:Please point us where this exploit is mentioned.
Found a website that talks directly about the exploit and how it can be locked down.

http://www.electrictoolbox.com/fckedito ... connector/

I just deleted the file manager as my own hole closer. The script is unused on my end and seem to be getting some opencart hacking attention.

Found many search queries trolling for opencart installs lately.

New member

Posts

Joined
Mon Oct 19, 2009 10:59 am

Post by i2Paq » Wed Jul 14, 2010 2:27 am

What version of OpenCart do you run?

Norman in 't Veldt
Moderator OpenCart Forums

_________________ READ and Search BEFORE POSTING _________________

Our FREE search: Find your answer FAST!.

[How to] BTW + Verzend + betaal setup.


User avatar
Global Moderator

Posts

Joined
Mon Nov 09, 2009 7:00 pm
Location - Winkel - The Netherlands

Post by thehumancpu » Wed Jul 14, 2010 3:22 am

i2Paq wrote:What version of OpenCart do you run?
That just made it click. It must have been from an old install of Opencart that wasn't flushed out because of the change folder name.

Guess when doing upgrades you should check to make sure no old scripts are laying around that get left dorm because the folder has changed.

Oh well - chalk it up to an 8 hour downtime and a heck of a lot of research.

Anyone who started in the older versions of OC, prolly should make sure they don't have the same old scripts as I did.

Thanks i2Paq - So this would be fixed problem, but some upgraded users should be aware that it is lurking. (Someone knew this to know that the old directory would be still intact)...

New member

Posts

Joined
Mon Oct 19, 2009 10:59 am

Post by i2Paq » Wed Jul 14, 2010 4:39 am

thehumancpu wrote:Thanks i2Paq - So this would be fixed problem, but some upgraded users should be aware that it is lurking. (Someone knew this to know that the old directory would be still intact)...
I have added this + the dompdf vulnerability info to the upgrade instruction when upgrading to 1.4.7 (Here)

Norman in 't Veldt
Moderator OpenCart Forums

_________________ READ and Search BEFORE POSTING _________________

Our FREE search: Find your answer FAST!.

[How to] BTW + Verzend + betaal setup.


User avatar
Global Moderator

Posts

Joined
Mon Nov 09, 2009 7:00 pm
Location - Winkel - The Netherlands

Post by Sheldon.Kirk » Tue Nov 02, 2010 11:00 am

Would this be a possible problem in v1.2.9? As I have been the victim of this recently in v1.2.9, but not sure how to fix it.

Image

Sparx Web Solutions - Affordable Web Design & Internet Marketing

New Zealand Web Design


User avatar
Active Member

Posts

Joined
Fri Jul 03, 2009 5:58 am
Location - Tauranga, New Zealand

Post by Moggin » Tue Nov 02, 2010 8:05 pm

Sheldon.Kirk wrote:Would this be a possible problem in v1.2.9? As I have been the victim of this recently in v1.2.9, but not sure how to fix it.
Yes, I'm pretty sure fckeditor was not removed until a few versions later.
Ideally you would replace it with ckeditor. I don't know how to do that -it's a job for google search, or maybe someone on here will lend a hand!

As a kind of band-aid, you could try 1) renaming the admin folder and 2) blocking access to admin via htaccess. Details on this shown in this thread http://forum.opencart.com/viewtopic.php?f=19&t=19292

This is suggested on the assumption that the hack exploits direct access to fckeditor via yourdomain/admin/path, as has been pointed out elsewhere on the forum. If it works a different way, that won't help.

The best solution is to upgrade....of course...

Active Member

Posts

Joined
Wed May 05, 2010 4:56 am
Who is online

Users browsing this forum: No registered users and 127 guests