CKEditor 4
Tue, 08/14/2007 - 02:54
#1
ashler
ashler's picture
Joined: 14/08/2007
Posts: 6

Am I being hacked??

Firstly, I am new to fckEditor. Secondly, I am reasonably new to web development. Thirdly, I have spent ages scouring this forum and the web looking for a concrete answer to what I am about to ask, and although some sites or posts seem to point to an answer I am still confused.

I am running fckEditor on an asp page that writes a feedback form to an access mdb. I recently found a whole bunch of records in my mdb that look something like the following:

At last...
<a href= ></a> *

Now, I am pretty sure I am the victim of a vulnerability exploitation, and I have looked at my fckEditor setup but can't find any sign of actual malicious damage. Can someone please explain to me what these guys are doing, how I can check if they have been successful, and how can I ensure they don't do it in the future? I am using the newest fckEditor release, my filemanager is disabled, and the fckEditor tree is in my web root (which I now understand could be a problem from what I have read on here).

This really has got me baffled, so a detailed explanation would be appreciated. I apologise for having to ask and not being able to figure this out from previous posts, and maybe it is the late hour, but I am just unsure of what is actually happening here.

Ash.
Top
Tue, 08/14/2007 - 03:10
n00b32
n00b32's picture
Joined: 14/08/2007
Posts: 23

Re: Am I being hacked??





:)
Top
Tue, 08/14/2007 - 03:14
ashler
ashler's picture
Joined: 14/08/2007
Posts: 6

Re: Am I being hacked??

I am taking the output from the fcked object, testing it for SQL injection, then using it in a constructed SQL insert statement that writes it to the mdb along with a few text and id fields.

Using the execute method of a connection object for the insert, if that helps.

Ash.
Top
Tue, 08/14/2007 - 03:18
n00b32
n00b32's picture
Joined: 14/08/2007
Posts: 23

Re: Am I being hacked??

um ok.. so there is no sql injection ?

then what seems to be the problem cause i dont get it ? xDDD
Top
Tue, 08/14/2007 - 03:20
n00b32
n00b32's picture
Joined: 14/08/2007
Posts: 23

Re: Am I being hacked??

can you show me what code you use for the anti-sql inject??
Top
Tue, 08/14/2007 - 03:28
ashler
ashler's picture
Joined: 14/08/2007
Posts: 6

Re: Am I being hacked??

The SQL injection test is a basic one just using a replace function to capture single quotes. On submit, the asp captures the form values and does:

Message = Replace(request("fckEditor1"),"'","''")

Its very basic, but cuts out the obvious attempts.

I don't get it either to be honest, as I can't find any sign of damage, files being uploaded, or my mdb being attacked, but the messages in the records on my mdb give the impression that the guys doing this have found something and are exploiting it. Some examples are:

Ni hao!
Check this out!
<a href= ></a>,
----------

And some more..
<a href= ></a> *
--------

At last...
<a href= ></a> *
--------

Salaam!
Check this out!
<a href= ></a>,
--------

Watch Them!
<a href= ></a> *

and so on and so on. There are dozens of them, and I just get the feeling I am missing something and that they are using my site for something beyond my understanding of the fckEditor. It is only the field that uses the fckEditor as its source that is displaying these messages, so I don't think it is a random SQL injection attempt. They seem to be targeting fcked, and I don't know enough about it to really know if anything is being abused or not.

Ash.
Top
Tue, 08/14/2007 - 03:37
n00b32
n00b32's picture
Joined: 14/08/2007
Posts: 23

Re: Am I being hacked??

do those records do you any harm ? i mean why are you so concerned about them why do you think it is a sql inject ? i think it is just spam.
Top
Tue, 08/14/2007 - 03:40
n00b32
n00b32's picture
Joined: 14/08/2007
Posts: 23

Re: Am I being hacked??



:)
Top
Tue, 08/14/2007 - 03:44
ashler
ashler's picture
Joined: 14/08/2007
Posts: 6

Re: Am I being hacked??

That sounds more like it... I am not worried about the records, nor the sql injection. I should have made myself more clear I guess. I am worried that they are able to abuse something in fckeditor by using the href parameter of a hyperlink tag to launch something like javascript or php and interrogate my site, or possibly that they are accessing the filemanager components of fcked to upload to my site or navigate my file structure... I have seen articles that suggested these things have been possible with fckEditor, I just haven't seen anyone with the same symptoms as mine.

I believe you when you say fckEditor isn't the cause, I just wasn't sure what I was missing in controlling the situation.

Thanks for your help
Top
Tue, 08/14/2007 - 03:51
n00b32
n00b32's picture
Joined: 14/08/2007
Posts: 23

Re: Am I being hacked??

:):)





:)
Top
Tue, 08/14/2007 - 03:55
n00b32
n00b32's picture
Joined: 14/08/2007
Posts: 23

Re: Am I being hacked??

:)
Top
Tue, 08/14/2007 - 03:56
ashler
ashler's picture
Joined: 14/08/2007
Posts: 6

Re: Am I being hacked??



:D

Top
Tue, 08/14/2007 - 03:57
n00b32
n00b32's picture
Joined: 14/08/2007
Posts: 23

Re: Am I being hacked??

:)
Top
Tue, 08/14/2007 - 03:59
n00b32
n00b32's picture
Joined: 14/08/2007
Posts: 23

Re: Am I being hacked??

:)
Top
Tue, 08/14/2007 - 10:49
ashler
ashler's picture
Joined: 14/08/2007
Posts: 6

Re: Am I being hacked??

Could you post a link to a download site, or is it a purchase? I would be interested to have a look.
Top
Tue, 08/14/2007 - 10:56
alfonsoml
alfonsoml's picture
Joined: 31/12/2006
Posts: 3735

Re: Am I being hacked??

Ashler wrote:Firstly, I am new to fckEditor. Secondly, I am reasonably new to web development. Thirdly, I have spent ages scouring this forum and the web looking for a concrete answer to what I am about to ask, and although some sites or posts seem to point to an answer I am still confused.

I am running fckEditor on an asp page that writes a feedback form to an access mdb. I recently found a whole bunch of records in my mdb that look something like the following:

At last...
<a href= ></a> *

Now, I am pretty sure I am the victim of a vulnerability exploitation, and I have looked at my fckEditor setup but can't find any sign of actual malicious damage. Can someone please explain to me what these guys are doing, how I can check if they have been successful, and how can I ensure they don't do it in the future? I am using the newest fckEditor release, my filemanager is disabled, and the fckEditor tree is in my web root (which I now understand could be a problem from what I have read on here).

This really has got me baffled, so a detailed explanation would be appreciated. I apologise for having to ask and not being able to figure this out from previous posts, and maybe it is the late hour, but I am just unsure of what is actually happening here.

Ash.


If you have left disabled the filemanager you are way ahead of too many other people that enable it and leave it unprotected.
I wouldn't use FCKeditor for a contact form, instead I would use a plain textarea and then when storing the contents posted escape them using server.HTMLencode, that's the safest solution (apart from watching from SQL injections)

And now back to the problem: Are you sure that they are posting empty links?
the behavior that you have described looks like typical spammers that fill out any contact form that they can find with lots of links to their servers hoping that the links will be shown again to the visitors or to the crawling robots, and they are harmless (although a PITA). In order to get ride of them you can try to add some kind of CAPTCHA (including just one text box asking to fill the url of your domain, spam bots won't recognize it and humans are able to copy & paste)
Top
Tue, 08/14/2007 - 14:32
n00b32
n00b32's picture
Joined: 14/08/2007
Posts: 23

Re: Am I being hacked??

:)
Top
Tue, 08/14/2007 - 14:33
n00b32
n00b32's picture
Joined: 14/08/2007
Posts: 23

Re: Am I being hacked??




http://phpclasses.toperz.pl/browse/package/3717.html
http://phpclasses.toperz.pl/browse/package/2189.html
Top
Tue, 08/14/2007 - 16:52
alfonsoml
alfonsoml's picture
Joined: 31/12/2006
Posts: 3735

Re: Am I being hacked??

n00b32 wrote:that will not make the site hack-safe. you have to clean up html for xss. period. :)


Top
Tue, 08/14/2007 - 20:53
n00b32
n00b32's picture
Joined: 14/08/2007
Posts: 23

Re: Am I being hacked??



:)
Top
Wed, 08/15/2007 - 03:35
n00b32
n00b32's picture
Joined: 14/08/2007
Posts: 23

Re: Am I being hacked??

http://htmlpurifier.org/
Top
Tue, 11/06/2007 - 21:52
alpha2zee
alpha2zee's picture
Joined: 06/11/2007
Posts: 2

Re: Am I being hacked??

htmLawed
Top
Twitter Facebook Facebook Instagram Medium Linkedin GitHub Arrow down Phone Menu Close icon Check