Posted 1 year ago #
Not certain if this is the right place to post this.
Getting warning across all my sites for this "1-flash-gallery" plugin
Web Page: http://www............../wp-content/plugins/1-flash-gallery/upload.php?action=uploadify&fileext=php
Warning: URL may contain dangerous content!
Offending IP: 80.243.174.25
Offending Parameter: $_FILE = index.bak.php
This may be a "Executable File Upload Attack."
Do not even have this plug in installed, would be wary of installing this plugin.
Posted 1 year ago #
Where are you getting this warning from? Just visiting your site or what?
Posted 1 year ago #
http://www.seoegghead.com/software/wordpress-firewall.seo
WordPress Firewall Plugin
Posted 1 year ago #
only administrator on the site sees the warning, not a user visitng the site. I administer about 80 wordpress sites and have seen this come across almost all of them.
Posted 1 year ago #
And to be clear, you do not have http://wordpress.org/extend/plugins/1-flash-gallery/ installed? Did you verify the files aren't on your server?
Posted 1 year ago #
I have not installed this plugin on any of the sites which are issuing the warnings. I will check at the server level to ensure it does not exist there.
Posted 1 year ago #
I don't see anything in the plugin itself that would do this, though arguably if someone tried to use it to upload a file named index.bak.php, that could raise red flags.
Offending IP: 80.243.174.25
Wonder who that is...
Posted 1 year ago #
Shows it as coming from "Austria", yet the validity of that can be hard to tell
Posted 1 year ago #
The most recent version of the 1-flash-gallery plugin has already patched against this vulnerability.
Posted 1 year ago #
Yes, we've fixed that bug in 1.6.0 version
Posted 1 year ago #
Query in RIPE Database shows that IP belongs to ITandTEL DSL Network. Query results include contact info too - you can use it to contact ITandTEL admin.
Posted 1 year ago #
So ... the odds are someone's trying to attack your site, from that IP, using that file, which doesn't exist on your server anyway.
Sounds like a repeat of what the idiots did with timthumb. I would consider turning your server's firewall to stop it. I use CSF, which has a tool called ‘Connection Tracking’ that can help.
Posted 1 year ago #
I got this warning this morning, emailed to me as "Alert from WordPress Firewall on website.com":
WordPress Firewall has detected and blocked a potential attack!
Web Page: website.com//wp-content/plugins/1-flash-gallery/upload.php?action=uploadify&fileext=php
Warning: URL may contain dangerous content!
Offending IP: 213.144.230.22 [ Get IP location ]
Offending Parameter: $_FILE = index.bak.php
This may be a "Executable File Upload Attack."
Click here for more information on this type of attack.
If you suspect this may be a false alarm because of something you recently did, try to confirm by repeating those actions. If so, whitelist it via the "whitelist this variable" link below. This will prevent future false alarms.
Click here to whitelist this variable.
Click here to turn off these emails.
Repeated warnings for similar attacks are currently sent via email, click here to suppress them.
Posted 1 year ago #
Do you have that plugin installed?
Just reread this thread.... it's possibly someone just blindly trying to exploit your site
Posted 1 year ago #
They did the same thing with TimThumb :/ I ended up tossing in a block on my firewall.
Posted 1 year ago #
I started getting warning emails yesterday morning from my hosting company (1and1), by the end of the day they had taken my website down.
Here's part of the last email I got from them this morning:
1. Analysis of the attack
******************************************************************************
1.1 The hackers processed the attack through a security leak in your software
WordPress plugin: flash gallery
They misused at least the following modules or files of this software:
./mywebsite/wp-content/plugins/1-flash-gallery/upload.php
1.2 Via this security leak, the hackers have uploaded the following malicious
files to your webspace:
./mywebsite/wp-content/uploads/fgallery/20110916171543.php
./mywebsite/wp-content/uploads/fgallery/20110923084726.php
./mywebsite/wp-content/uploads/fgallery/sm3wt4.php
./mywebsite/wp-content/uploads/fgallery/htaccess
1.3 In order to impede further attacks, we have disabled these files. Please
note that part of your websites may be impaired.
1.4 We have unlocked your 1&1 webspace. Please understand that this temporary
lock was necessary to protect your security.
I did have this plugin installed until this morning, but it was not activated.
In a previous email I got from 1and1, they said that a massive number of emails were being sent from my webspace.
I hope this helps in any way.
Posted 1 year ago #
What is your version of plugin?
Posted 1 year ago #
Version 1.6.2
It's installed but currently not active
Posted 1 year ago #
I do not have the 1-flash-gallery plugin installed. I haven't received another notice, so I suspect it was someone checking for vulnerabilities....
Posted 1 year ago #
saminmt - it's possible, because we found that bug and fixed it in the 1.6.0 version
silvioribeiro - please update plugin to 1.7.0 version. And check ./mywebsite/wp-content/uploads/fgallery/ folder permissions
Posted 1 year ago #
I do not have the 1-flash-gallery plugin installed,But i received such attack Alarm yesterday
Posted 1 year ago #
I do not have this plugin installed and still i got this warning yesterday. Is this a real attack? I mean, The attacker actually got into my server or is just a warning from my firewall from a vulnerabilty scan?
How do you guys manage to fix it?
Thanx!
If you do not have this plugin, then you do not have the same issue. Please post your own topic.
Posted 1 year ago #
More info for reference. http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=24505
This topic has been closed to new replies.
