[closed] 1-flash-gallery - Executable File Upload Attack (25 posts)

  1. Amado.Miami
    Member
    Posted 2 years ago #

    Not certain if this is the right place to post this.

    Getting warning across all my sites for this "1-flash-gallery" plugin
    Web Page: http://www............../wp-content/plugins/1-flash-gallery/upload.php?action=uploadify&fileext=php
    Warning: URL may contain dangerous content!
    Offending IP: 80.243.174.25
    Offending Parameter: $_FILE = index.bak.php

    This may be a "Executable File Upload Attack."

    Do not even have this plug in installed, would be wary of installing this plugin.

  2. Where are you getting this warning from? Just visiting your site or what?

  3. Amado.Miami
    Member
    Posted 2 years ago #

  4. Amado.Miami
    Member
    Posted 2 years ago #

    Only the administrator on the site sees the warning, not a user visiting the site. I administer about 80 WordPress sites and have seen this come across almost all of them.

  5. esmi
    Theme Diva & Forum Moderator
    Posted 2 years ago #

  6. And to be clear, you do not have http://wordpress.org/extend/plugins/1-flash-gallery/ installed? Did you verify the files aren't on your server?

  7. Amado.Miami
    Member
    Posted 2 years ago #

    I have not installed this plugin on any of the sites which are issuing the warnings. I will check at the server level to ensure it does not exist there.

  8. I don't see anything in the plugin itself that would do this, though arguably if someone tried to use it to upload a file named index.bak.php, that could raise red flags.

    Offending IP: 80.243.174.25

    Wonder who that is...

  9. Amado.Miami
    Member
    Posted 2 years ago #

    Shows it as coming from "Austria", yet the validity of that can be hard to tell

  10. Samuel Wood (Otto)
    Tech Ninja
    Posted 2 years ago #

    The most recent version of the 1-flash-gallery plugin has already patched against this vulnerability.

  11. flash gallery
    Member
    Posted 2 years ago #

    Yes, we've fixed that bug in 1.6.0 version

  12. Daniel Frużyński (sirzooro)
    Member
    Posted 2 years ago #

    Query in RIPE Database shows that IP belongs to ITandTEL DSL Network. Query results include contact info too - you can use it to contact ITandTEL admin.

  13. So ... the odds are someone's trying to attack your site, from that IP, using that file, which doesn't exist on your server anyway.

    Sounds like a repeat of what the idiots did with timthumb. I would consider turning your server's firewall to stop it. I use CSF, which has a tool called ‘Connection Tracking’ that can help.

  14. saminmt
    Member
    Posted 2 years ago #

    I got this warning this morning, emailed to me as "Alert from WordPress Firewall on website.com":

    WordPress Firewall has detected and blocked a potential attack!
    Web Page: website.com//wp-content/plugins/1-flash-gallery/upload.php?action=uploadify&fileext=php
    Warning: URL may contain dangerous content!
    Offending IP: 213.144.230.22 [ Get IP location ]
    Offending Parameter: $_FILE = index.bak.php

    This may be a "Executable File Upload Attack."

    Click here for more information on this type of attack.

    If you suspect this may be a false alarm because of something you recently did, try to confirm by repeating those actions. If so, whitelist it via the "whitelist this variable" link below. This will prevent future false alarms.

    Click here to whitelist this variable.
    Click here to turn off these emails.
    Repeated warnings for similar attacks are currently sent via email, click here to suppress them.

  15. Rev. Voodoo
    Volunteer Moderator
    Posted 2 years ago #

    Do you have that plugin installed?

    Just reread this thread.... it's possibly someone just blindly trying to exploit your site

  16. They did the same thing with TimThumb :/ I ended up tossing in a block on my firewall.

  17. silvioribeiro
    Member
    Posted 2 years ago #

    I started getting warning emails yesterday morning from my hosting company (1and1), by the end of the day they had taken my website down.

    Here's part of the last email I got from them this morning:

    1. Analysis of the attack
    ******************************************************************************
    1.1 The hackers processed the attack through a security leak in your software

    WordPress plugin: flash gallery

    They misused at least the following modules or files of this software:

    ./mywebsite/wp-content/plugins/1-flash-gallery/upload.php

    1.2 Via this security leak, the hackers have uploaded the following malicious
    files to your webspace:

    ./mywebsite/wp-content/uploads/fgallery/20110916171543.php
    ./mywebsite/wp-content/uploads/fgallery/20110923084726.php
    ./mywebsite/wp-content/uploads/fgallery/sm3wt4.php
    ./mywebsite/wp-content/uploads/fgallery/htaccess

    1.3 In order to impede further attacks, we have disabled these files. Please
    note that part of your websites may be impaired.

    1.4 We have unlocked your 1&1 webspace. Please understand that this temporary
    lock was necessary to protect your security.

    I did have this plugin installed until this morning, but it was not activated.
    In a previous email I got from 1and1, they said that a massive number of emails were being sent from my webspace.

    I hope this helps in any way.

  18. flash gallery
    Member
    Posted 2 years ago #

    What is your version of plugin?

  19. silvioribeiro
    Member
    Posted 2 years ago #

    Version 1.6.2

    It's installed but currently not active

  20. saminmt
    Member
    Posted 2 years ago #

    I do not have the 1-flash-gallery plugin installed. I haven't received another notice, so I suspect it was someone checking for vulnerabilities....

  21. flash gallery
    Member
    Posted 2 years ago #

    saminmt - it's possible, because we found that bug and fixed it in the 1.6.0 version

    silvioribeiro - please update plugin to 1.7.0 version. And check ./mywebsite/wp-content/uploads/fgallery/ folder permissions

  22. hossein142001
    Member
    Posted 2 years ago #

    I do not have the 1-flash-gallery plugin installed, but I received such an attack alarm yesterday.

  23. HotJoint
    Member
    Posted 2 years ago #

    I do not have this plugin installed and still I got this warning yesterday. Is this a real attack? I mean, did the attacker actually get into my server, or is it just a warning from my firewall about a vulnerability scan?

    How do you guys manage to fix it?

    Thanx!

  24. esmi
    Theme Diva & Forum Moderator
    Posted 2 years ago #

    If you do not have this plugin, then you do not have the same issue. Please post your own topic.

  25. hfpon
    Member
    Posted 2 years ago #

Topic Closed

This topic has been closed to new replies.
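
The question that recurs in this thread, whether an alert is a blind probe or a real compromise, can be checked from the server side. The following is an added example, not code from any poster or from the plugin's authors: it classifies access-log requests to the plugin's `upload.php` by response status and lists script files under an uploads directory. The Combined Log Format, the function names, the verdict labels and the sample log lines are assumptions made for this example.

```python
import re
from pathlib import Path
from urllib.parse import urlsplit, parse_qs

# Assumes Apache/nginx Combined Log Format; verdict labels are this example's own.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
ENDPOINT = "/wp-content/plugins/1-flash-gallery/upload.php"
SCRIPT_EXT = {".php", ".phtml", ".php5", ".phar"}

def triage(lines):
    """Return (ip, verdict) for every request aimed at the plugin's upload.php."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        # Collapse "//" first; urlsplit would read "//wp-content" as a host name.
        url = urlsplit(re.sub(r"/{2,}", "/", target))
        if not url.path.endswith(ENDPOINT):
            continue
        wants_php = "php" in parse_qs(url.query).get("fileext", [])
        if status in ("403", "404"):
            verdict = "probe-rejected"       # plugin absent or request blocked
        elif status.startswith("2") and method == "POST" and wants_php:
            verdict = "investigate-uploads"  # endpoint answered an upload attempt
        else:
            verdict = "review"
        hits.append((ip, verdict))
    return hits

def script_files(upload_root):
    """List server-side scripts and htaccess files under an uploads directory."""
    root = Path(upload_root)
    return sorted(
        p.relative_to(root).as_posix() for p in root.rglob("*")
        if p.is_file() and (p.suffix.lower() in SCRIPT_EXT
                            or p.name.lower().lstrip(".") == "htaccess"))

# Constructed sample lines; IPs come from the documentation range 203.0.113.0/24.
REQ = "/wp-content/plugins/1-flash-gallery/upload.php?action=uploadify&fileext=php"
SAMPLE = [
    f'203.0.113.7 - - [23/Sep/2011:08:47:26 +0000] "POST {REQ} HTTP/1.1" 404 312',
    f'203.0.113.9 - - [23/Sep/2011:08:47:31 +0000] "POST /{REQ} HTTP/1.1" 200 17',
    '203.0.113.9 - - [23/Sep/2011:08:47:40 +0000] "GET /index.php HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A `probe-rejected` verdict matches the case of sites that never had the plugin installed; an `investigate-uploads` verdict is the cue to run `script_files` against `wp-content/uploads`.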
