1-flash-gallery – Executable File Upload Attack

Viewing 15 replies - 1 through 15 (of 24 total)
  • Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Lead Plugin Wrangler

    Where are you getting this warning from? Just visiting your site or what?

    Only the administrator on the site sees the warning, not a user visiting the site. I administer about 80 WordPress sites and have seen this come across almost all of them.

    esmi

    (@esmi)

    Forum Moderator

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Lead Plugin Wrangler

    And to be clear, you do not have http://wordpress.org/extend/plugins/1-flash-gallery/ installed? Did you verify the files aren’t on your server?

    I have not installed this plugin on any of the sites which are issuing the warnings. I will check at the server level to ensure it does not exist there.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Lead Plugin Wrangler

    I don’t see anything in the plugin itself that would do this, though arguably if someone tried to use it to upload a file named index.bak.php, that could raise red flags.

    Offending IP: 80.243.174.25

    Wonder who that is…

    Shows it as coming from “Austria”, yet the validity of that can be hard to tell.

    The most recent version of the 1-flash-gallery plugin has already patched against this vulnerability.

    Yes, we’ve fixed that bug in version 1.6.0.

    Query in RIPE Database shows that IP belongs to ITandTEL DSL Network. Query results include contact info too – you can use it to contact ITandTEL admin.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Lead Plugin Wrangler

    So … the odds are someone’s trying to attack your site, from that IP, using that file, which doesn’t exist on your server anyway.

    Sounds like a repeat of what the idiots did with timthumb. I would consider turning your server’s firewall to stop it. I use CSF, which has a tool called ‘Connection Tracking’ that can help.

    I got this warning this morning, emailed to me as “Alert from WordPress Firewall on website.com”:

    WordPress Firewall has detected and blocked a potential attack!
    Web Page: website.com//wp-content/plugins/1-flash-gallery/upload.php?action=uploadify&fileext=php
    Warning: URL may contain dangerous content!
    Offending IP: 213.144.230.22 [ Get IP location ]
    Offending Parameter: $_FILE = index.bak.php

    This may be a “Executable File Upload Attack.”

    Click here for more information on this type of attack.

    If you suspect this may be a false alarm because of something you recently did, try to confirm by repeating those actions. If so, whitelist it via the “whitelist this variable” link below. This will prevent future false alarms.

    Click here to whitelist this variable.
    Click here to turn off these emails.
    Repeated warnings for similar attacks are currently sent via email, click here to suppress them.

    Do you have that plugin installed?

    Just reread this thread…. it’s possibly someone just blindly trying to exploit your site

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Lead Plugin Wrangler

    They did the same thing with TimThumb :/ I ended up tossing in a block on my firewall.

  • The topic ‘1-flash-gallery – Executable File Upload Attack’ is closed to new replies.
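
One way to triage a web server access log for the requests these alerts describe, separating blind probes against a plugin that is not installed from hits on a site where `upload.php` actually answers. This is an added example, not part of the thread or of either plugin; the log lines are constructed, and the combined log format, the extension list and the function name `triage` are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample lines in "combined" log format, using documentation IP ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2012:06:14:02 +0000] "POST //wp-content/plugins/1-flash-gallery/upload.php?action=uploadify&fileext=php HTTP/1.1" 404 512 "-" "-"
203.0.113.7 - - [12/Mar/2012:06:14:03 +0000] "POST /wp-content/plugins/1-flash-gallery/upload.php?action=uploadify&fileext=php HTTP/1.1" 404 512 "-" "-"
198.51.100.9 - - [12/Mar/2012:07:01:44 +0000] "POST /wp-content/plugins/1-flash-gallery/upload.php?action=uploadify&fileext=PHP HTTP/1.1" 200 31 "-" "-"
192.0.2.15 - - [12/Mar/2012:07:05:10 +0000] "GET /wp-content/plugins/1-flash-gallery/upload.php?action=uploadify&fileext=jpg HTTP/1.1" 200 31 "-" "-"
192.0.2.15 - - [12/Mar/2012:07:06:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
UPLOAD_PATH = "/wp-content/plugins/1-flash-gallery/upload.php"  # path from the alert
EXEC_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar"}  # assumption: server-executed types


def triage(log_text):
    """Count executable-upload attempts per source IP.

    "probe": the server answered 404, so the plugin file is absent (the case in the thread).
    "investigate": any other status, meaning upload.php exists; confirm the plugin is at
    least 1.6.0 (the fixed version named in the thread) and check for unexpected files.
    """
    hits = defaultdict(lambda: {"probe": 0, "investigate": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Split by hand: urlsplit() would read the alert's "//wp-content" as a hostname.
        path, _, query = m["target"].partition("?")
        path = re.sub(r"/{2,}", "/", path)
        if not path.endswith(UPLOAD_PATH):  # endswith also covers subdirectory installs
            continue
        requested = set()
        for value in parse_qs(query).get("fileext", []):
            requested.update(re.findall(r"[a-z0-9]+", value.lower()))
        if requested & EXEC_EXTS:
            bucket = "probe" if m["status"] == "404" else "investigate"
            hits[m["ip"]][bucket] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, counts in sorted(triage(SAMPLE_LOG).items()):
        print(ip, counts)
```

Addresses that only ever land in the "probe" bucket match the thread's conclusion of blind scanning and are candidates for a firewall block; any "investigate" count means the endpoint is live on that site.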