Howdy, Stranger!
It looks like you're new here. If you want to get involved, click one of these buttons!
Categories
- All Discussions5,118
- Uploadify
- ↳ Implementation Help - Uploadify3,882
- ↳ Bugs - Uploadify685
- ↳ Feature Requests - Uploadify211
- ↳ Showcase - Uploadify85
- UploadiFive
- ↳ Implementation Help - UploadiFive133
- ↳ Bugs - UploadiFive71
- ↳ Feature Requests - UploadiFive37
This forum is a community forum meant for users of the plugin to collaborate and help solve issues with implementation, etc. Unfortunately, as the creator of the plugin, I do not have much time to attend to every request here as this is only a side project and I must work a full-time job to provide for my family. This is how I keep the Flash version free and the HTML5 version low cost.
UploadiFive 1.1.1 has been released which includes a small fix for added support on touch devices including iOS 6 devices.
Hack
-
Hi,
Yesterday morning I realized, that someone put two files on my server (sw.php and zzz.php), that were not created by me.
Checking the logs it looked like someone uploaded them via Uploadify. The scripts uploaded were identical and seam to be called Php filesman.
And you can upload/edit/delete any files on the FTP with it.
The attack seams to be automated, since they found our side with a google search. And uploaded the same script twice and did nothing but check the functionality.
So I guess there are more sites affected.
Maybe it is a configuration issue (exclude *.php)? Or it may be due to the old uploadify version I was using (last update ~ 1 year ago)
Here are the logs (by now I deleted the Uploadify script from the server):
www.gruppenunterkuenfte.de 31.214.234.4 - - [14/May/2012:01:07:58 +0200] "GET /favicon.ico HTTP/1.1" 200 4502 "http://www.gruppenunterkuenfte.de/uploadify/uploadify.swf" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.10.229 Version/11.62"
www.gruppenunterkuenfte.de 31.214.234.4 - - [14/May/2012:01:07:58 +0200] "GET /uploadify/uploadify.swf HTTP/1.1" 200 23128 "http://www.google.ru/url?sa=t&rct=j&q=&esrc=s&source=web&cd=16&ved=0CEAQFjAFOAo&url=http://www.gruppenunterkuenfte.de/uploadify/uploadify.swf&ei=wz6wT93EB8yt8QO6lOi0Dw&usg=AFQjCNFRA0o0qVCwZbK8xBd-uQkpAEOkKw&sig2=adWYKNqzPiL2VuuAptLDTg" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.10.229 Version/11.62"
www.gruppenunterkuenfte.de 31.214.234.4 - - [14/May/2012:01:15:12 +0200] "GET /uploadify/uploadify.php HTTP/1.1" 200 167 "-" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.10.229 Version/11.62"
www.gruppenunterkuenfte.de 31.214.234.4 - - [14/May/2012:01:15:26 +0200] "POST /uploadify/uploadify.php HTTP/1.1" 200 174 "http://test1.ru/z.html" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.10.229 Version/11.62"
www.gruppenunterkuenfte.de 31.214.234.4 - - [14/May/2012:01:15:30 +0200] "GET /sw.php HTTP/1.1" 200 307 "-" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.10.229 Version/11.62"
www.gruppenunterkuenfte.de 31.214.234.4 - - [14/May/2012:01:15:52 +0200] "POST /sw.php HTTP/1.1" 200 41862 "http://www.gruppenunterkuenfte.de/sw.php" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.10.229 Version/11.62"
www.gruppenunterkuenfte.de 31.214.234.4 - - [14/May/2012:01:15:55 +0200] "POST /sw.php HTTP/1.1" 200 33550 "http://www.gruppenunterkuenfte.de/sw.php" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.10.229 Version/11.62"
www.gruppenunterkuenfte.de 31.214.234.4 - - [14/May/2012:01:20:22 +0200] "GET /index.html HTTP/1.1" 200 10434 "http://www.gruppenunterkuenfte.de/" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.10.229 Version/11.62"
www.gruppenunterkuenfte.de 31.214.234.4 - - [14/May/2012:01:20:25 +0200] "GET /img-gruppenhaus/h600px/Bildungszentrum-Elstal-__t7537.jpg HTTP/1.1" 200 55391 "http://www.gruppenunterkuenfte.de/index.html" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.10.229 Version/11.62"
www.gruppenunterkuenfte.de 31.214.234.4 - - [14/May/2012:01:40:48 +0200] "GET /uploadify/uploadify.swf HTTP/1.1" 200 25643 "https://www.google.ru/url?sa=t&rct=j&q=&esrc=s&source=web&cd=38&ved=0CEQQFjAHOB4&url=https://www.gruppenunterkuenfte.de/uploadify/uploadify.swf&ei=yESwT44TxYTyA-ux2aAJ&usg=AFQjCNGAlP0IxFrCNxv4u7DCRGiJxaFD2w&sig2=YvKP_GJ5lg-1qL8gAVRqWQ" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.10.229 Version/11.62"
www.gruppenunterkuenfte.de 31.214.234.4 - - [14/May/2012:01:40:49 +0200] "GET /favicon.ico HTTP/1.1" 200 4685 "https://www.gruppenunterkuenfte.de/uploadify/uploadify.swf" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.10.229 Version/11.62"
www.gruppenunterkuenfte.de 31.214.234.4 - - [14/May/2012:01:42:01 +0200] "GET /uploadify/uploadify.php HTTP/1.1" 200 2632 "-" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.10.229 Version/11.62"
www.gruppenunterkuenfte.de 31.214.234.4 - - [14/May/2012:01:42:27 +0200] "POST /uploadify/uploadify.php HTTP/1.1" 200 452 "http://test1.ru/z.html" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.10.229 Version/11.62"
www.gruppenunterkuenfte.de 31.214.234.4 - - [14/May/2012:01:42:34 +0200] "GET /zzz.php HTTP/1.1" 200 43142 "-" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.10.229 Version/11.62" -
The exact same thing happened to me last Sunday (May 13)... I'm still figuring out the damage... I removed the Uploadify folder for now until I resolve the issue ... Did you noticed the specific files they access or if they gained access to your DB?
My current solution so far is to add a session validation on uploadify.php -
No, they did not get access to the DB. The entries in the log above are all there were. So I can tell, they just accessed the front page of their tool (most likely automated).
For me the solution was to delete the Uploadify scripts, since I'm not using it anymore for quite a time now. It was just left on the server.
