Title: 1-flash-gallery – Executable File Upload Attack
Last modified: August 20, 2016

---

# 1-flash-gallery – Executable File Upload Attack

 *  [Amado.Miami](https://wordpress.org/support/users/amadomiami/)
 * (@amadomiami)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/1-flash-gallery-executable-file-upload-attack/)
 * Not certain if this is the right place to post this.
 * Getting warning across all my sites for this “1-flash-gallery” plugin
   Web Page: www…………../wp-content/plugins/1-flash-gallery/upload.php?action=uploadify&fileext=php
   Warning: URL may contain dangerous content!
   Offending IP: 80.243.174.25
   Offending Parameter: $_FILE = index.bak.php
 * This may be a “Executable File Upload Attack.”
 * Do not even have this plugin installed, would be wary of installing this plugin.

Viewing 15 replies - 1 through 15 (of 24 total)


 *  Moderator [Ipstenu (Mika Epstein)](https://wordpress.org/support/users/ipstenu/)
 * (@ipstenu)
 * 🏳️‍🌈 Advisor and Activist
 * [14 years, 8 months ago](https://wordpress.org/support/topic/1-flash-gallery-executable-file-upload-attack/#post-2319401)
 * Where are you getting this warning from? Just visiting your site or what?
 *  Thread Starter [Amado.Miami](https://wordpress.org/support/users/amadomiami/)
 * (@amadomiami)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/1-flash-gallery-executable-file-upload-attack/#post-2319406)
 * [http://www.seoegghead.com/software/wordpress-firewall.seo](http://www.seoegghead.com/software/wordpress-firewall.seo)
 * WordPress Firewall Plugin
 *  Thread Starter [Amado.Miami](https://wordpress.org/support/users/amadomiami/)
 * (@amadomiami)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/1-flash-gallery-executable-file-upload-attack/#post-2319407)
 * Only administrator on the site sees the warning, not a user visiting the site.
   I administer about 80 wordpress sites and have seen this come across almost all
   of them.
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/1-flash-gallery-executable-file-upload-attack/#post-2319408)
 * Also at [http://wordpress.org/extend/plugins/wordpress-firewall/](http://wordpress.org/extend/plugins/wordpress-firewall/)
 *  Moderator [Ipstenu (Mika Epstein)](https://wordpress.org/support/users/ipstenu/)
 * (@ipstenu)
 * 🏳️‍🌈 Advisor and Activist
 * [14 years, 8 months ago](https://wordpress.org/support/topic/1-flash-gallery-executable-file-upload-attack/#post-2319412)
 * And to be clear, you _do not_ have [http://wordpress.org/extend/plugins/1-flash-gallery/](http://wordpress.org/extend/plugins/1-flash-gallery/)
   installed? Did you verify the files aren’t on your server?
 *  Thread Starter [Amado.Miami](https://wordpress.org/support/users/amadomiami/)
 * (@amadomiami)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/1-flash-gallery-executable-file-upload-attack/#post-2319413)
 * I have not installed this plugin on any of the sites which are issuing the warnings.
   I will check at the server level to ensure it does not exist there.
 *  Moderator [Ipstenu (Mika Epstein)](https://wordpress.org/support/users/ipstenu/)
 * (@ipstenu)
 * 🏳️‍🌈 Advisor and Activist
 * [14 years, 8 months ago](https://wordpress.org/support/topic/1-flash-gallery-executable-file-upload-attack/#post-2319414)
 * I don’t see anything in the plugin itself that would do this, though arguably
   if someone tried to use it to upload a file named index.bak.php, that could raise
   red flags.
 * > Offending IP: 80.243.174.25
 * Wonder who that is…
 *  Thread Starter [Amado.Miami](https://wordpress.org/support/users/amadomiami/)
 * (@amadomiami)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/1-flash-gallery-executable-file-upload-attack/#post-2319416)
 * Shows it as coming from “Austria”, yet the validity of that can be hard to tell
 *  Moderator [Samuel Wood (Otto)](https://wordpress.org/support/users/otto42/)
 * (@otto42)
 * WordPress.org Admin
 * [14 years, 8 months ago](https://wordpress.org/support/topic/1-flash-gallery-executable-file-upload-attack/#post-2319418)
 * The most recent version of the 1-flash-gallery plugin has already patched against
   this vulnerability.
 *  [flash gallery](https://wordpress.org/support/users/flash-gallery/)
 * (@flash-gallery)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/1-flash-gallery-executable-file-upload-attack/#post-2319563)
 * Yes, we’ve fixed that bug in 1.6.0 version
 *  [SirZooro](https://wordpress.org/support/users/sirzooro/)
 * (@sirzooro)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/1-flash-gallery-executable-file-upload-attack/#post-2319567)
 * Query in [RIPE Database](http://apps.db.ripe.net/search/query.html) shows that
   IP belongs to ITandTEL DSL Network. Query results include contact info too – 
   you can use it to contact ITandTEL admin.
 *  Moderator [Ipstenu (Mika Epstein)](https://wordpress.org/support/users/ipstenu/)
 * (@ipstenu)
 * 🏳️‍🌈 Advisor and Activist
 * [14 years, 8 months ago](https://wordpress.org/support/topic/1-flash-gallery-executable-file-upload-attack/#post-2319599)
 * So … the odds are someone’s trying to attack your site, from that IP, using that
   file, which doesn’t exist on your server anyway.
 * Sounds like a repeat of what the idiots did with timthumb. I would consider turning
   your server’s firewall to stop it. I use CSF, which has a tool called ‘Connection
   Tracking’ that can help.
 *  [saminmt](https://wordpress.org/support/users/saminmt/)
 * (@saminmt)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/1-flash-gallery-executable-file-upload-attack/#post-2319779)
 * I got this warning this morning, emailed to me as “Alert from WordPress Firewall
   on website.com”:
 * WordPress Firewall has detected and blocked a potential attack!
   Web Page: website.com//wp-content/plugins/1-flash-gallery/upload.php?action=uploadify&fileext=php
   Warning: URL may contain dangerous content!
   Offending IP: 213.144.230.22 [ Get IP location ]
   Offending Parameter: $_FILE = index.bak.php
 * This may be a “Executable File Upload Attack.”
 * Click here for more information on this type of attack.
 * If you suspect this may be a false alarm because of something you recently did,
   try to confirm by repeating those actions. If so, whitelist it via the “whitelist
   this variable” link below. This will prevent future false alarms.
 * Click here to whitelist this variable.
    Click here to turn off these emails. 
   Repeated warnings for similar attacks are currently sent via email, click here
   to suppress them.
 *  [Rev. Voodoo](https://wordpress.org/support/users/rvoodoo/)
 * (@rvoodoo)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/1-flash-gallery-executable-file-upload-attack/#post-2319780)
 * Do you have that plugin installed?
 * Just reread this thread…. it’s possibly someone just blindly trying to exploit
   your site
 *  Moderator [Ipstenu (Mika Epstein)](https://wordpress.org/support/users/ipstenu/)
 * (@ipstenu)
 * 🏳️‍🌈 Advisor and Activist
 * [14 years, 7 months ago](https://wordpress.org/support/topic/1-flash-gallery-executable-file-upload-attack/#post-2319781)
 * They did the same thing with TimThumb :/ I ended up tossing in a block on my 
   firewall.
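
The alerts quoted in this thread can be triaged in bulk when many sites report them. The following is an added example, not part of the original thread and not code from either plugin: it parses the alert fields shown above and checks them against a per-site plugin inventory, using the 1.6.0 fix version stated in the thread. The sample alert, the `installed` inventory mapping, the extension list and the verdict labels are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs

# Extensions a PHP-enabled server may execute (assumed list for this example).
EXECUTABLE_EXT = {"php", "php3", "php4", "php5", "phtml", "phar"}
FIXED_IN = {"1-flash-gallery": (1, 6, 0)}  # fix release named in the thread

ALERT_RE = re.compile(
    r"Web Page:\s*(?P<url>\S+)\s+Warning:.*?"
    r"Offending IP:\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*?"
    r"Offending Parameter:\s*\$_FILE\s*=\s*(?P<file>\S+)",
    re.S,
)

# Constructed sample in the alert layout quoted in the thread.
SAMPLE_ALERT = """WordPress Firewall has detected and blocked a potential attack!
Web Page: example.com//wp-content/plugins/1-flash-gallery/upload.php?action=uploadify&fileext=php
Warning: URL may contain dangerous content!
Offending IP: 203.0.113.7
Offending Parameter: $_FILE = index.bak.php
"""

def parse_alert(text):
    """Extract source IP, targeted plugin and uploaded file name from one alert."""
    m = ALERT_RE.search(text)
    if not m:
        return None
    path, _, query = m["url"].partition("?")
    slug = re.search(r"/wp-content/plugins/([^/]+)/", path)
    # Check both the requested extension filter and the real (last) extension,
    # so a name like index.bak.php is still treated as PHP.
    exts = {e.lower() for e in parse_qs(query).get("fileext", [])}
    exts.add(m["file"].rsplit(".", 1)[-1].lower())
    return {"ip": m["ip"], "plugin": slug.group(1) if slug else None,
            "file": m["file"], "executable": bool(exts & EXECUTABLE_EXT)}

def triage(alert, installed):
    """installed: plugin slug -> version string for the site (hypothetical inventory)."""
    if alert is None or not alert["executable"]:
        return "ignore"
    version = installed.get(alert["plugin"])
    if version is None:
        return "probe-only"      # plugin absent: blind scan, nothing to hit
    fixed = FIXED_IN.get(alert["plugin"])
    if fixed is None:
        return "review"          # installed, but no known fix version on record
    have = (tuple(int(p) for p in re.findall(r"\d+", version)) + (0, 0, 0))[:3]
    return "patched" if have >= fixed else "update-now"

if __name__ == "__main__":
    print(triage(parse_alert(SAMPLE_ALERT), {"1-flash-gallery": "1.5.9"}))
```

A `probe-only` verdict matches the situation described in the thread, where the targeted plugin is not installed on the site raising the alert.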


The topic ‘1-flash-gallery – Executable File Upload Attack’ is closed to new replies.

 * In: [Requests and Feedback](https://wordpress.org/support/forum/requests-and-feedback/)
 * 24 replies
 * 12 participants
 * Last reply from: [hfpon](https://wordpress.org/support/users/hfpon/)
 * Last activity: [14 years, 4 months ago](https://wordpress.org/support/topic/1-flash-gallery-executable-file-upload-attack/page/2/#post-2319859)
 * Status: not resolved

