I started getting warning emails yesterday morning from my hosting company (1and1); by the end of the day they had taken my website down.
Here’s part of the last email I got from them this morning:
1. Analysis of the attack
******************************************************************************
1.1 The hackers processed the attack through a security leak in your software
WordPress plugin: flash gallery
They misused at least the following modules or files of this software:
./mywebsite/wp-content/plugins/1-flash-gallery/upload.php
1.2 Via this security leak, the hackers have uploaded the following malicious
files to your webspace:
./mywebsite/wp-content/uploads/fgallery/20110916171543.php
./mywebsite/wp-content/uploads/fgallery/20110923084726.php
./mywebsite/wp-content/uploads/fgallery/sm3wt4.php
./mywebsite/wp-content/uploads/fgallery/htaccess
1.3 In order to impede further attacks, we have disabled these files. Please
note that part of your websites may be impaired.
1.4 We have unlocked your 1&1 webspace. Please understand that this temporary
lock was necessary to protect your security.
I did have this plugin installed until this morning, but it was not activated.
In a previous email I got from 1and1, they said that a massive number of emails were being sent from my webspace.
I hope this helps in any way.
What is your version of the plugin?
Version 1.6.2
It’s installed but currently not active
I do not have the 1-flash-gallery plugin installed. I haven’t received another notice, so I suspect it was someone checking for vulnerabilities…
saminmt – it’s possible, because we found that bug and fixed it in the 1.6.0 version
silvioribeiro – please update the plugin to version 1.7.0, and check the ./mywebsite/wp-content/uploads/fgallery/ folder permissions.
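An added example, not part of the thread and not the plugin's own code: a Python check for the uploads folder mentioned above, flagging the kinds of files the hosting company's email lists (script files, an htaccess file) plus PHP hidden in other file types and world-writable directories. The function name `audit_uploads` and the extension list are assumptions.

```python
import os
import stat
import sys

# Extensions a typical Apache/PHP host may execute (assumed list; match it to your server).
SCRIPT_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}
HTACCESS_NAMES = {".htaccess", "htaccess"}


def audit_uploads(root):
    """Return sorted (relative_path, reason) findings for an uploads tree."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        # A world-writable directory lets any local account drop files into it.
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            findings.append((rel_dir, "world-writable directory"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.normpath(os.path.join(rel_dir, name))
            ext = os.path.splitext(name)[1].lower()
            if ext in SCRIPT_EXTS:
                findings.append((rel, "script extension"))
            elif name.lower() in HTACCESS_NAMES:
                findings.append((rel, "htaccess override file"))
            else:
                # Catch PHP stored under a media extension such as .jpg.
                try:
                    with open(path, "rb") as fh:
                        if b"<?php" in fh.read(1024):
                            findings.append((rel, "PHP tag in non-script file"))
                except OSError:
                    findings.append((rel, "unreadable file"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit_uploads.py ./mywebsite/wp-content/uploads
    for rel, reason in audit_uploads(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason}: {rel}")
```

An uploads folder should normally hold only media, so every finding deserves a manual look before the file is removed.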
I do not have the 1-flash-gallery plugin installed, but I received such an attack alarm yesterday.
I do not have this plugin installed and still I got this warning yesterday. Is this a real attack? I mean, did the attacker actually get into my server, or is this just a warning from my firewall from a vulnerability scan?
How do you guys manage to fix it?
Thanx!
If you do not have this plugin, then you do not have the same issue. Please post your own topic.