Another Russian Invasion – WordPress Uploadify Targeted

Today I woke up to see hundreds of alerts on my firewall. Today it seems that the WordPress plugin Uploadify is being hammered for an old vulnerability. According to SEO Egg Head, who created the firewall that I use, most of these current attacks are coming from Izhevsk Udmurt in the Russian Federation. Of course, they could come from anywhere!

Here are some URLs that have been hit this morning:

Plugins with Uploadify

  • /wp-content/plugins/uploadify/includes/process_upload.php
  • /wp-content/plugins/uploader/uploadify.php
  • /wp-content/plugins/qr-color-code-generator-basic/QR-Color-Code-Generator/uploadify/uploadify.php
  • /wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
  • /wp-content/plugins/pods/js/uploadify.php
  • /wp-content/plugins/nmedia-user-file-uploader/js/uploadify/uploadify.php
  • /wp-content/plugins/motorcycle-inventory/uploadify/uploadify.php
  • /wp-content/plugins/wordpress-member-private-conversation/js/uploadify/uploadify.php
  • /wp-content/plugins/wpmarketplace/uploadify/uploadify.php
  • /wp-content/plugins/lbg-vp2-html5-bottom/js/uploadify/uploadify.php
  • /wp-content/plugins/kish-multi/uploadify/scripts/uploadify.php
  • /wp-content/plugins/image-symlinks/uploadify/uploadify.php
  • /wp-content/plugins/html5avmanager/lib/uploadify/custom.php
  • /wp-content/plugins/gpress/gpress-admin/fieldtypes/image_upload/scripts/uploadify.php
  • /wp-content/plugins/1-flash-gallery/js/uploadify/uploadify.php
  • /wp-content/plugins/squace-mobile-publishing-plugin-for-wordpress/uploadify.php
  • /wp-content/plugins/annonces/includes/lib/uploadify/uploadify.php
  • /wp-content/plugins/apptivo-business-site/inc/jobs/files/uploadify/uploadify.php
  • /wp-content/plugins/bulletproof-security/admin/uploadify/uploadify.php

Themes with Uploadify

  • /wp-content/themes/fresh_trailers/uploadify.php
  • /wp-content/themes/aim-theme/lib/js/old/uploadify.php
  • /wp-content/themes/zcool-like/uploadify.php
  • /wp-content/themes/pronto/cjl/pronto/uploadify/uploadify.php
  • /wp-content/themes/wpnavigator/scripts/uploadify.php
  • /wp-content/themes/fresh_trailers_v2/uploadify.php
  • /wp-content/themes/wp-eden/admin/uploadify/uploadify.php

Plus a lot more. Get the idea? If you have a plugin that has Uploadify built in, you are at risk of being hacked. Uploadify is suffering a similar attack to the one we saw on TimThumb earlier. But what is it?
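To tell scanning noise from a probe that actually reached an Uploadify handler, the access log can be triaged as in this added example (not part of the original post). It assumes the common/combined log format; the log lines and the `example-gallery` plugin name are constructed.

```python
import re
from collections import Counter

# Any PHP file under a plugin or theme whose path mentions "uploadify",
# which covers uploadify.php as well as process_upload.php and custom.php.
PROBE = re.compile(r"^/wp-content/(?:plugins|themes)/[^?\s]*uploadify[^?\s]*\.php", re.I)
# Assumption: common/combined access-log format; adjust for your server.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def triage(lines):
    """Return (probe count per client IP, requests where the handler answered)."""
    per_ip, answered = Counter(), []
    for line in lines:
        m = LINE.match(line)
        if not m or not PROBE.match(m.group(3)):
            continue
        ip, method, path, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
        per_ip[ip] += 1
        # 403/404: file absent or blocked. Anything else: the file exists
        # and responded, so that plugin or theme needs checking first.
        if status not in (403, 404):
            answered.append((ip, method, path.split("?")[0], status))
    return dict(per_ip), answered

# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [02/Jul/2013:06:01:11 +0000] "GET /wp-content/plugins/uploader/uploadify.php HTTP/1.1" 404 312 "-" "-"',
    '203.0.113.7 - - [02/Jul/2013:06:01:12 +0000] "GET /wp-content/themes/wpnavigator/scripts/uploadify.php HTTP/1.1" 404 312 "-" "-"',
    '203.0.113.7 - - [02/Jul/2013:06:01:13 +0000] "POST /wp-content/plugins/example-gallery/js/uploadify/uploadify.php?t=1 HTTP/1.1" 200 1 "-" "-"',
    '198.51.100.4 - - [02/Jul/2013:06:02:40 +0000] "GET /wp-content/plugins/html5avmanager/lib/uploadify/custom.php HTTP/1.1" 403 199 "-" "-"',
    '192.0.2.10 - - [02/Jul/2013:06:03:00 +0000] "GET /wp-content/uploads/2013/07/photo.jpg HTTP/1.1" 200 48211 "-" "-"',
]

if __name__ == "__main__":
    counts, answered = triage(SAMPLE)
    for ip, n in sorted(counts.items()):
        print(f"{ip}: {n} Uploadify probes")
    for ip, method, path, status in answered:
        print(f"CHECK {path} answered {status} to {method} from {ip}")
```

Any path reported under CHECK belongs to a plugin or theme that is installed and reachable, so it is the first place to look.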

What is Uploadify?

Uploadify is a jQuery plugin that provides a way to upload files to a WordPress blog without having to use the Media Upload in the admin area: a “front end” uploader.

From their website:

“HTML5 or Flash Multiple File Upload jQuery Plugin Script”

The plugin, or at least older versions of it, has a vulnerability that allows anyone to upload a file. This is what the hackers are sniffing out. The standard plan is to infect a site with malware and/or add SEO links to the site template files.

Why Is Uploadify a Problem?

It is the classic old WordPress problem. Uploadify is used in other plugins and themes. People create a plugin or theme, incorporate Uploadify (just like TimThumb is added to others) and then these get downloaded and used by WordPress web developers.

Unfortunately, the plugin and theme developers do not update them, but people still use them. If you use uploadify as a standalone plugin you would have received an update.

According to Uploadify.com:

“There were several major changes in version 3.0+ that helped make Uploadify more secure.  The most major of those changes was the removal of the folder option.  Exposing the upload folder on the client-side was a bad idea.  This time around, the upload folder is set in the uploadify.php file where it’s harder to discover.”

More advice on making Uploadify secure: http://www.uploadify.com/documentation/uploadify/making-uploadify-secure/

Your Solution

First, if you run a WordPress site, check for uploadify – you may have it installed as a part of a theme without realising. Check your plugins too.

Then, check the date of the last release for your theme or plugin. Make sure everything is updated, and if you have a plugin or theme which has not been updated in a long time, disable it and seek a new solution.

If you are confident with modifying files and testing, get the latest version of Uploadify from WordPress.org or Uploadify.com, replace your current uploadify directory/file (whether in a theme or in a plugin), and see if your site still works.

If you really need it but cannot replace it, you can try renaming all mentions of uploadify.php in your plugins or theme to something else (random) as the hacking attempts are all automated and will only target known files.

Add Secure WordPress and one of the WordPress Firewalls too. Read Hardening WordPress on WordPress.org.
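The first two checks above can be scripted. This added example (not from the original post) walks a `wp-content` directory, lists every PHP file under an Uploadify path with its file date, and flags handlers that read a client-supplied `folder` parameter, the option Uploadify.com says was removed in 3.0+. The `$_REQUEST['folder']` pattern is an assumed heuristic and the demo tree, including the `example-gallery` and `example-theme` names, is constructed.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Heuristic (assumption): older handlers take the upload folder from the
# request, which is the client-side "folder" option removed in 3.0+.
FOLDER_PARAM = re.compile(rb"\$_(?:REQUEST|POST|GET)\s*\[\s*['\"]folder['\"]\s*\]")

def find_uploadify(wp_content):
    """Return sorted (relative path, file date, reads_client_folder) tuples."""
    hits = []
    for root, _dirs, files in os.walk(wp_content):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, wp_content).replace(os.sep, "/")
            if not name.lower().endswith(".php") or "uploadify" not in rel.lower():
                continue
            with open(full, "rb") as fh:
                body = fh.read()
            mtime = datetime.fromtimestamp(os.path.getmtime(full), timezone.utc)
            hits.append((rel, mtime.date().isoformat(), bool(FOLDER_PARAM.search(body))))
    return sorted(hits)

def demo():
    """Scan a constructed wp-content tree; returns (path, flagged) pairs."""
    samples = {  # constructed file contents, for illustration only
        "plugins/example-gallery/js/uploadify/uploadify.php":
            b"<?php $targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';",
        "themes/example-theme/uploadify.php":
            b"<?php $uploadDir = '/uploads/'; // folder fixed on the server",
        "plugins/example-gallery/readme.txt": b"not php",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            path = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        return [(rel, flagged) for rel, _date, flagged in find_uploadify(tmp)]

if __name__ == "__main__":
    for rel, flagged in demo():
        print(f"{'REVIEW' if flagged else 'found '}  {rel}")
```

An unflagged file only means the `folder` pattern was not found; every copy listed still needs the release-date check, and the file date is a rough stand-in for the plugin or theme's last release.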

  1 comment for “Another Russian Invasion – WordPress Uploadify Targeted”

  1. Ebrahim
    July 2, 2013 at 8:59 am

    Thank you so much for this information, I now understand. I have been getting hit as per the above from the Netherlands, trying Uploadify over 100 times on my websites. I have used Wordfence to block the whole network. I will be on your blog always for more information in the future… Thank you 🙂

    Ebrahim
    South Africa Capetown
