{"id":30,"date":"2013-06-11T15:58:39","date_gmt":"2013-06-11T15:58:39","guid":{"rendered":"https:\/\/beta.smarthost.eu\/blog\/?p=30"},"modified":"2019-02-28T21:54:24","modified_gmt":"2019-02-28T21:54:24","slug":"break-ins-on-the-server-through-the-leaky-openflashchart-script","status":"publish","type":"post","link":"https:\/\/www.smarthost.au\/blog\/break-ins-on-the-server-through-the-leaky-openflashchart-script","title":{"rendered":"Break-ins on the server through the leaky OpenFlashChart script"},"content":{"rendered":"

For several days we have been observing the increased traffic of scans of our servers by bots trying to break into hosting accounts.
\nAfter the last big scan on Sunday, June 9, 2013, the break-in was successful on several accounts of our clients. After the analysis, we discovered that the accounts had an OpenFlashChart library version 1.x installed, which has an error that allows remote uploading files to the server.
\n<\/span>The error is that when the files are uploaded through the script, the type of files is not checked, so instead of graphics (for which this script is used) executable files can be uploaded.
\nUploaded files that we analyzed scan the account for configuration files of popular services like Joomla, WordPress, etc.
\nAfter scanning the entire server for this “leaky” library, we detected that it’s installed on many accounts, of which the authors of the pages were not entirely aware – the library was just installed while installing other components.
\nAn example of the location of this “leaky” file installed as a Joomla component:<\/span><\/p>\n

public_html\/administrator\/components\/com_jinc\/classes\/graphics\/php-ofc-library\/ofc_upload_image.php
\n<\/span><\/p>\n

As part of the popular OpenX script:
\n<\/span><\/p>\n

public_html\/openx\/www\/admin\/plugins\/videoReport\/lib\/ofc2\/ofc_upload_image.php<\/p>\n

If the functionality is not used, the easiest solution to protect your website is to delete this file.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

For several days we have been observing the increased traffic of scans of our servers by bots trying to break into hosting accounts. After the last big scan on Sunday, June 9, 2013, the break-inContinue reading<\/a><\/p>\n","protected":false},"author":16,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[59,9,8,15],"tags":[60,67,47,65,66],"class_list":["post-30","post","type-post","status-publish","format-standard","hentry","category-break-in-analysis","category-joomla","category-security","category-security-leak","tag-break-in-analysis","tag-file-upload","tag-joomla-break-in","tag-opemx","tag-openflashchart"],"_links":{"self":[{"href":"https:\/\/www.smarthost.au\/blog\/wp-json\/wp\/v2\/posts\/30","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.smarthost.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.smarthost.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.smarthost.au\/blog\/wp-json\/wp\/v2\/users\/16"}],"replies":[{"embeddable":true,"href":"https:\/\/www.smarthost.au\/blog\/wp-json\/wp\/v2\/comments?post=30"}],"version-history":[{"count":2,"href":"https:\/\/www.smarthost.au\/blog\/wp-json\/wp\/v2\/posts\/30\/revisions"}],"predecessor-version":[{"id":100,"href":"https:\/\/www.smarthost.au\/blog\/wp-json\/wp\/v2\/posts\/30\/revisions\/100"}],"wp:attachment":[{"href":"https:\/\/www.smarthost.au\/blog\/wp-json\/wp\/v2\/media?parent=30"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.smarthost.au\/blog\/wp-json\/wp\/v2\/categories?post=30"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.smarthost.au\/blog\/wp-json\/wp\/v2\/tags?post=30"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}