Break-ins on the server through the vulnerable OpenFlashChart script

For several days we have been observing increased scanning traffic against our servers from bots trying to break into hosting accounts.
After the last big scan on Sunday, June 9, 2013, the break-in succeeded on several of our clients' accounts. On analysis we found that the accounts had the OpenFlashChart library version 1.x installed, which has a flaw that allows remote file upload to the server.
The flaw is that the upload script does not check the type of the uploaded file, so instead of images (the only thing the script is meant to receive) arbitrary files can be uploaded, including server-side scripts such as PHP that the web server will then execute.
The uploaded files we analyzed scan the account for configuration files of popular applications such as Joomla and WordPress.
After scanning the entire server for this vulnerable library, we found it installed on many accounts whose owners were not even aware of it: the library had simply been pulled in while other components were installed.
An example location of this vulnerable file, installed as part of a Joomla component:

public_html/administrator/components/com_jinc/classes/graphics/php-ofc-library/ofc_upload_image.php

And as part of the popular OpenX script:

public_html/openx/www/admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php

If the upload functionality is not used, the simplest way to protect your website is to delete this file. Note that removing the script does not remove anything that was already uploaded through it, so an account that has the file should also be checked for unfamiliar files.
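To make the server-wide scan and the cleanup repeatable, here is an added example (not the hosting provider's own tooling): a POSIX shell script that finds every copy of ofc_upload_image.php under a web root, moves the copies into a quarantine directory instead of deleting them outright, and lists PHP files newer than the quarantined script as a starting point for finding what was uploaded through it. The function names, the quarantine approach and the sample tree builder are assumptions made for this example; the sample tree reuses the two paths quoted in the post.

```shell
#!/bin/sh
# Hypothetical helper script (added example, not from the hosting provider).
# Finds copies of ofc_upload_image.php under a web root, moves them into a
# quarantine directory, and lists PHP files newer than the upload script
# (candidates for files dropped through it). Assumes POSIX sh, find and mv.

# Print every ofc_upload_image.php below $1, one per line, sorted.
find_ofc_uploaders() {
    find "$1" -type f -name 'ofc_upload_image.php' 2>/dev/null | sort
}

# Number of copies found below $1.
count_ofc_uploaders() {
    find_ofc_uploaders "$1" | wc -l | tr -d ' '
}

# Move each copy found below root $1 into quarantine dir $2, keeping its
# relative path so the account it came from stays obvious. Prints each
# quarantined path. Quarantining rather than deleting keeps evidence.
quarantine_ofc_uploaders() {
    root=$1
    qdir=$2
    find_ofc_uploaders "$root" | while IFS= read -r f; do
        rel=${f#"$root"/}
        mkdir -p "$qdir/$(dirname "$rel")"
        mv "$f" "$qdir/$rel"
        printf 'quarantined: %s\n' "$f"
    done
}

# Removing the uploader does not remove what was already uploaded through it.
# List .php files below $1 that are newer than reference file $2 (for example
# the quarantined ofc_upload_image.php) as a starting point for manual review.
list_php_newer_than() {
    find "$1" -type f -name '*.php' -newer "$2" 2>/dev/null | sort
}

# Build a constructed sample tree under $1 with the two paths named in the
# post (Joomla com_jinc and OpenX) plus one unrelated file, for testing only.
# All files are backdated so that anything created afterwards counts as newer.
make_sample_tree() {
    base=$1
    mkdir -p "$base/public_html/administrator/components/com_jinc/classes/graphics/php-ofc-library"
    mkdir -p "$base/public_html/openx/www/admin/plugins/videoReport/lib/ofc2"
    : > "$base/public_html/administrator/components/com_jinc/classes/graphics/php-ofc-library/ofc_upload_image.php"
    : > "$base/public_html/openx/www/admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php"
    : > "$base/public_html/index.php"
    find "$base" -type f -exec touch -t 201306010000 {} +
}
```

On a real server you would run `find_ofc_uploaders /home` (or whatever holds the accounts) first to see the scope, then `quarantine_ofc_uploaders /home /root/ofc-quarantine`, and finally `list_php_newer_than /home/<account>/public_html /root/ofc-quarantine/<account>/.../ofc_upload_image.php` per affected account to spot files that arrived after the vulnerable script did.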

Aleksandra
