security - How is it possible for a person to upload files to a site they don't have credentials to?
2014-04
A little while ago I got this email:
hi there,
i am [name], security expert.
your website is not secured. you use a weak password. and you didnt install security to prevent hacking/malware attacks.
as proof, i upload a file: http://[site]/1337[name].html
dont worry. i didnt edit/change/delete anything of your wesbite. feel free to contact with me to fix security issue.
cheers
[name]
I checked and the file is there with the content:
hi, i upload this file to proof that your website is not secure. please check your email.
cheers
This reeks of scam and phishing (particularly the bad English), but I am spooked that this file I didn't create is up on my server.
For reference, I am using a GoDaddy shared hosting server with SSH enabled, and running a WordPress site with a bunch of subdirectories which hold various personal website projects I've worked on, a number of them using PHP for database (and old Facebook SDK) connections. The file appears to have been created by my FTP user.
How is it possible that this person put a file up on my site? How can I patch this security hole? I have already changed my (S)FTP password.
Someone can change files on your server without having any of your passwords. Injection attacks like this are very popular.
Make sure your WordPress and PHP installations are up to date. It is also possible that you have a vulnerability in a plugin or theme. Make sure they are up to date as well, and be sure to disable any plugins/themes you don't need.
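The answer above says the file was most likely written by a vulnerable script rather than with a stolen password; changing the FTP password therefore does not tell you what else was dropped. Since the asker has SSH on the host, the following is an added triage script (not part of the original question or answer, and not GoDaddy tooling) that lists what a practitioner would look at first: files changed recently, PHP files carrying the obfuscated `eval` pattern typical of web shells, and directories any local user on the shared box can write into. The document root `$HOME/public_html` is an assumption, as is the 7-day window; both can be overridden.

```sh
#!/bin/sh
# Added triage helpers for a compromised shared-hosting account.
# Assumption (not from the original post): the site lives under $HOME/public_html.
DOCROOT="${DOCROOT:-$HOME/public_html}"
DAYS="${DAYS:-7}"

# Files modified in the last N days (default 7). The attacker's calling card is
# seldom the only file that was written; look for siblings created around the same time.
recent_files() {
  find "$1" -type f -mtime "-${2:-7}" 2>/dev/null | sort
}

# PHP files containing constructs common in dropped web shells:
#   eval(base64_decode(...)) / eval(gzinflate(...)) / eval(str_rot13(...))
#   $_GET['x'](...) style "call whatever the request names" dispatchers
# A hit is a lead, not proof; some legitimate plugins trip the first pattern.
suspicious_php() {
  grep -rlE --include='*.php' \
    -e 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)' \
    -e '\$_(GET|POST|REQUEST)\[[^]]*\][[:space:]]*\(' \
    "$1" 2>/dev/null | sort
}

# Directories writable by "other". On a shared host that means every other
# customer's scripts can drop files there, regardless of your FTP password.
world_writable_dirs() {
  find "$1" -type d -perm -o+w 2>/dev/null | sort
}

# Run the three checks against DOCROOT when invoked as: sh triage.sh --run
if [ "${1:-}" = "--run" ]; then
  echo "== files modified in the last $DAYS days under $DOCROOT"
  recent_files "$DOCROOT" "$DAYS"
  echo "== PHP files with web-shell patterns"
  suspicious_php "$DOCROOT"
  echo "== world-writable directories"
  world_writable_dirs "$DOCROOT"
fi
```

Two caveats when reading the output. On many shared hosts PHP runs under the account's own user, so a file written by a vulnerable script is owned by the same user as one uploaded over FTP; ownership alone cannot tell the two apart, which is why the "created by my FTP user" observation in the question does not imply the password was used. And once a dropped PHP file exists anywhere under the document root, the attacker keeps write access after the password change until that file is found and removed, which is the point of the second check.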
I'm attempting to submit my iPhone app to iTunesConnect. The pictures loaded fine, and I picked "submit binary later" because iTunesConnect kept having the connection reset. I'm using Firefox to upload the binary. Is there any way I can see the % or data transferred of a specific file uploading, in real time? It would be great to see that the bits haven't moved in a while and manually reload the page instead of waiting for the connection to reset. Cheers
If you just want to see if bytes are still flowing, you could use tcpdump.
I don't know about Firefox, but Opera provides a meter of total uploaded data, as well as transfer rate (I think it also has percentage, but it's been a while).