For those who don’t know, Z-Up is a free public file uploader I launched in mid-2008. It’s been redesigned several times throughout the years, but the idea’s remained the same. Upload a file, get a link, done. It never really got much traction amongst the public, being used mostly for uploading dicks and stick figures to forums. However, it has proved to be a useful tool for my own purposes, my own little cloud, if you will.
I use it a lot for sharing ideas with bandmates, or design mockups with clients. For that, it’s a perfect little tool. I’m also pretty glad that it never got super popular, because at the time I was making it, I knew very little about the costs of running a big website.
Recently, Z-Up’s been hacked numerous times by some foreign script kiddies. At first, they simply placed popups, which I promptly removed. The latest breach completely took down the homepage and deleted all of the uploads. I apologize for the inconveniences this may have caused for those who relied on Z-Up to host stuff, but it was mostly out of my control. I was planning on cleaning out the uploads folder anyway; these guys just did it in a much more crude manner.
*Update:* I’ve fixed the security hole, and Z-Up’s back up and running. The hack was a basic extension exploit, whereby the “hacker” uploaded an exploit script with a name such as image.php.png. It would bypass the uploader’s extension checker, and then the “hacker” would be able to use the script from a browser. In this case, it was a server file browser script, so they had pretty much free rein over the server. After deleting every last one of these files (this guy tucked them into every corner of the server), I secured the uploads directory by disallowing scripts to run, using an .htaccess file. I used the word hacker in quotes because this was a freely available exploit script, which means this “hacker” is nothing more than a script kiddie. On the positive side, Z-Up’s more secure now, and I did a bit of cleaning on my server, removing old (and potentially vulnerable) installs of Movable Type, Expression Engine, and Chyrp.
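As an added illustration (not Z-Up's actual code, which this post does not show), the Python sketch below contrasts a check that looks only at the last extension, and so accepts a name like image.php.png, with a stricter check that rejects script extensions in any dotted segment and stores the file under a server-generated name. The extension lists and function names are assumptions made for the example.

```python
import secrets

# Assumed policy for this sketch: extensions the uploader accepts, and
# extensions a typical Apache/PHP host may map to a script handler.
ALLOWED = {"png", "jpg", "jpeg", "gif", "txt", "pdf", "zip", "mp3"}
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pl",
               "py", "cgi", "asp", "aspx", "jsp", "sh", "shtml", "htaccess"}


def naive_check(filename):
    """The weak check: only the text after the last dot is inspected."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED


def strict_check(filename):
    """Accept only if the final extension is allowed AND no other dotted
    segment names a script type (with AddHandler-style mappings, Apache's
    mod_mime can act on any extension in the name, not just the last)."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]  # drop client path
    if "\x00" in name or name.startswith("."):
        return False
    parts = [p.lower().strip() for p in name.split(".")]
    if len(parts) < 2 or not parts[0]:
        return False
    if parts[-1] not in ALLOWED:
        return False
    return not any(p in SCRIPT_EXTS for p in parts[1:])


def stored_name(filename):
    """Server-chosen name: random stem plus one vetted extension, so nothing
    else from the client-supplied name reaches the filesystem."""
    if not strict_check(filename):
        raise ValueError("rejected upload name: %r" % filename)
    ext = filename.rsplit(".", 1)[-1].lower().strip()
    return secrets.token_hex(8) + "." + ext


if __name__ == "__main__":
    # Constructed sample names; image.php.png is the pattern from the post.
    samples = ["mockup.png", "image.php.png", "demo.tar.zip", "shell.PHP"]
    for sample in samples:
        print(sample, naive_check(sample), strict_check(sample))
```

Filename checks like this complement, rather than replace, disabling script execution in the uploads directory as described above.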
I’m still debating on whether to password-protect Z-Up, because I really don’t need people uploading stupid internet memes to it all the time.