• Resolved inndesign

    (@inndesign)


    Despite closed relays on the server, a hardware firewall, and all the other precautions of a quality dedicated server, the one WordPress 4.0 website with NextGEN Gallery has been hacked for spamming, even under version 2.0.66.29, for the last three months.

    The current script was found at /home/account/public_html/wp-content/plugins/nextgen-gallery/products/inc.php. It was being POSTed to in order to send mail: [13/Oct/2014:08:24:14 -0500] “POST /wp-content/plugins/nextgen-gallery/products/inc.php HTTP/1.1” 200 65 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)”

    30 IPs POSTed to it, using the website as a spam-generating workstation. We have the top techs at Wiredtree.com monitoring the problem, but NextGEN continues to be breached without use of account passwords, despite all safeguards.

    The breach and activity are done in such a way as to evade malware scans and user and colocation center awareness. We found it only because our ability to send 30 emails was blocked due to server limits being reached.

    Simply a warning for anyone researching, NextGEN Gallery is being effectively exploited by Chinese hackers for the purpose of spamming with multiple IPs, at the demise of your domain integrity, email load and IP assigned.

    https://www.ads-software.com/plugins/nextgen-gallery/

Viewing 15 replies - 1 through 15 (of 21 total)
  • Plugin Contributor photocrati

    (@photocrati)

    @inndesign – This is a very serious issue you are bringing to our attention but we do not have a file in the core plugin that exists based on your reference:

    The current script was found at /home/account/public_html/wp-content/plugins/nextgen-gallery/products/inc.php it was being posted to send mail: [13/Oct/2014:08:24:14 -0500] “POST /wp-content/plugins/nextgen-gallery/products/inc.php HTTP/1.1” 200 65 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)”

    Please review this; I would recommend deleting all of the contents of the /nextgen-gallery/ folder and manually uploading their replacements with a freshly downloaded copy from the WordPress Plugin repository. Technically this is almost identical to the update process used by core, so you should not see any issues with NextGEN Gallery’s functionality due to this process, but it will eliminate the existence of the referenced file above.

    Please advise how this works out for you.

    Thanks!

    – Cais.

    Thread Starter inndesign

    (@inndesign)

    Thanks very much! Yes, while you are indeed correct that inc.php was not a good example (a number of alien PHP files were in fact dropped), the server support staff were able to determine from the logs that the breach occurred in the /nextgen-gallery/ directory, despite all updates being in place at the time. Yes, it is serious and something people must be mindful of. As my developers remind me, plugins are a constant source of exploits, and we know that historically NextGEN Gallery has been an unwilling participant. I did not mean to accuse, but did want to escalate awareness about the conclusion of our recent breach.

    We did in fact immediately replace all plugins and the WP install as a normal protocol for such an exploit, along with new credentials. This hopefully is common sense among users faced with this issue.

    Plugin Contributor photocrati

    (@photocrati)

    @inndesign – Thanks for the update. IF there is anything specific in our code (or anything else related directly to our plugin) that has been identified we would greatly appreciate if that information could be sent to us directly via our Contact form (https://www.nextgen-gallery.com/contact) or feel free to email myself (cais -at- photocrati -dot- com) and I will ensure it gets to our developers immediately.

    Thanks, again!

    – Cais.

    Thread Starter inndesign

    (@inndesign)

    Back again, because it happened again, for the third time. From a third install of WordPress 4.0, with the same theme that we use on multiple sites and the same plugins, only the site hacked has NextGEN Gallery resident. The technicians leave little doubt that a Chinese hacker/spammer has found an exploit in the current version of NextGEN. It is so utterly stealthy that, unless a user receives a bounce from an outbound email reporting that the user has exceeded the outbound limit, they would not know that their site is being used as a spam machine.

    There are no SMTP logons from that account within the mail logs. Review of the SSH, FTP and cPanel logs and no malicious activity or unexpected IP access.

    By running the command (grep "cwd=/home/" /var/log/exim_mainlog | awk '{print $3}' | cut -d'=' -f2 | sort | uniq -c | sort -n) the support and forensic engineers identified the following directory as the location of the malware:

    38035 /home/account/public_html/wp-content/plugins/nextgen-gallery/products
    Php.Trojan.Spambot-1 FOUND

    The engineers replied, “To us, that’s highly indicative that something is wrong with Nextgen Gallery.”

    I am not stating any facts, but merely reporting what we are enduring. The only WordPress website out of 25 that has NextGEN Gallery keeps getting hacked for spamming from the NextGEN Gallery directory. There are no brute force or password breaches by normal means. I don’t have an answer, nor do the technicians, but after three clean installs and repeat exploits, we are going to have to dump NextGEN Gallery.

    Thanks!
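The exim_mainlog counting pipeline from the post above, re-implemented as an added example (this is not code from the thread, from the hosting engineers, or from NextGEN Gallery). It assumes the cPanel/Exim layout in which the third field of a sendmail invocation line is `cwd=<directory>`, and the log text below is constructed for the example. The second function adds the check a responder wants next: PHP under mod_php typically runs with its working directory set to the requested script's directory, so mail originating from inside a plugin, theme, upload or gallery tree means a script there was requested directly, which normal WordPress mail never does.

```python
"""Count which directories under /home/ are invoking the local mailer,
mirroring: grep "cwd=/home/" exim_mainlog | awk '{print $3}' | cut -d'=' -f2
           | sort | uniq -c | sort -n
Added example; the sample log is constructed and the layout is assumed."""
from collections import Counter
import re

# Constructed sample in the cPanel/Exim "cwd=" line layout (not a real log).
SAMPLE_EXIM_MAINLOG = """\
2014-10-13 08:24:14 cwd=/home/account/public_html/wp-content/plugins/nextgen-gallery/products 3 args: /usr/sbin/sendmail -t -i
2014-10-13 08:24:14 1XdQlO-0004Yb-Vk <= nobody@host.example U=nobody P=local S=1337
2014-10-13 08:24:15 cwd=/home/account/public_html/wp-content/plugins/nextgen-gallery/products 3 args: /usr/sbin/sendmail -t -i
2014-10-13 09:01:02 cwd=/home/account/public_html 3 args: /usr/sbin/sendmail -t -i
2014-10-13 09:05:40 cwd=/root 3 args: /usr/sbin/sendmail -t -i
2014-10-13 09:10:11 cwd=/home/account/public_html/wp-content/plugins/nextgen-gallery/products 3 args: /usr/sbin/sendmail -t -i
"""

# Same filter as the grep in the post: only working directories under /home/.
CWD_RE = re.compile(r"\bcwd=(/home/\S+)")

# Trees inside a WordPress install that should never be the cwd of a mail
# submission: a cwd here means a script in that tree was requested directly.
WP_NO_MAIL_TREES = (
    "/wp-content/plugins/",
    "/wp-content/themes/",
    "/wp-content/uploads/",
    "/wp-content/gallery/",
)


def count_sending_dirs(log_text):
    """Return a Counter mapping cwd -> number of sendmail invocations,
    restricted to directories under /home/ (the grep|awk|cut|uniq -c step)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CWD_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def suspicious_dirs(counts):
    """Directories whose mail activity is itself the finding: any cwd inside a
    plugin, theme, upload or gallery tree. Returns [(dir, count)], busiest first."""
    flagged = [(d, n) for d, n in counts.items()
               if any(tree in d for tree in WP_NO_MAIL_TREES)]
    return sorted(flagged, key=lambda dn: (-dn[1], dn[0]))


if __name__ == "__main__":
    counts = count_sending_dirs(SAMPLE_EXIM_MAINLOG)
    for directory, n in sorted(counts.items(), key=lambda dn: dn[1]):
        print(f"{n:6d} {directory}")
    for directory, n in suspicious_dirs(counts):
        print(f"SUSPICIOUS ({n} mails): {directory}")
```

The number next to the plugin directory answers "where is the spam script being executed from", not "which file was the entry point": the dropped script runs from that directory because it was requested directly, so the web server's access log for POSTs into that path is the next place to look.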

    Plugin Contributor photocrati

    (@photocrati)

    @inndesign – This is still very much a concern for us to review but from what I am seeing the latest details you are providing are still pointing essentially to the exact same place as your OP.

    As it is, please send us a Bug Report (https://www.nextgen-gallery.com/report-bug/) for this specific site and we will have a look at it as soon as we can. We will need login and FTP credentials (and possibly direct access to your database) to get a closer look at what might be happening; please include those with your Bug Report.

    Thanks!

    – Cais.

    Benjamin

    (@benjaminowens)

    the server support staff were able to determine from the logs that the breach occurred in the /nextgen-gallery/ directory

    Could you please let us know what files were determined to be responsible for the breach?

    Thread Starter inndesign

    (@inndesign)

    I am sorry. We uninstalled the plugin as mentioned above, and deleted everything related. It has become a security risk and exploit point. It has become too costly and time consuming to continue with this plugin. Thanks.

    @inndesign: just wanted to add two thoughts.

    1) I have the sense you know your stuff enough to know this, but the fact that a malicious file was found within the nextgen-gallery folder doesn’t indicate that’s where the hack took place. It could be anywhere. You can hack a site through some other theme/plugin/WP core files, and then upload a malicious file anywhere on the instance. I only mention this because it sounded like your engineers were saying that because there was a malicious file in the nextgen-gallery folder, that indicates that’s where the hack took place.

    2) If you or those you are working with do actually have some concrete data or analysis that shows the hack originated originally via NGG files, yes, absolutely send us the details.
    – FYI – @benjamin asked about which files... this is also probably obvious, but if you do have that kind of info, definitely pass it along via email or contact form to us directly rather than posting here in an open forum.

    Thanks!

    paulmfield

    (@paulmfield)

    I am having the exact same problem, same plug-in.

    Spammers are adding admin accounts to my WordPress and placing PHP files all over my site that spam email.

    I have updated to the latest and removed every file I can find, and this morning they were back in the admin console.

    Please fix this problem.

    If there are any logs I can send you, let me know.

    [email protected]

    @paulmfield – Thanks for your report. As noted for the original poster, we’d need to see some evidence of a possible exploit or security vulnerability in NextGEN Gallery. If you have that, please send us the details in a bug report https://www.nextgen-gallery.com/report-bug/ and we’ll be on it quickly.

    But to emphasize the same point we made to the original poster: the fact that you have NextGEN Gallery on a website and that website was hacked, doesn’t at all indicate that NextGEN was the source for the attack.

    That is the case even if you found malicious files within the NextGEN folder, since once your site is hacked, the hacker may put malicious files in any location.

    We do track any security reports very closely, and again if you can provide any evidence that NextGEN actually has a specific vulnerability, we’d react very quickly. But as it stands, there is no indication of a vulnerability in NextGEN that we know of. Usually if there is, we quickly find out about it from multiple sources just because NextGEN is active on so many websites.

    Thanks! (Erick)

    I manage a website security business. If you wish I’m available to provide a free confidential consult on the situation–so we may get to the bottom of this issue. My signature includes my contact information.

    (reason: I would like to know as well, since quite a few of my own customers use this quite useful gallery plugin)

    Thread Starter inndesign

    (@inndesign)

    Paulmfield, simply install the plugin “Anti-Malware and Brute-Force Security by ELI” and it will root out all malicious PHP files, those added and those manipulated. It will even purge embedded code from valid PHP files. One of our websites is back to using NextGEN without further complications, but we do keep a brute force measure in place, with the same plugin. Even if there remains some type of vulnerability in NextGEN, “Anti-Malware and Brute-Force Security by ELI” solved all our problems completely. Good luck!

    Plugin Contributor photocrati

    (@photocrati)

    @inndesign – Thanks for your follow-up and general recommendation for protecting your site.

    ALL – Please, once again, if you have any proof positive that the current NextGEN Gallery is causing a security issue on your site please report it as soon as possible via one of the following links:

    https://nextgen-gallery.com/report-bug/
    https://nextgen-gallery.com/support/
    https://nextgen-gallery.com/contact/

    We take security issues very seriously and will address all issues presented to us. Please also take into consideration these are public forums and use one of the links above to report any security related concerns.

    Thanks!

    – Cais.

    paulmfield

    (@paulmfield)

    Please give me an email address that I can send my logs to… I opened a ticket on the site.

    I have over 50 WordPress sites on my server, and this is the only one with NextGEN, and the only one that has been hacked.

    And the logs show access to files in that folder before the hacked admin accounts show up in WordPress, so one of the files in there is being exploited.

    Here are some of the files they accessed as they were getting admin rights in our wordpress site:

    195.182.142.73 [03/Mar/2015:07:24:22 +0000] POST /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/ngglegacy/lib/media-rss.php HTTP/1.1 200 238 -
    195.182.142.73 [03/Mar/2015:07:24:22 +0000] POST /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/router/interface.router.php HTTP/1.1 404 5013 -
    195.182.142.73 [03/Mar/2015:07:24:23 +0000] POST /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/mediarss/class.mediarss_controller.php HTTP/1.1 404 5013 -
    195.182.142.73 [03/Mar/2015:07:24:24 +0000] POST /wp-content/gallery/error.php HTTP/1.1 404 5013 -
    195.182.142.73 [03/Mar/2015:14:41:59 +0000] POST /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_basic_album/adapter.nextgen_basic_album_forms.php HTTP/1.1 404 5013 -
    195.182.142.73 [03/Mar/2015:14:42:02 +0000] POST /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/ngglegacy/view/imagebrowser-exif.php HTTP/1.1 200 262 -
    195.182.142.73 [03/Mar/2015:14:42:03 +0000] POST /wp-content/themes/twentytwelve/single.php HTTP/1.1 404 5013 -
    195.182.142.73 [03/Mar/2015:14:42:04 +0000] POST /wp-content/gallery/nashville-january-2011/dynamic/dir.php HTTP/1.1 404 5013 -
    195.182.142.73 [03/Mar/2015:15:44:20 +0000] POST /wp-content/gallery/second-fiddle/dynamic/page.php HTTP/1.1 404 5013 -
    195.182.142.73 [03/Mar/2015:15:44:21 +0000] POST /wp-content/themes/twentythirteen/fonts/view.php HTTP/1.1 404 5013 -
    195.182.142.73 [03/Mar/2015:15:44:23 +0000] POST /wp-content/uploads/2014/07/alias.php HTTP/1.1 200 291 -

    The 404 errors are probably files I found that had been used before and I have cleaned up, but they still managed to get in again.

    I can send entire logs sorted by IP address if needed.

    Plugin Contributor photocrati

    (@photocrati)

    @paulmfield – If you could find in your logs where the POST to wp-login was successful from one of these “unknown” IP addresses, you could then look at the requests right before it as possibly being the “giveaway” … otherwise the log files you sent to us really do not point to much more we can suggest, as there are relatively few instances of NextGEN Gallery files (as compared to other plugins noted) and those do not offer any vector we are aware of.

    Thanks again for reporting this but we are not seeing any issue directly related to NextGEN Gallery at this time … and, again, please use one of our private contact points to report any potential security risks in NextGEN Gallery. If you see this in other plugins we also strongly recommend you afford them the same courtesy of reporting the issue privately.

    – Cais.
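Two triage checks over access-log lines of the shape paulmfield posted above, written as an added example (not code from the thread, from either poster, or from NextGEN Gallery). The first lists POSTs aimed directly at a .php file under wp-content/, which is what the posted lines show: normal WordPress traffic enters through index.php, wp-login.php, xmlrpc.php and wp-admin/*.php, so a POST that executes a plugin, theme, upload or gallery file directly is either a dropped script or a plugin endpoint to verify by hand. The second does what Cais's reply asks for: it finds each successful POST to wp-login.php (WordPress answers a successful login with a 302 redirect and a failed one with the form again) and lists what that IP requested in the minutes before it. The log line layout is assumed from the post, and the sample below is constructed with documentation-range IPs; the paths mimic the posted ones.

```python
"""Triage lines of the form:
  <ip> [<timestamp>] <method> <path> HTTP/1.1 <status> <bytes> -
Added example: sample log constructed, layout assumed from the thread."""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] (?P<method>[A-Z]+) (?P<path>\S+) HTTP/\S+ "
    r"(?P<status>\d{3}) (?P<bytes>\S+)"
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample (not a real log); 203.0.113.9 plays the attacker.
SAMPLE_ACCESS_LOG = """\
203.0.113.9 [03/Mar/2015:07:24:22 +0000] POST /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/ngglegacy/lib/media-rss.php HTTP/1.1 200 238 -
203.0.113.9 [03/Mar/2015:07:24:23 +0000] POST /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/router/interface.router.php HTTP/1.1 404 5013 -
203.0.113.9 [03/Mar/2015:07:24:24 +0000] POST /wp-content/gallery/error.php HTTP/1.1 404 5013 -
203.0.113.9 [03/Mar/2015:07:25:01 +0000] POST /wp-content/uploads/2014/07/alias.php HTTP/1.1 200 291 -
203.0.113.9 [03/Mar/2015:07:25:07 +0000] POST /wp-login.php HTTP/1.1 302 0 -
203.0.113.9 [03/Mar/2015:07:25:08 +0000] GET /wp-admin/users.php HTTP/1.1 200 41210 -
198.51.100.4 [03/Mar/2015:08:00:00 +0000] GET /wp-content/plugins/nextgen-gallery/static/style.css HTTP/1.1 200 812 -
198.51.100.4 [03/Mar/2015:08:00:01 +0000] POST /wp-admin/admin-ajax.php HTTP/1.1 200 17 -
"""


def parse(log_text):
    """Parse matching lines into dicts; lines in another layout are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["when"] = datetime.strptime(rec["ts"], TS_FMT)
        records.append(rec)
    return records


def direct_php_posts(records):
    """POSTs straight at a .php file under wp-content/, in log order, as
    (ip, path, status). A 200 means the script exists and ran; a 404 is a
    path the attacker expected to still be there (a cleaned-up drop)."""
    return [
        (r["ip"], r["path"], r["status"])
        for r in records
        if r["method"] == "POST"
        and r["path"].startswith("/wp-content/")
        and r["path"].split("?", 1)[0].endswith(".php")
    ]


def requests_before_login(records, window_seconds=600):
    """For each successful wp-login POST (status 302), the same IP's earlier
    requests inside the window, as {(ip, login timestamp): [(path, status)]}."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    result = {}
    for r in records:
        if (r["method"] == "POST" and r["path"].startswith("/wp-login.php")
                and r["status"] == 302):
            earlier = [
                (p["path"], p["status"]) for p in by_ip[r["ip"]]
                if p["when"] < r["when"]
                and (r["when"] - p["when"]).total_seconds() <= window_seconds
            ]
            result[(r["ip"], r["ts"])] = earlier
    return result


if __name__ == "__main__":
    recs = parse(SAMPLE_ACCESS_LOG)
    for hit in direct_php_posts(recs):
        print("direct PHP POST:", hit)
    for key, trail in requests_before_login(recs).items():
        print("before successful login by", key)
        for path, status in trail:
            print("   ", status, path)
```

On the sample, the attacker's trail before the login is entirely POSTs to files under wp-content/, with the 200s marking scripts that are actually present; that list, not the name of the folder a file happened to be dropped in, is what answers Benjamin's question about which files were responsible. The plugin's own CSS fetch and the admin-ajax.php POST from the other address are left alone, which is the point of keying on a direct .php POST under wp-content/ rather than on the plugin directory.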

  • The topic ‘NextGEN Gallery Hacked by Spammers’ is closed to new replies.