• Resolved inndesign

    (@inndesign)


    Despite closed relays on the server, a hardware firewall, and all the other precautions of a quality dedicated server, the one WordPress 4.0 website with NextGEN Gallery has been hacked for spamming, even under version 2.0.66.29, for the last three months.

    The current script was found at /home/account/public_html/wp-content/plugins/nextgen-gallery/products/inc.php; it was being POSTed to in order to send mail: [13/Oct/2014:08:24:14 -0500] "POST /wp-content/plugins/nextgen-gallery/products/inc.php HTTP/1.1" 200 65 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"

    30 IPs were posting to it, using the website as a spam-generating workstation. We have the top techs at Wiredtree.com monitoring the problem, but NextGEN continues to be breached without use of account passwords, despite all safeguards.

    The breach and activity are done in such a way as to evade malware scans and user and colocation-center awareness. We found it only because our ability to send 30 emails was blocked due to server limits being reached.

    Simply a warning for anyone researching: NextGEN Gallery is being effectively exploited by Chinese hackers for the purpose of spamming from multiple IPs, to the demise of your domain integrity, email load and assigned IP.

    https://www.ads-software.com/plugins/nextgen-gallery/
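    One way a defender can spot the pattern described in this post (many source addresses POSTing directly to a PHP file inside a plugin directory) is to run a small check over the web server's access log. The following is an added example, not code from the original poster or from NextGEN Gallery; it assumes the Apache/nginx "combined" log format, and the sample lines are constructed (RFC 5737 documentation addresses), reusing only the request path quoted above.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format (an assumption; adjust the pattern if
# the host uses a custom LogFormat).
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Normal WordPress traffic is routed through index.php, wp-login.php,
# wp-admin/ (including admin-ajax.php) and xmlrpc.php. A POST aimed straight
# at a .php file shipped inside a plugin, theme or the uploads directory is
# unusual on most sites and worth a closer look.
SUSPECT_PREFIXES = ("/wp-content/plugins/", "/wp-content/themes/",
                    "/wp-content/uploads/")

# Constructed sample log lines. Only the request path and user agent in the
# inc.php lines come from the thread; addresses are RFC 5737 test addresses.
SAMPLE_LINES = [
    '203.0.113.5 - - [13/Oct/2014:08:20:01 -0500] "GET /wp-content/plugins/nextgen-gallery/js/ngg.js HTTP/1.1" 200 5120 "http://example.invalid/" "Mozilla/5.0"',
    '203.0.113.6 - - [13/Oct/2014:08:21:10 -0500] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "http://example.invalid/wp-admin/" "Mozilla/5.0"',
    '203.0.113.10 - - [13/Oct/2014:08:24:14 -0500] "POST /wp-content/plugins/nextgen-gallery/products/inc.php HTTP/1.1" 200 65 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"',
    '203.0.113.11 - - [13/Oct/2014:08:24:15 -0500] "POST /wp-content/plugins/nextgen-gallery/products/inc.php HTTP/1.1" 200 65 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"',
    '203.0.113.12 - - [13/Oct/2014:08:24:17 -0500] "POST /wp-content/plugins/nextgen-gallery/products/inc.php?x=1 HTTP/1.1" 200 65 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"',
    'this line is not in combined format and is skipped',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def is_suspect(entry):
    """True for a POST whose path (query string removed) is a .php file in wp-content."""
    path = entry["path"].split("?", 1)[0]
    return (entry["method"] == "POST"
            and path.lower().endswith(".php")
            and path.startswith(SUSPECT_PREFIXES))


def find_suspect_posts(lines):
    """Map each suspect PHP path to the sorted list of distinct source IPs that POSTed to it."""
    hits = defaultdict(set)
    for line in lines:
        entry = parse_line(line)
        if entry and is_suspect(entry):
            hits[entry["path"].split("?", 1)[0]].add(entry["ip"])
    return {path: sorted(ips) for path, ips in hits.items()}


if __name__ == "__main__":
    for path, ips in find_suspect_posts(SAMPLE_LINES).items():
        print(f"{len(ips)} source IP(s) POSTed to {path}: {', '.join(ips)}")
```

    Run against a real log (`find_suspect_posts(open("access.log"))`), the count of distinct IPs per path is the telling number: one legitimate plugin endpoint sees ordinary visitor traffic, whereas a file being driven as a mail relay sees the fan-in the poster describes. Some plugins do accept direct POSTs by design, so treat a hit as a prompt to compare the file against the plugin's original package rather than as proof of compromise.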

Viewing 6 replies - 16 through 21 (of 21 total)
  • I have the same issues. It comes back after cleaning the hacked PHP files. PHP backdoors are written in the nextgen-gallery folder, and I suspect at this point it's a hole in this plugin.
    Still, I exclude the possibility that the plugin package has been modified, since we are all probably downloading it from trusted sites.

    Difficult to prove this, btw. But very probable.
    I'll send you a pcap file in which the NextGEN Gallery PHP backdoor called by the hacker is visible. Still wondering how those PHP files are written. I am considering this plugin not safe for now, sorry. Will find some other gallery for now.

    Plugin Contributor photocrati

    (@photocrati)

    @spectrum70 – This is an old topic, and even though we have not seen any proof related to the details noted in this topic, we have released several versions with security updates since it was started.

    If you are still experiencing problems please feel free to start your own topic or send us a Bug Report as appropriate.

    Thanks!

    – Cais.

    +1. Have some problems.
    I have 15 sites on 1 account on my hosting.
    And I have some problems with alien PHP files in different places on 3 of the 15 sites. On all 3 of these sites NGG by photocrati is installed.
    Something seems to be wrong. Sorry guys, but if a few people speak about problems, it is necessary to consider them.
    I see no other solution than to renounce the use of the plug-in. Sorry.

    Plugin Contributor photocrati

    (@photocrati)

    @smiler777 – Unfortunately we still have not received any proof or information related to the issue at hand … NextGEN Gallery is a very commonly found plugin, but we are not aware of any security issue that would allow what is being described to happen.

    – Cais.

    Hello Web-Admins here,
    to eradicate the bad scripts it's not sufficient at all to delete the plugin where you found (one of) the scripts.
    It's known that this kind of attack spreads its code through the whole WordPress installation. Not only in separate files, but also in existing files of the core, themes and plugins, and even in the database!
    The entrance for the spammers might be a plugin, a theme, the core, but also a WordPress or FTP account with a bad password.
    So it makes absolutely no sense to accuse a specific plugin if you have no evidence in the (original!) code of this plugin.
    First of all you should clean your complete installation. Use plugins like the above mentioned "Anti-Malware and Brute-Force Security by ELI" and/or others like "AntiVirus" by Sergej Müller, "Exploit Scanner" by Donncha O Caoimh, …
    Then protect your WordPress with plugins like "Limit Login Attempts" by Johan Eenfeldt, "NinjaFirewall (WP edition)" by The Ninja Technologies Network (very much recommended!), "SF Author Url Control" by Grégory Viguier, "Snitch" by Sergej Müller, "SX User Name Security" by Daniel Roch, Julio Potier and SecuPress, …
    And, last but not least, change all your passwords (WordPress, FTP, …) and never use your WordPress admin account to write posts.
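    The advice in this post (clean the complete installation, because the injected code spreads into core, themes and plugins) is much easier to follow with a file-integrity baseline taken from a known-clean copy of the same versions. The following is an added example, not code from any poster in this thread or from WordPress: it hashes every file under a WordPress root, diffs the result against a stored baseline, and additionally flags PHP files under wp-content/uploads, which should only ever hold media. The `demo()` function builds a small constructed tree in a temporary directory instead of touching a real site.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        h = hashlib.sha256()
        with p.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        digests[p.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def save_baseline(digests, path):
    """Persist a baseline as JSON; keep it OFF the web host it describes."""
    Path(path).write_text(json.dumps(digests, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def diff_baseline(baseline, current):
    """Report files added, removed or changed relative to the baseline."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "changed": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def php_in_uploads(paths):
    """wp-content/uploads holds media only; any .php file there is a finding."""
    return sorted(p for p in paths
                  if p.startswith("wp-content/uploads/") and p.lower().endswith(".php"))


def demo():
    """Constructed walkthrough: baseline a tiny fake install, then alter it and diff."""
    with tempfile.TemporaryDirectory() as site, tempfile.TemporaryDirectory() as store:
        root = Path(site)
        clean_files = {  # constructed stand-ins for real WordPress files
            "wp-includes/version.php": "<?php\n$wp_version = '4.0';\n",
            "wp-content/plugins/example-plugin/example-plugin.php": "<?php\n// plugin code\n",
            "wp-content/uploads/2014/10/photo.jpg": "not really a jpeg\n",
        }
        for rel, text in clean_files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text)

        baseline_path = Path(store) / "baseline.json"
        save_baseline(hash_tree(root), baseline_path)

        # Simulate the kind of changes the poster describes: a core file edited
        # in place and a new PHP file dropped into the uploads tree.
        (root / "wp-includes/version.php").write_text("<?php\n$wp_version = '4.0';\n/* appended */\n")
        (root / "wp-content/uploads/2014/10/unexpected.php").write_text("<?php\n// should not be here\n")

        current = hash_tree(root)
        report = diff_baseline(load_baseline(baseline_path), current)
        report["php_in_uploads"] = php_in_uploads(current)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

    The baseline has to come from a trusted source, for example a fresh download of the same WordPress, theme and plugin versions, not from the site after it has already been behaving oddly, or the comparison silently enshrines the compromise. For core files specifically, WP-CLI's `wp core verify-checksums` performs the same comparison against the official checksums. Neither covers the database, so the poster's point about cleaning it still stands.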

    Plugin Contributor photocrati

    (@photocrati)

    @bhenselmann – Thanks for sharing a lot of great tips and ideas!

    – Cais.

  • The topic ‘NextGEN Gallery Hacked by Spammers’ is closed to new replies.