The hosting company where one of my clients' sites is located turned one site off because of what they were telling my client was a WordPress vulnerability. Some further examination of the access logs turned up something weird.
Someone accessed /wp-content/gallery/library/thumbs/wp-thumb.php several times with arguments that showed they were executing various directory listings for wp-admin, wp-includes, and wp-content/plugins
Once they saw what plugins were installed, they started poking around in wp-dbmanager and somehow started accessing the file class.mail.php that suddenly appeared in that directory, and from there I don't know what they attempted to do, since the hosting company turned the site off a few hours later.
I'm still waiting to hear from them what behaviors they observed, but my first concern is with the wp-thumb.php script that was accessed from the thumbs directory of one of the galleries on that site. It looks like it might have somehow been added by the intruder, but I won't know for sure until I talk to someone at the hosting company about what they found.
I've looked on several other sites I have running NextGEN Gallery, and I don't see that script in any of the galleries (though the other ones I checked that are running on sites with that same hosting company are still running NGG v1.3.5 or 1.3.6), so I'm assuming that those sites are untouched as of now.
Another concern of mine is that while wp-dbmanager was installed, it wasn't an active plugin, and that has me wondering if there was a reason that it was specifically targeted.
Has anyone else seen this behavior on their sites? Is this an NGG exploit, or something related to wp-dbmanager? I know it's not a WordPress vulnerability as the host was claiming, but I'd like to know sooner rather than later if I need to either downgrade or upgrade my various sites running NextGEN Gallery.
NextGEN Gallery 1.4.3
WP-DBManager 2.50 (plugin not active)