NextGEN Gallery
NextGen Gallery and Malware (11 posts)

  1. toonmstr1
    Member
    Posted 2 years ago #

    On 2 sites now, I've experienced a Malware issue coming from what I believe is malicious code within the NextGen Gallery Plugin (latest version).

    It inserts an iframe into all index.php pages and is coming from / redirecting to pokosa.com, a well known Malware site.

    I've quarantined both sites, cleaned up the code, and deleted the plugin. Everything is working well now, with no signs of Malware. I'd like to know:

    1. Has anyone else had issues with the NextGen plugin?
    2. Are there plans on getting a clean version of the plugin available? If so, when?

    It WAS a great plugin, and I'd love to use it again.

    Any help/advice would be greatly appreciated! Thanks!
    --toon

    http://wordpress.org/extend/plugins/nextgen-gallery/

  2. breslinv
    Member
    Posted 2 years ago #

    I have the exact same thing. Trying to fix it now. Don't have NextGen on my main site but may be on some older versions.

  3. toonmstr1
    Member
    Posted 2 years ago #

    After cleaning up the code, changing all passwords, and getting things back up and running, I wanted to start adding back in the latest versions of all of the plugins I use.

    The very first plugin that I added back in was NextGen Gallery. Immediately had Malware warnings again. I deleted the plugin and things went back to normal. No Malware warnings. My only guess is that somehow the plugin has been compromised.

    Hopefully someone can shed some light on the issue.

  4. designerken
    Member
    Posted 1 year ago #

    I am having the same issue and it is the only plug-in I have activated.

  5. designerken
    Member
    Posted 1 year ago #

    I have tried to add a blank index.php to the gallery folder as well as updated the .htaccess file to disable directory browsing. See this link: http://www.livehacking.com/tag/nextgen-gallery/

    Would be nice if a NextGen rep would let us know what is going on with their plug-in

  6. photocrati
    Member
    Plugin Author

    Posted 1 year ago #

    Hi everyone,

    We just responded on another thread regarding malware issues. Please see our response here: http://wordpress.org/support/topic/plugin-nextgen-gallery-_transient_ngg_request-entry-in-wp_options?replies=15

    If you're getting malware notifications, that may be why, and if so, it's not anything serious to worry about and we've proposed a short term solution there until the next update.

    Some of the issue descriptions above seem a bit different, so I'm also forwarding this to our team to confirm there's not another issue of some kind. I'll respond here again once our dev team has had a look.

    Thanks,
    Erick

  7. photocrati
    Member
    Plugin Author

    Posted 1 year ago #

    Hey all,

    Just wanted to follow up. We're wondering if there may be two issues going on here. The iframe issue clearly seems to be a hack. But we also know some users are getting malware notifications because of some old code linking to a NextGEN donor site that has since been hacked (http://wordpress.org/support/topic/plugin-nextgen-gallery-_transient_ngg_request-entry-in-wp_options?replies=15).

    We want to confirm whether the malware notices described above are related to or are separate from your original iframe hacking issue.

    @toonmstr1 - can you try the solution we suggested in the thread above to see if that removes your malware notifications? If it does, it just means the malware notifications are related to the hacked donor site in that thread, and don't represent a serious threat.

    @kcharity - can you confirm that you're seeing the same iframe issue as @toonmstr1 originally described, vs just seeing malware notifications? If you are seeing that issue, you'll probably want to do as @toonmstr1 did and delete your NextGEN Gallery plugin files to remove the hack.

    Unfortunately, even if you are seeing the same hack, there's no obvious reason to assume that hack used a vulnerability within NextGEN code. It's just as likely that the symptom could be found in the NextGEN code but the problem rooted elsewhere. We'd need to have some kind of more specific information that would help us pinpoint a genuine vulnerability in NextGEN.

    If @toonmstr1 removes his malware notifications by following the directions in the thread, that means that any malware notifications aren't related to a security vulnerability either.

    The one thing that would really suggest a problem is if @toonmstr1 goes through the solution in that thread, and still finds that malware notifications still appear only when NextGEN Gallery is activated.

    Thanks. If you have any other information that's useful for us, let us know.

    Erick

  8. toonmstr1
    Member
    Posted 1 year ago #

    I was able to remedy the issue when I first encountered it by installing an older version of the plugin. I believe it's 1.9.2. I only encountered the Malware issue when I updated.
    Seems to have been issue free since.

  9. designerken
    Member
    Posted 1 year ago #

    Hi Erick.

    I was not getting an iframe. I was having a JavaScript that was inserting a weblink to a page that was blacklisted. I only have 1 plug-in active and that was NGG. It seemed that every time my client uploaded images that it was trying to inject the code. I made a child theme with a couple functions and a template file as well as a CSS file. The only page that was getting injected with the CSS file. An easy fix. But could not figure it out when it would come back the next time images were uploaded.

    I did a fresh install of WP, went through the database and found that the code was injected into a Text widget. After that was cleared it seems to be ok. I still have not added back NGG though and was looking to use a different gallery plug-in. But have not found one nearly to my liking as NGG is.
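
Added example, not part of the thread and not NextGEN Gallery code: a file-integrity check for the two symptoms reported above, an iframe inserted into index.php files (post 1) and an injected script linking to a blacklisted page (post 9). The function names, the allowlist and the hosts `malicious.example` and `example.org` are assumptions made for illustration.

```python
import os
import re
import tempfile
from urllib.parse import urlsplit

# src attribute of an <iframe> or <script> tag in raw PHP/HTML text.
TAG_SRC = re.compile(
    r"<(iframe|script)\b[^>]*?\ssrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)

def external_embeds(text, allowed_hosts):
    """Return (tag, host) for each iframe/script src on a host not allowed."""
    hits = []
    for tag, src in TAG_SRC.findall(text):
        try:
            host = (urlsplit(src).hostname or "").lower()
        except ValueError:
            host = "<unparseable>"  # malformed URL: report it, do not skip it
        if not host:
            continue  # relative URL, served by the site itself
        if not any(host == a or host.endswith("." + a) for a in allowed_hosts):
            hits.append((tag.lower(), host))
    return hits

def scan_index_files(root, allowed_hosts):
    """Walk root and report external embeds found in each index.php."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if "index.php" not in files:
            continue
        path = os.path.join(dirpath, "index.php")
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = external_embeds(fh.read(), allowed_hosts)
        if hits:
            report[os.path.relpath(path, root)] = hits
    return report

def demo():
    """Scan a constructed two-file site tree (sample data, not from the thread)."""
    clean = "<?php // Silence is golden.\n"
    bad = clean + '<iframe src="http://malicious.example/x" width="1"></iframe>\n'
    with tempfile.TemporaryDirectory() as root:
        for rel, body in (("index.php", bad), ("wp-content/index.php", clean)):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_index_files(root, {"example.org"})

if __name__ == "__main__":
    print(demo())
```

`external_embeds` can also be run on text exported from the database, such as the Text widget content mentioned in post 9. It does not match tags written with backslash-escaped quotes inside PHP strings.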

  10. photocrati
    Member
    Plugin Author

    Posted 1 year ago #

    @toonmstr1: If you just experience a malware issue when updating, just be aware that it's probably not a real/serious malware issue. It's probably as I noted that there's a link to a former donor to NextGEN whose site was hacked and blacklisted. If that's the issue causing a malware notice, it doesn't represent a vulnerability and shouldn't be visible in any way to your front end visitors.

    Downgrading to 1.9.2 is fine as a short term solution, but you can't stay there forever. Even as it is, by sticking with 1.9.2 you're missing a number of genuine security updates that were included in subsequent updates. So you'll want to update again at some point.

    @kcharity: Your issue definitely sounds like the issue with the donor list and donor's site that got hacked. If you want to keep NG installed as normal and fix the problem, just follow the fix in that other thread (http://wordpress.org/support/topic/plugin-nextgen-gallery-_transient_ngg_request-entry-in-wp_options?replies=15).

    Thanks!
    Erick

  11. michaelbyers681
    Member
    Posted 1 year ago #

    I am experiencing difficulty downloading NGG, and am getting the following message: Destination folder already exists. /hermes/bosweb/web247/b2474/ipg.cornerstonepdcom/wp-content/plugins/nextgen-gallery/

    What do I need to do to make this work?

Topic Closed

This topic has been closed to new replies.
