• I had a few trojans on the site and thought I got rid of them but the same thing happens every 2 hours – the permissions are reset, and the site footer and sidebar are rewritten to host spam.

    This is sort of an aftermath of an Islamic terrorist hit over Superbowl weekend, which I repaired.

    I have been getting hit pretty hard by Eastern European countries and Islamic nations.

    Besides Wordfence are there other great security addons? Nextgen gallery might have been the backdoor, sad to say. The error logs point to it and it's been a culprit in the past.

    I am managing okay but I have stuff to do today and can't babysit the site anymore.

Viewing 9 replies - 1 through 9 (of 9 total)
  • Moderator James Huff

    (@macmanx)

    Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    I’m sorry to hear your site is being attacked. Let’s hope that the plugin you suspect was the only point of access. This comment is likely very obvious to you but you have to remove all the malware before any security measures are going to be effective.

    I just use Wordfence and on sites where I am the only one logging in, I also use Stealth Login Page. The name may be misleading. It simply adds an additional login authorization code. I only use it because it adds one more variable to the login process. I do a front facing virus scan every day and a server side virus scan every week. They run on schedule without fail.

    My sites receive a fair amount of hacking effort. Seldom a day goes by without at least one site causing a page of emails from Wordfence.

    The really hard part is making sure you found all the malware after a hack. Unless you do a full restore from a known good backup, there is always a possibility of a reinfection.

    And yes, I have been hacked. I once left an outdated forum hanging around. Access was through this old script. And once via FTP.

    Good luck!

    @ningishzidda – We take security very seriously with NextGEN Gallery as well as any other Photocrati product. If you have error logs that specifically prove NextGEN Gallery is creating a vulnerability we want to see them as soon as possible.

    Simply send us a Bug Report at https://nextgen-gallery.com/report-bug and we will get back to you as soon as we can. We will want to see the error logs as well, please note you are able to provide them in your Bug Report.

    Thanks!

    – Cais.

    Maybe you should use a reverse proxy like Cloudflare and block the IP address.

    Thread Starter ningishzidda

    (@ningishzidda)

    That’s nice to hear photocrati, your plugin is very valuable to me and I will reinstall it when I stabilize.

    You can take a look at a partial error log leftover from earlier I have. Remember that this is not ONE person doing this. I watched the live feed and this was basically a team of people who targeted our site specifically over some grievance, using many different exploits. This just happens to be the most annoying, although not the most damaging portion of the attack. This is the tail end of what has been a really interesting Post-Superbowl weekend. I do not know anything about the earlier attacks as I have not had a breath to take a look.

    But first I’ll tell you what was occurring while the errors were happening, and I can give you access to the full logs if you like, but I’d have to find them first as I am an amateur.

    First the site would get broken into, permissions changed, adverts go up.

    I take them down, change the permissions.

    The error log THEN reports this:

    [removed]

    After this string, the process repeats itself. The permissions are changed, the popups go back up.

    I delete the Yillix and Bidsweeper code out of sidebar and footer, and change the permissions back.

    Repeat about 10-20 minutes later. (by the way my admin name is not really admin, do not worry)

    Now where am I at now?

    I switched themes to 2015, as it is the safest theme you can get. I deleted Gamepress, because it did not update with the latest upgrade. Our leader is really attached to the theme but it has java built into it for some damned reason. The exploits appeared to be targeting NextGen gallery java and the Gamepress theme java.

    My ex-husband who was in IT used to say, “It’s always [removed] java!” Before screaming. He became a cop after ten years in IT and Security because he was so sick of this stuff. Don’t know how true that is but it does appear to be some java exploit they are using.

    I have no idea what it is. My webhost got back to me and offered to harden the site for $45 which was nice, so I took the offer and I am going to see what they do. I hardened WHM as best I could and scanned my computer again but nothing dangerous was found.

    So far it’s holding, the 2015 theme has been up for an hour. I am stripped down to very few plugins right now.
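The cycle described in the post above (permissions changed, spam inserted into the sidebar and footer, cleaned up, then repeated a short while later) is exactly what a file-integrity baseline is for: take the baseline right after a clean restore, then re-check from cron so the next rewrite is reported within minutes instead of being noticed by hand. The script below is an added example and is not part of this thread or of any plugin mentioned in it. It assumes a Linux host with GNU coreutils (`stat -c`, `sha256sum`, `mktemp`), a baseline that is non-empty and stored outside the docroot, and that the docroot and baseline paths are passed as arguments; the function names `wp_snapshot` and `wp_compare` and the sample paths in the comments are chosen here.

```shell
#!/bin/sh
# Added example (not from this thread): record a baseline of mode, owner and
# SHA-256 for the PHP/JS/.htaccess files under a WordPress docroot, then report
# anything that changed. Assumes GNU coreutils (stat -c, sha256sum) on Linux.
#
# Usage (paths are placeholders; run the compare step from cron):
#   wp_snapshot /var/www/html > /var/lib/wp-baseline.tsv    # right after a clean restore
#   wp_compare  /var/lib/wp-baseline.tsv /var/www/html      # exit status 1 = changes found

# One tab-separated line per file:  mode:owner <TAB> sha256 <TAB> path
wp_snapshot() {
    find "$1" -type f \( -name '*.php' -o -name '*.js' -o -name '.htaccess' \) -print |
    sort |
    while IFS= read -r f; do
        mode=$(stat -c '%a:%U' "$f")
        sum=$(sha256sum "$f" | cut -d ' ' -f 1)
        printf '%s\t%s\t%s\n' "$mode" "$sum" "$f"
    done
}

# Compare a saved baseline against the live tree. Prints one line per change
# (NEW / REMOVED / MODE / CONTENT) and returns 1 if anything differs, else 0.
# A MODE line shows old -> new as mode:owner, so a chmod 777 or a file that
# changed owner is reported even when its contents are unchanged.
wp_compare() {
    baseline="$1"
    dir="$2"
    current=$(mktemp)
    wp_snapshot "$dir" > "$current"
    rc=0
    awk -F '\t' '
        # pass 1: load the baseline keyed by path
        FILENAME == ARGV[1] { base_mode[$3] = $1; base_sum[$3] = $2; next }
        # pass 2: walk the live snapshot
        !($3 in base_mode) { print "NEW      " $3; n++; next }
        base_mode[$3] != $1 { print "MODE     " $3 " " base_mode[$3] " -> " $1; n++ }
        base_sum[$3]  != $2 { print "CONTENT  " $3; n++ }
        { delete base_mode[$3] }
        END { for (p in base_mode) { print "REMOVED  " p; n++ }; exit (n > 0) }
    ' "$baseline" "$current" || rc=$?
    rm -f "$current"
    return "$rc"
}
```

Because the baseline lists every file the attacker would have to touch to re-insert the spam (theme footer and sidebar templates, dropped PHP files, loosened permissions), a non-zero exit from `wp_compare` is the signal to restore from the known-good copy and look for the access path that was missed, rather than deleting the injected markup by hand again.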

    Thread Starter ningishzidda

    (@ningishzidda)

    Here’s the code they were inserting in sidebar:

    [removed]

    Moderator James Huff

    (@macmanx)

    @ningishzidda, photocrati asked for the security issue to be reported privately via https://nextgen-gallery.com/report-bug so I have removed the log details and code.

    If this is actually a security issue with the plugin, there is absolutely no reason to publicly tell the rest of the world how to exploit it.

    From what I saw, it definitely sounds like you have a backdoor exploit somewhere, but what you included in the logs is just your server security reporting a concern with the plugin, not really indicative of an exploit. To be honest, you can see similar “has been disabled for security reasons” in the error logs of any setup, there’s always something somewhere a hosting provider won’t allow, and a well-coded plugin will just fallback to another method.

    Another clarification, I know your husband means well, but it's not always Java. Many of the plugin exploits recently have been PHP. There is nothing in the error logs or the code you posted that would suggest a Java exploit. It still could be Java, but just an important point that we should never put on blinders when pursuing a security concern.

    With all that said though, I’ll leave this to photocrati and the rest of the NGG crew for final judgement when you contact them privately.

    As for your site now, I recommend carefully following this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    Thread Starter ningishzidda

    (@ningishzidda)

    [Expletive] xst let me just log into the cp and haX0r infested darknet, WHERE I CAN ACTUALLY TALK ABOUT WORDPRESS AND THINGS RELATING TO WORDPRESS.

    Moderator James Huff

    (@macmanx)

    I’m not sure what the outburst is about, we’re all just volunteers trying to help you out.

    If you go to any software circle, they’ll ask you to not disclose security vulnerability details publicly, it endangers everyone using the software.

    Support for NGG has asked you to contact them privately, so please respect their wishes.

  • The topic ‘Hackers changing permissions without using admin accounts, and rewriting’ is closed to new replies.