EDIT: I highly recommend to any user, to either remove this script until a fix can be made. The file that is being affected and used is /mygallerybrowser.php?. The creator (page translated from German to English) of the plugin updated today and said to upgrade to the latest version, or deactivate the plugin.
Earlier today I received an e-mail from “WaLhEZ” as follows:
Hi, i am visit you site, and see the problem with and I have seen that you have bug that even allows that somebody ill-disposed one can enter your host and provocate damage, obtaining pass of your FTP, dates baseÃ¢â‚¬Â¦ etc the problem this in plugin mygallery, specifically in the file mygallerybrowser.php. This it is an example of as they can enter your servant and daÃƒÂ±arte watches: wp-content/plugins/ mygallery/myfunctions /mygallerybrowser.php?myPath=(website)? And I communicate this to him, so that it fixes it, this bug I have discovered I to it, and I want to communicate it to it so that they are not going to him to damage his blog, that by the way this very pretty. I wait for its answerÃ¢â‚¬Â¦ And it pardons my English is not very good. Contacme and I see as I can help him.
Upon receiving his e-mail, I didn’t know whether it was hoax, as I knew I didn’t have MyGallery plugin activated, though I did have it under my /plugins/ directory. Though upon accessing it via the url he had included in his e-mail, I was able to go to the file under the directory, though with some PHP errors. I then went ahead and CHMODd the files so that they couldn’t be accessed, and then deleted it from my server since I’m not using it.
After deleting it I also went through my access logs and errors logs but didn’t see too much activity other then what matched his IP address and what matched my IP address in regards to the access URL and plugin directory. Though all day today I’ve had a lot of hits coming from google searches for “inurl:/mygallery/myfunctions” (and from various languages too like es, it, co.ma, and com.tr) without the quotes. I’ve also had quite a bit of hits from a hacking forum, Tryag.com/CC (the link is a direct link to the thread.) Unforutnately the only way to view what is on that forum is by registering and I believe it’s turned off. I didn’t run it through a translator, but I figured that’s what the message was saying.
I’m going to look more into this, but if you’re using this plugin, definitely keep an eye out. If you or someone else is using this plugin, feel free to link them to this entry. I’ll be updating it through the day(s) when I come across more information on the issue.