Wordfence Security - Firewall & Malware Scan support forum: Hackers able to update posts anonymously with Wordfence activated and configured

  • One of my sites has been hacked over the weekend with a couple of different results:
    – posts replaced: a couple of posts were updated with title and content showing “Hack by {a name}” and another with more content mentioning Kurdish hackers, with content relating to Peshmerga and ISIS.
    – posts updated: a couple of posts had a number of links inserted into them at various points through the content.

    The timing showing in the data does not match up with any administrator logins, and the post_author field has the value 0 (zero), suggesting these updates were done without a valid login.

    There is also nothing in the server logs that matches up with the timing of these updates.

    I have Wordfence installed and activated on the site but they have still got through.

    My biggest concern is how they got in. As far as I can tell, Wordfence is blocking anonymous access to the REST API, and it doesn’t look like the attacker went through the admin area.

    The remaining option I can see is XML-RPC. How can this be used to update items anonymously?

    Any ideas of how I can mitigate against these would be greatly appreciated.

    The site is running on IIS 7 with PHP 5.4.14. There is no outside access to the database.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Hi,

    We had the same problem yesterday. Install the WordPress 4.7.2 update very quickly. It contains a fix. The problem comes from the REST API.

    Good luck,

    Matthieu

    The 4.7.2 update was an auto-update, so the OP most likely has the latest version, unless he specifically rolled it back, which I seriously doubt.

    XML-RPC is a favorite of hackers, see if you can do without it.
    Update to the latest WordPress version.

    Atomix (@atomixdesign)

    A couple of things to check:

    • Are you running Wordfence Premium? If not, the firewall rules may be out of date (unless you’re definitely running the latest Wordfence plugin).
    • Check the Firewall page and scroll to the end of the list of rules. Does it include the latest 4.7.X rules (auth-bypass)? If not, Wordfence doesn’t have the information it needs to protect your site from these attacks.
    • Also, is the Firewall definitely active? (Does it say “Protecting” or is it still in “Learning Mode”?). We had an issue where the firewall reverted to Learning Mode after the wp-content/wflogs/ directory was accidentally deleted during a deployment.
    • Which version of WordPress are you running? Was it below 4.7.2 at the time of the attack?
    • Could it be one of your plugins? Have you tried searching for them on wpvulndb.com to see if any have known vulnerabilities?

    My previous post is still held by the forum mods; as I found the solution (more like an “explanation”), I’d like to share it with the community.
    The problem is the “CONTENT INJECTION VULNERABILITY” caused by the poor implementation of the REST API in previous versions of WP (now finally solved in 4.7.2).
    Best examples:
    1- https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
    Post from the Sucuri blog (31st January), maybe the first that defines the problem precisely
    2- https://www.exploit-db.com/exploits/41224/ – a post with Ruby code executing the mentioned “hack”
    3- http://www.securitylab.ru/blog/company/revisium/339265.php – a Russian post about the same problem that @descomputers and I had, with an even more detailed explanation.

    In short, the attack was direct to the database (without logging in to the WP dashboard), hit only the last post ID, changing only the post title, date and content.
    I’ve searched my server access logs and found 2 rows:
    IP–[date] “GET /index.php/wp-json/wp/v2/posts/ HTTP/1.1” 200 …etc
    This stole the ID of my last post.
    IP–[date] “POST/index.php/wp-json/wp/v2/posts/(post ID) HTTP/1.1” 200 …etc
    This executes above mentioned changes in post with given ID.
    Normally, the time stamps from the logs (second row) and the post_date in my table are the same.

    That’s it. I cannot guarantee that some “bad guys” have not added some more tricks to this basic one, but all who updated to WP 4.7.2 are safe.
    Those who had problems (first update WP to 4.7.2) should scan for anything strange besides the database (it is safe, just delete the affected post).
    @atomixdesign mentioned the correct Wordfence firewall rules (auth-bypass); they should be activated (both), but after the update, now with WP 4.7.2, it is not so important (I contacted WF as a premium user and they confirmed it).

    Hope this helps
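The reply above describes a two-line signature in the access log: a GET of the posts collection (to learn the latest post ID) followed shortly by a POST to that single post's REST route, both returning 200, and the original poster's database-side clue of post_author being 0. The script below is an added example written for this thread, not code from the forum, from Wordfence or from any of the linked write-ups; it correlates those two requests per client IP over a short window and flags rows without an author. The log lines, IP addresses, timestamps and post IDs are constructed, and the ten-minute window and common-log-format layout are assumptions (IIS logs would need a different regular expression).

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in common log format; IPs, timestamps, paths and
# post IDs are invented for this example and are not taken from the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Feb/2017:03:14:07 +0000] "GET /index.php/wp-json/wp/v2/posts/ HTTP/1.1" 200 8431
203.0.113.5 - - [01/Feb/2017:03:14:09 +0000] "POST /index.php/wp-json/wp/v2/posts/1337 HTTP/1.1" 200 2210
198.51.100.7 - - [01/Feb/2017:03:20:00 +0000] "GET /index.php/wp-json/wp/v2/posts/ HTTP/1.1" 200 8431
198.51.100.7 - - [01/Feb/2017:03:20:01 +0000] "GET /about/ HTTP/1.1" 200 5120
192.0.2.9 - - [01/Feb/2017:04:00:00 +0000] "POST /index.php/wp-json/wp/v2/posts/42 HTTP/1.1" 401 77
192.0.2.9 - - [01/Feb/2017:04:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Collection route (used to discover post IDs) vs. single-item route (used to modify one post).
POST_LIST_RE = re.compile(r'/wp-json/wp/v2/posts/?(?:\?.*)?$')
POST_ITEM_RE = re.compile(r'/wp-json/wp/v2/posts/(?P<id>[^/?]+)/?(?:\?.*)?$')
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
RECON_WINDOW = timedelta(minutes=10)  # assumed window between listing and write


def parse_line(line):
    """Parse one access-log line; return a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_rest_write_hits(log_text):
    """Return successful (2xx) write requests to a single-post REST route.

    Each hit records whether the same IP listed the posts collection within
    RECON_WINDOW beforehand, the two-row pattern described in the reply.
    """
    last_listing = {}  # ip -> timestamp of that IP's most recent GET of the collection
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "GET" and POST_LIST_RE.search(rec["path"]):
            last_listing[rec["ip"]] = rec["ts"]
            continue
        item = POST_ITEM_RE.search(rec["path"])
        if item and rec["method"] in WRITE_METHODS and 200 <= rec["status"] < 300:
            seen = last_listing.get(rec["ip"])
            hits.append({
                "ip": rec["ip"],
                "time": rec["ts"].isoformat(),
                "post_id": item.group("id"),
                "listed_posts_first": seen is not None and rec["ts"] - seen <= RECON_WINDOW,
            })
    return hits


def posts_without_author(rows):
    """Return IDs of wp_posts rows whose post_author is 0, the database-side
    indicator the original poster noticed. `rows` is a list of dicts as a
    SELECT ID, post_author FROM wp_posts would produce."""
    return [r["ID"] for r in rows if int(r.get("post_author", 0)) == 0]


if __name__ == "__main__":
    for hit in find_rest_write_hits(SAMPLE_LOG):
        print(hit)
```

Run it against the real access log by reading the file into `find_rest_write_hits`; a hit whose post ID matches a defaced post and whose timestamp matches that post's post_modified is the confirmation the reply describes, and the 401 row in the sample shows that the check deliberately ignores writes the site rejected.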

    Hi @descomputers and everyone!
    I just want to confirm what @mike-orange mentioned regarding the REST API vulnerability in WordPress versions 4.7.0 & 4.7.1. Two things you need to do now, in case you haven’t done so yet:
    – Update WordPress to the latest version 4.7.2
    – Restore your posts from earlier revisions.

    For more details about this vulnerability, we posted a blog post about it yesterday, followed by a new one published recently.

    Thanks.
