Support » Fixing WordPress » WordPress 4.7.1 “Hacked by NG689Skw”

  • Resolved A

    (@khurramar)


    Straight to the point. Just yesterday evening, my website had a successful hacking attempt in years. It seemed not to harm extensively and only had the latest blog post modified with “hacked by NG689Skw” in the title and in the content body.

    Yes it’s my mistake that I had not updated to 4.7.2 (due to whatever reason) but I’m not sure if only this update would have protected my website from this hack as I see a bundle of search results relating to that hack on various website attempted previously or recently. You can search on Google with the keyword “hacked by NG689Skw” or just “NG689Skw”. Some have fixed the pages but some are still there.

    Curiosity is that how could the attempt was limited to only editing a blog post title and the content. That too in only the most recent blog post? I also found this factor in many sites affected with the hack found in search results – that only the recent post was titled exactly I posted above.

    I then downloaded the database and searched for the keyword (in bulk backup queries). It was not found anywhere else. I just recovered the blog post from previous revisions.

    But the concern is that there still could be footprints or back doors remained which I am having difficulty to find. Tried tools like Exploit Scanner, Sucuri etc. but they didn’t seem to help right to the point as they result in many false positives.

    I thought to share the critical experience here with others as well as to find help or advice to seek presence of malicious code or content more effectively than these tools do.

    Also read my other concern which I am not sure could be related to this hack or not.
    https://wordpress.org/support/topic/wordpress-auto-updated-to-previous-version-as-4-0-13%e2%80%8f/

Viewing 15 replies - 1 through 15 (of 25 total)
  • Moderator Steve Stern

    (@sterndata)

    Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are two.

    A

    (@khurramar)

    Used the two you mentioned but their free tools do not seem to be giving results one should expect. For example the guide link you referred to also provide link to Sucuri for site cleaning after hack. That one when I use on the website and perform the “Clean Website” operation in Sucuri > Malware Scan, it takes a few seconds and doesn’t return anything but blank tabs with no information in it. No malware detection, Nor a clean site chit.

    Wordfence on the other hand doesn’t seem to work at all. “Start a Wordfence Scan” only shows a progress as starting when clicked. But within a few seconds (like 5 sec) it returns to the state “Start a Wordfence Scan”

    Moderator Steve Stern

    (@sterndata)

    Follow the instructions to replace *all* PHP files (basically, everything except wp-content/uploads).

    I agree with Steve in that you have to replace everything except your downloads.

    But be careful not to think that by uploading fresh versions of the files you will be done. New malicious files could still be there and untouched, so you should delete the contents of the folders first (with the exception of the wp-config.php file).

    Regarding your uploads, if possible, you could download the whole folder and scan it with your antivirus. It may not catch everything, but chances are high that it will detect malware if it is there.

    Finally, also check your database looking for unusual tables and entries.

    By the way, if you know how, check your .htaccess file, too, just in case.

    Oh, and remember to make a full backup before doing anything, and a new one when you finish.

    Best.

    I have the same issue.. but! I cannot find any changes compared to old backup (hacked title appeared day ago) so I compared all the data to “hacked” and found nothing. Also Sucuri scan found nothing. Is it just a friendly reminder from hackers?..

    Just got hacked with the same message too. I was using a wordpress security plugin but I was a few updates behind, so if someone could confirm this hack was due to a vulnerability in one of the last releases it would be nice…

    @plukash It is likely that you were hacked using that same vulnerability.

    What was “all the data” that you compared? If you used a Windows search, it may not have checked inside php files. The Sucuri scan usually scans frontend files only. If a hacker left a file that’s not linked publicly, it may not see it. Uninstall and try a Wordfence scan.

    @su1 What was the security plugin you were using? If it was Wordfence, update the WordPress core, plugins and themes, and then run a scan.

    Same thing happened to me. Installed plugins:

    Attachment Pages Redirect
    Comment Reply Notification
    Image Zoom
    Quote Comments
    SyntaxHighlighter Evolved
    Wordpress Download Monitor
    WordPress Popular Posts
    WP-Markdown
    WP-UserAgent

    Same thing happened to me.

    @idearius no it was ithemes security.

    I have updated my site and asked my hosting company to run an antivirus on my server. They didn’t find anything suspicious.

    By the way, inside the hacked post was the message “Hacked By Not Matter who am i ~ i am white Hat Hacker please update your wordpress” so updating might solve the problem.

    • This reply was modified 10 months, 1 week ago by  su1.

    I have verified, no files were modified, and there were no database changes apart from the new text of the most recent blog post.

    I am aware of this same issue on 2 sites.
    Has WordPress got a major new vulnerability?
    This should be of great concern to all and I hope we get an explanation soon.

    Same issue to me. No files involved…
    any suggestion of how to fix after update?

    A

    (@khurramar)

    WordPress 4.7.2 was patched at some rest-api vulnerability and some other stuff according to change log. I usually checkout the change log every time whenever an update is available. This was the first time I didn’t check that and only imagined the 0.1 version difference to be a slight upgrade. But I was wrong. After getting hacked, first thing I checked was the change log of 4.7.2 and it indeed listed the vulnerabilities which were present till 4.7.1.

    @idearius I indeed followed most of the things including database search by dumping the backup in SQL form and searching the keyword manually in text editors. It was clean but I still have reservations as it could have injected scripts which I am not yet sure how should I identify those.

    I always delete old and upload new files to update WordPress. But can’t do that on plugins but this time specifically I had to do it. Writing down the plugins I have, removing them all completely from the plugins folder and downloading again.

    Remaining part is the wp-content/upload. That’s the hardest part to verify. Still figuring out what should I do with that.

    I really think WordPress should release a broad statement as at what extent these vulnerabilities would have harmed. So it will be a satisfaction for people like us.

Viewing 15 replies - 1 through 15 (of 25 total)
  • The topic ‘WordPress 4.7.1 “Hacked by NG689Skw”’ is closed to new replies.