Support » Fixing WordPress » WordPress 4.7.1 “Hacked by NG689Skw”

  • Resolved A

    (@khurramar)


    Straight to the point. Just yesterday evening, my website had a successful hacking attempt in years. It seemed not to harm extensively and only had the latest blog post modified with “hacked by NG689Skw” in the title and in the content body.

    Yes it’s my mistake that I had not updated to 4.7.2 (due to whatever reason) but I’m not sure if only this update would have protected my website from this hack as I see a bundle of search results relating to that hack on various website attempted previously or recently. You can search on Google with the keyword “hacked by NG689Skw” or just “NG689Skw”. Some have fixed the pages but some are still there.

    Curiosity is that how could the attempt was limited to only editing a blog post title and the content. That too in only the most recent blog post? I also found this factor in many sites affected with the hack found in search results – that only the recent post was titled exactly I posted above.

    I then downloaded the database and searched for the keyword (in bulk backup queries). It was not found anywhere else. I just recovered the blog post from previous revisions.

    But the concern is that there still could be footprints or back doors remained which I am having difficulty to find. Tried tools like Exploit Scanner, Sucuri etc. but they didn’t seem to help right to the point as they result in many false positives.

    I thought to share the critical experience here with others as well as to find help or advice to seek presence of malicious code or content more effectively than these tools do.

    Also read my other concern which I am not sure could be related to this hack or not.
    https://wordpress.org/support/topic/wordpress-auto-updated-to-previous-version-as-4-0-13%e2%80%8f/

Viewing 10 replies - 16 through 25 (of 25 total)
  • One of my sites was also hacked. Only the first post (title and body) was hacked with new content. Hacked title said “HaCkeD By MuhmadEmad”.

    I deleted the post and reposted the overwritten post. About 6 hours later it reappeared, once again overwritting the first post.

    This same hack appeared in the last couple days across many sites worldwide (ZDnet, National Treasury Management Agency, Dutch, Belgian, and other European sites).
    If you google, “HaCkeD By MuhmadEmad”, you’ll find hundreds of pages that have been hacked. I don’t know if they are all WordPress sites.

    I was on 4.7.1 for both hacks. Currently on 4.7.2 and trying to figure out how the hack worked while I see if it reappears.

    Any insight would be greatly appreciated.

    I have seen this happen on two different WordPress sites now. I also can find no modified files or malicious code. Sucuri scan is clean, including a paid server side sucuri scan. I think this is either a user account password that was hacked or wordpress software update fix. Both sites were running 4.7.1 but not 4.7.2.

    I think you should change all of your user account passwords and update wordpress software and plugins. Run a sucuri scan and make sure wordpress security plugin is configured.

    This definitely looks like the culprit good find on this one thank you
    https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html

    The only WP sites I have seen this hack on are running 4.7.0 or 4.7.1. 4.7.2 resolves the vulnerability. Sounds like the hack was created by the release of 4.7

    I had the same problem but don’t use any of those plugins. I had these activated:

    Add Meta Tags
    Akismet
    Autoptimize
    Custom Content Width
    Enhanced Text Widget
    iThemes Security
    Jetpack
    Optimize Database after Deleting Revisions
    Responsive Lightbox
    Simply Static
    Tablepress
    TinyMCE Advanced
    Yoast SEO

    @su1 You were lucky you found a grey hat hacker. By the way, it’d help if you changed iThemes Security for Wordfence or a paid Sucuri version.

    @khurramar Executable files could be masked as images or something else. Install Wordfence and run a scan. It will check every file in every folder.

    WordPress did issue several direct (and a bit indirect) statements:
    https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
    https://codex.wordpress.org/Version_4.7.2#List_of_Files_Revised.
    https://make.wordpress.org/core/2017/02/01/disclosure-of-additional-security-fix-in-wordpress-4-7-2/

    @one4saken Look for the comment of damien_vancouver at https://make.wordpress.org/core/2017/02/01/disclosure-of-additional-security-fix-in-wordpress-4-7-2/

    @rchrisbishop If WordPress, plugins and themes were not updated to their latest versions, all these could be doors of entry. Delete any theme or plugin you don’t use and check if any of the remaining ones has been left without maintenance. If so, try to replace them. Also change iThemes Security for Wordfence or a paid Sucuri version.

    thanks idearius. Why should someone use Wordfence instead of iThemes?

    It seems with all the security plugins, there are a few options that I prefer not to implement.

    First thing you should do is install wordfence then turn on automatic wp updates.

    I added this to my wpconfig.php file
    define( ‘WP_AUTO_UPDATE_CORE’, minor );

    This will update the security minor updates straight away.

    I don’t want this happening again

    @rchrisbishop You’re welcome. This will answer your question: https://www.wordfence.com/blog/2016/12/wordpress-security-buyers-guide/

    Best.

    same problem happened here on on 4.7. a few hours ago.
    I confirm that no files were changed (compared with full files backup) and only the last post was “hacked” with previous revision still present.

    Crawling a bit through Apache logs, I see weird IP address from Linux doing this:
    POST //wp-json/wp/v2/posts/4929

    I noticed that an empty user name is listed in the “Current Revision by…” text.

    My plan of action: 1) updat to 4.7.2 (and hope for the best) and 2) restore previous revision of the post…

    Hope to hear from WordPress soon on the matter.

    Moderator Steve Stern

    (@sterndata)

    If you are not on 4.7.2 YOU ARE VULNERABLE. That’s all there is to it!

    Delete that post, update to 4.7.2 immediately.

Viewing 10 replies - 16 through 25 (of 25 total)
  • The topic ‘WordPress 4.7.1 “Hacked by NG689Skw”’ is closed to new replies.