Rank Math Pro - BEST WordPress SEO Tool v.3.0.60

91.240.118.111 -- The IP that you provided is pointing to Russia. Also, I believe you are from Russia too as you are using the Russian language.

Something is not right --- I can see that NinjaFirewall+ is also highlighting the theme files -- seems like the attacker is aware of the themes and plugins you are using on your site --- should have run some online test, e.g., wpthemedetector.com

I feel like the attacker is trying to directly access the plugin and theme files and the NinjaFirewall+ is blocking those requests.

You'd better test the file integrity of your site's plugins and theme by comparing them to their downloaded packages, to know whether your site is already compromised.
I am from Greece. The IP is pointing to Russia and Hong Kong; it depends on where you look.
My site is in the Greek language and my IP is Greek. Don't trust the tests because anyone can block the info.
In the last picture you can see that when I blocked the IP, he immediately looked for the specific plugin, because it's his source to regain access, but.. 😉. Also, this started from the day I installed this plugin. 2 on 2, it's not a coincidence but a fact, at least for me.
When the attacker gained access to my site, he installed a theme and various files in several locations; that's why you see these.
Also, you can see the plugin filebird pro, which is from here too. And the flatsome theme is from here. But I still believe that the rankmath did this.
 
So, what?

Everyone contributes "items" which have been purchased, then the mods approve them here.
You can check my profile too; I did not steal any of the items I shared here, all of them were purchased. But I shared them for everyone else to use, so you need to disconnect the licence checker, which is called "nulling".
I don't understand why you are arguing with me? Everyone who comes to Babiato has different goals. I support. I am not downloading files.
Nothing dangerous about using the nulled version if the package is good and if the script's author has no secret method(s) to overwrite the codes.

Sometimes, nulled version is even better than the original version especially when the callbacks are removed.
Then keep using it.
 


Have you checked your present site's files against any backup you have?
Did you check the "users" in the WP admin? Are there other admin users not created by you? If not, how can anybody install other plugins/themes unless your admin account is compromised? Or were files just uploaded because your server is compromised?

Since you are sure about theme installation and file changes -- I believe the problem is not the RankMath plugin but something else. You'd better move to another server if you can - that's what I would do 1st thing, as no others are facing the same problem.
 
You are absolutely right about this... but there are some people here who download the nulled file from somewhere else without knowing that the file has something bad in it, and that is where the problems start.

I prefer to download the nulled file from someone who paid for it and wants to share with others and does the nulling without secret agents. That's why I'm here, but unfortunately there are some very rare cases...
 
I have 5 sites on my server. On all of them I have installed the filebird from here, but the rankmath only on 3 sites. Guess... on three sites I had a virus and attacks from the same IP, and the other 2 sites without the rankmath have nothing.
So what exactly would you think in my position? 😜
 
I would think that your server is compromised and the attacker is attacking whichever site they feel like.
 
I checked the users and there was one, whom I deleted, but I don't care because I blacklisted his IP and his country.
The point here is not the security of my server but the plugin that started all these.

You have to check the timeline of the incidents. When the alien username was created. When alien files appeared on your site. When NinjaFirewall+ stopped the attacker, etc. Then you could pinpoint the starting point -- the security issue.

I have a feeling that the hacker is working from inside the server!
Is the NinjaFirewall+ running FULL WAF?
 
Also, to create a user, if you have database access is enough -- you don't need WP admin access.
 
Sometimes even the Linux user can be compromised due to a DOS password cracking attack. If you had something like CSF (ConfigServer Security and Firewall), you could stop this. But the majority of the WP users using VPS servers don't know it.

Are you on VPS? If it is a shared hosting, the problem can be wide.
 
The users have no panel access on the server. Only WordPress access. Also, the 3 users are neighbours who have no idea about these things.
The server is my own custom PC in my office. I don't do reselling.
The ninja is running full, of course.
I didn't check all of these because I just wanted to clean my server. But from what I saw and from my experience, something was wrong with this rankmath. I saved some files to check again, but the strange thing is that when I blocked him, he tried to regain access through the rankmath, and this is something that I saw in the ninjafirewall and I posted it for you to see.
 
Is your server IP hidden behind a proxy like Cloudflare? If not, not using CSF is a scary thing!
Security begins with securing the Linux admin user. So, go activate CSF.
After all, it doesn't slow down the site.

Also, CSF has an IP ban feature too, and will give a log of who is trying to hack the Linux admin and also auto-ban those abusive visitors.

Also, you must have a secure-key for the user rather than password security, and it is good if you have set a passcode for the secure-key. Search Google for info if needed.

RankMath files: are they the same as the package from Babiato or are they modified? If the files are modified, the hacker is in the system.
 
I truly truly truly appreciate that you want to help me secure my server. I will save your valuable words because for me they are a treasure.
For the rankmath files, I can't understand what you mean. I didn't modify the files and I don't know if the hacker did that, but he is not in my system because I blacklisted his IP and his country. I monitor the logs and so far so good.
But my concern is: do I have to accept the fact that the nulled plugin from babiato can have hidden code? I know that I must secure my server as much as I can, but isn't the fact that the plugin possibly has hidden code important? Maybe I am wrong about it, but maybe I'm right. At least I saw that this plugin was the protagonist in the attack.
I can understand that these things can happen and I believe that I must report it here. I hope I'm wrong, because some people may not know how to escape from these situations.
 
There are 3 parts mainly - the server, the other being the nulled plugin, and the 3rd being the compromised plugin (modified by the hacker)!

I have covered 3 areas. Finding the entry point is what I was aiming for.

Since you were repeatedly saying it was the RankMath, I asked you to compare yours (what was on your server) with the babiato RankMath package. If they are NOT the same -- then the babiato package should be good, as yours was modified/injected with extra code by the hacker.

If the packages are the same, then there is a concern about the babiato package --- but I doubt it as nobody else had the same problem.

Then everything turns to just one thing ===> how did the hacker know about those files on your site -- if not, the hacker wouldn't have tried to access those files directly and been stopped by the NinjaFirewall+? So, the hacker has known those plugins (thus the plugin files) using online theme/plugin detectors or was already inside the system!

I am trying not to overlook RankMath but to look at every other point too.
 
Yes, again you are right. I did overlook the rankmath and I still do that. Maybe it's a mistake by me that everyone could fall into, so I will try to explain my view.
Even if the files of the rankmath on my server are different from the babiato ones, there is the possibility that the original files were injected just to give him access into my system, and when he gained access he then remodified the files of rankmath and other files, so that even if I catch him, he will still be able to re-enter my system. I'm saying that one line of bad code in the original file gave the access and then the hacker had a party in my WordPress setup.

Why am I overlooking the rankmath?
1st, the attacks began exactly the same day that I installed the plugin.
2nd, the attacks happened only on the sites where the plugin is installed, and the other sites don't have any attack.
3rd, the logs from ninjafirewall+ showed me some patterns in the attacks that gave me the impression that it was the rankmath, such as when I blocked his IP, the very first attempt was through this plugin.

After all of these, are you truly really sure that the problem is something else?
And why (on the same server, the same IP, the same plugins except the rankmath) is he targeting specific sites? If he spy-tracks as you believe, then he could easily know the domains that I have through internet tools (mxtoolbox). He could attack domains with higher interest and not empty sites like microhost.gr.

You can't see the problematic plugin because your server is very secure and stops these attacks, but the problematic plugin is still problematic and something should be done about this.
 
I haven't stopped looking at RankMath or even any other plugin without any 2nd thought as anything could be the culprit. I have all ears to what you are saying --- but, as long as others don't get attacked especially because the attacker has already targeted your 3 sites...... I can't "conclude" the case by calling RankMath the culprit, but still doubt another entry point.

I trust your words, but I don't trust the hacker :)

P.S. Try setting up another totally different site using cloudflare and proxy it and have rankmath and ninjafirewall+ installed on it and no other plugin on the same server. Don't do it if you smell trouble.
 
Could someone upload untouched 3.0.57 so we could compare with nulled?
That exactly was my intention. Someone who knows how to do this, go compare untouched with nulled.
Inside the plugin there is this file with this code. It's a little weird to me.
The best for all of us, and not only for me, is for it to be compared with the untouched one by someone who knows how to do this.
 

Attachments

  • Screenshot_2024-03-13-20-14-30-694_com.android.chrome.jpg (296.2 KB)
  • Screenshot_2024-03-13-20-15-12-720_com.android.chrome.jpg (962.2 KB)
.zip the RankMath free and Pro folders from your server and upload it here on the thread. Do mention --- that the package is corrupt.
 
OK, I will, but I'm a little afraid because someone may make a mistake.
I will mention it very much.
Give me some time to put the baby to sleep. 😁
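
The comparison several replies ask for (the plugin folder on the server against the downloaded package) can be done by hashing both trees. This is an added example, not part of the thread; the directory and file names built in `demo()` are constructed sample data.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def tree_hashes(root):
    """Map every file under root (relative POSIX path) to a SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink():
            # Hash the link target instead of following it out of the tree.
            data = b"symlink->" + os.readlink(path).encode()
        elif path.is_file():
            data = path.read_bytes()
        else:
            continue
        digests[path.relative_to(root).as_posix()] = hashlib.sha256(data).hexdigest()
    return digests

def compare_trees(reference, installed):
    """Report files that differ between the package and the installed copy."""
    ref, inst = tree_hashes(reference), tree_hashes(installed)
    return {
        "modified": sorted(f for f in ref.keys() & inst.keys() if ref[f] != inst[f]),
        "added": sorted(inst.keys() - ref.keys()),
        "missing": sorted(ref.keys() - inst.keys()),
    }

def demo():
    """Build two constructed sample trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, inst = Path(tmp, "package"), Path(tmp, "server")
        for base in (ref, inst):
            (base / "includes").mkdir(parents=True)
            (base / "plugin.php").write_text("<?php // main file\n")
            (base / "includes" / "helpers.php").write_text("<?php // helpers\n")
            (base / "readme.txt").write_text("readme\n")
        # Constructed differences: one changed file, one extra file, one deleted.
        (inst / "includes" / "helpers.php").write_text("<?php // changed on server\n")
        (inst / "includes" / "extra.php").write_text("<?php // not in package\n")
        (inst / "readme.txt").unlink()
        return compare_trees(ref, inst)

if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

A match only shows that the installed copy equals that package; it says nothing about whether the package itself is clean, which is why the thread also asks for the untouched release to compare against.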
 