
Status
Not open for further replies.

Viking4s

Hi guys,

I only download from Babiato and from approved threads and trusted uploads, but today I got my website hacked and this is what I got. See the screenshot yourself.

Please note that all plugins and themes were deleted from that website, not from the rest of the directory!!

Did anyone experience this? Please share, and I can send a backup of the plugins and themes as well as the link to where I got them from here.

Looking forward to hearing back from you all

PS, I had Wordfence installed and I got 2 emails.

[Wordfence Alert] www.xxxxx.com Wordfence Deactivated

This email was sent from your website "xxxxxx" by the Wordfence plugin at Thursday 12th of January 2023 at 06:24:07 PM
The Wordfence administrative URL for this site is: xxxxx
A user with username "admin" deactivated Wordfence on your WordPress site.
User IP: 104.244.227.213
User hostname: 104.244.227.213
User location: Kingston, Jamaica

Screen Shot 2566-01-13 at 03.08.44.png
 
This looks more like a developer included a backdoor in his plugin/theme. It has nothing to do with nulling. You need to find which plugin from your list has the backdoor.
 
Of course, you should not use nulled files for a working site.
The question: What is the philosophy behind the nulled communities?
The answer: So the users can find what they are looking for and if their desired scripts or plugins have what it takes to elevate their website to a whole new level.
Some want to take the risk, but it's always advised to use the original files with a valid license.
Many developers plant backdoors in their plugins and scripts to f..k over the pirates.
 
Hi guys, I really appreciate it as this is the first time this happened to me and it's freaking me out!

Here's a copy of all the plugins that I had at that time, and I am using the HUB theme.

Would appreciate it if you guys can tell me which plugin had the backdoor and how to delete the backdoor so I won't have to face this problem again!

Also, quick question: should I change the password of the cPanel and website now?

If a developer can do the backdoor and sell it on CodeCanyon or ThemeForest, that means spying on others, which is not good, and an action needs to be taken, don't you guys agree?

Looking forward to hearing back from you all

Best Regards
 
Sydney, New South Wales, Australia was blocked by firewall for Known malicious User-Agents at https://xxxxxx.com/ALFA_DATA/alfacgiapi/perl.alfa 1/12/2023 10:53:47 AM (22 hours 48 mins ago) IP: 20.92.225.14 Hostname: 20.92.225.14 Human/Bot: Bot Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36

Do you guys know something about ALFA_DATA/alfacgiapi/perl.alfa?
 
That is a bot that scans WP sites for vulnerabilities.
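
A way to triage web server access logs for the request Wordfence reported above, as an added example that is not part of the thread: it flags hits on the `ALFA_DATA/alfacgiapi/` path and the misspelled User-Agent tokens visible in the alert, and separates refused probes from requests the server actually answered. The combined log format, the sample lines and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Combined log format: ip, ident, user, [time], "request", status, size, "referer", "ua"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
# Path and User-Agent misspellings taken from the Wordfence alert in the thread.
PATH_MARKER = re.compile(r'/ALFA_DATA/alfacgiapi/', re.IGNORECASE)
UA_TYPOS = ("Mozlila", "Bulid", "Moblie")

# Constructed sample lines (documentation IP ranges), not data from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2023:10:53:47 +0000] "GET /ALFA_DATA/alfacgiapi/perl.alfa HTTP/1.1" 403 199 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) Moblie Safari/537.36"
203.0.113.7 - - [12/Jan/2023:10:53:49 +0000] "POST /ALFA_DATA/alfacgiapi/perl.alfa HTTP/1.1" 200 5120 "-" "Mozlila/5.0 (Linux; Android 7.0) Moblie Safari/537.36"
198.51.100.20 - - [12/Jan/2023:11:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/108.0 Safari/537.36"
192.0.2.55 - - [12/Jan/2023:11:05:00 +0000] "GET /alfa_data/alfacgiapi/perl.alfa HTTP/1.1" 404 0 "-" "curl/7.85.0"
"""

def triage(log_text):
    """Count, per client IP, refused probes, answered requests and typo-UA hits."""
    report = defaultdict(lambda: {"probe": 0, "served": 0, "typo_ua": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path_hit = bool(PATH_MARKER.search(m["path"]))
        ua_hit = any(token in m["ua"] for token in UA_TYPOS)
        if not (path_hit or ua_hit):
            continue
        entry = report[m["ip"]]
        if ua_hit:
            entry["typo_ua"] += 1
        if path_hit:
            # A 2xx status means the server answered at that path, so the
            # file may exist on disk; anything else was only a probe.
            entry["served" if m["status"].startswith("2") else "probe"] += 1
    return dict(report)

def needs_webroot_check(report):
    """IPs whose requests to the marker path were answered with a 2xx status."""
    return sorted(ip for ip, e in report.items() if e["served"])
```

Any IP returned by `needs_webroot_check` is a reason to inspect the web root for an `ALFA_DATA` directory and to review what else that client requested around the same time.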
 
Bingo! I figured out why I was hacked. It was a vulnerability in the LiteSpeed Cache plugin!

I have attached a picture of the hacker leaving a message on a website that uses "LiteSpeed Cache".

In less than 10 hours 2 websites were hacked and left with that message, and maybe more.

Mine and ssuaych.org! How do I know? I did scan plugins for ssuaych.org and they are only using LiteSpeed Cache along with other plugins, and what do we have in common? Just one plugin, and it's LiteSpeed Cache.

I have deactivated it and deleted it.

You can all check the following article:


So it wasn't the plugin I downloaded from here, it was the goddamn LiteSpeed Cache.

Any thoughts?
 
Good job bro, thanks for sharing.

Not understand to internal server u, sorry no help u.
 
Been running LiteSpeed with the cache plugin for years and never a problem.
Are you not running any security plugin like Wordfence?
 
Here's why this happened, guys! From my hosting support team!
 

Attachments

  • Screen Shot 2566-01-14 at 01.52.10.png
Which plugin did you download?
 
Mine and ssuaych.org! How do I know? I did scan plugins for ssuaych.org and they are only using LiteSpeed Cache along with other plugins and what we have in common? Just one plugin and it's LiteSpeed Cache.
Contact Form 7 and Google Site Kit plugins are also used by both.
 