BUY GENUINE PLUGINS AND STOP F****** PIRATE NULLED COPIES!"

Status
Not open for further replies.
You build the website on the host server LIVE? Perhaps you might want to change the way you build websites now and move over to a localhost server. I use Laragon to make everything simple; with a single click I can create a WordPress website instantly.
 
Let me clear something up: actually all of us (especially me) wish for the same thing, but the topic always rambles off in other directions.
Could you please find out answers for my other questions?
They said "To our regret, our Shared Hosting packages don't have such a function. CloudLinux OS can be installed only on our Dedicated server packages."
 
You build the website on the host server LIVE? Perhaps you might want to change the way you build websites now and move over to a localhost server. I use Laragon to make everything simple; with a single click I can create a WordPress website instantly.
Is it better than xampp?
 
Is there a confirmation of which plugin had the backdoor?
I will not download a zip file with 127 MB of plugins from a randomer.

You probably downloaded some "nulled" theme; these guys do this on themes mostly, and they hide their server with some basic base64 strings or related file changes. Check the dates before you touch anything on your file system. If you find anything with this profile, post the file in some pastebin and tell us the link.

They probably stole your credentials and your website name and sent them to their server. I used to play with these guys by filling their servers with fake data.
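
The check this post describes (base64 strings hiding a remote server, plus file modification dates), as an added example that is not part of the original thread. The sample files, the host `collector.example.invalid` and all function names are constructed for illustration.

```python
import base64
import os
import re
import tempfile
import time

# Quoted string literals that look like base64 (16+ characters).
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{16,}={0,2})['"]""")
# Decoded bytes that name a remote endpoint (URL or dotted IPv4 address).
REMOTE = re.compile(rb"""https?://[^\s'"<>]+|\b\d{1,3}(?:\.\d{1,3}){3}\b""")
# PHP calls commonly wrapped around encoded payloads.
RISKY_CALLS = re.compile(r"\b(eval|assert|base64_decode|gzinflate|str_rot13)\s*\(")

def scan_php_file(path):
    """Return a finding for one PHP file, or None if nothing stands out."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        source = fh.read()
    hidden = []
    for literal in B64_LITERAL.findall(source):
        try:
            decoded = base64.b64decode(literal + "=" * (-len(literal) % 4), validate=True)
        except ValueError:  # looked like base64 but is not
            continue
        hidden += [m.decode("ascii", "replace") for m in REMOTE.findall(decoded)]
    calls = sorted(set(RISKY_CALLS.findall(source)))
    finding = {"path": path, "mtime": os.path.getmtime(path), "calls": calls, "endpoints": hidden}
    return finding if (hidden or calls) else None

def scan_tree(root):
    """Scan every .php file under root, most recently modified first."""
    paths = [os.path.join(d, n) for d, _, names in os.walk(root)
             for n in names if n.endswith(".php")]
    findings = [f for f in map(scan_php_file, paths) if f]
    return sorted(findings, key=lambda f: f["mtime"], reverse=True)

def build_sample(root):
    """Write constructed, inert sample files (not taken from any real theme)."""
    encoded = base64.b64encode(b"http://collector.example.invalid/c.php").decode()
    samples = {"functions.php": "<?php $u = base64_decode('%s'); ?>\n" % encoded,
               "clean.php": "<?php echo 'hello'; ?>\n"}
    for name, body in samples.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for f in scan_tree(tmp):
            print(time.ctime(f["mtime"]), f["path"], f["calls"], f["endpoints"])
```

A hit is a lead for manual review, not proof of a backdoor: legitimate plugins also call `base64_decode`, so the decoded endpoint and the modification time are what to look at first.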
 
I download only from here, and from trusted uploaders or @Babak.
 
I had an experience with one of the scripts (codecanyon-storego-saas-online-store-builder) I downloaded here some days ago, after testing it on a live server. Attached is the screenshot. I need an explanation too.
 

Attachment: Screenshot (153).png

They said "To our regret, our Shared Hosting packages don't have such a function. CloudLinux OS can be installed only on our Dedicated server packages."
Almost all shared hosting providers use CloudLinux. Probably you should get away from Namecheap and host your site somewhere else.
 
Try scanning all your plugins and themes using GOTMLS anti-malware plugin. See if it can find any malware in your hacked plugins/themes.
That's the result I got bro!
 

Attachment: Screen Shot 2566-01-18 at 00.39.26.png

Last scan!
 

Attachment: Screen Shot 2566-01-18 at 00.58.39.png

Let's be a little clear about your issue. I have read all the comments.

1. When someone has entered your website with admin details, the possibilities can be unlimited. If you are using a VPS, check your firewall logs. If you don't know how to, then ask your hosting provider. For managed servers they will have access.

2. Can plugins have backdoor access?
Absolutely. Doesn't matter if it is nulled or original. This is the internet, and every second someone will try to find a new way to get details.

3. It is not a bot/crawler in your scenario, I believe. Even if you assume it is a bot that cracked your admin details via whatever method, then simply your firewall settings are weak and you need to learn how to handle things like a strong password, setting up a custom login page or blocking xmlrpc, which are basic.

4. I have been using nulled plugins for quite some time; in fact I test them on live servers. If I uninstall them, then I make sure to leave no traces of the plugin behind in the tables.

5. And firewall plugins always give you a list of risks, no matter if it is original or nulled. So ignore them.

6. Most importantly, when you are using nulled plugins you should consider backing up your data as a priority. Make sure to use some auto backup plugin like updraft.

7. Every plugin is vulnerable, so is LiteSpeed. 😂

8. Unless you give logs of your server, no one can help you specifically.

9. If you are using Cloudflare, then check the firewall from the security tab to see if you can find any clue.
 
1- The hack was through a plugin or theme; they didn't have access to the back-end or the cPanel.

2- It was a backdoor for sure.

3- Since I followed their step and added robots.txt, I didn't have the problem again and no one has tried to log in since.

7- I have already removed LiteSpeed.

8- I can't and won't share my login details. I asked her, and I included the backup plugins of the ones I was using. That's all you need, no need for my login details.

9- Not using Cloudflare, but I'm considering moving from Namecheap.
 
You have to stick to one point.
It was either from your plugin/theme or from a bot crawling for vulnerabilities.

Because robots.txt does nothing but stop legit bots that obey the rules as per your rules, not the crawlers or hackers who don't care.
"It is like a hacker is all ready with machines and tanks, with an army in place to destroy you, and your robots.txt is merely a monkey standing with a banana."
My point is robots.txt is nothing. Forget about it. It has nothing to do with it.

100000's of users are using LiteSpeed, and if you alone got hacked then it is not LiteSpeed either. Because if a hacker found a loophole in LiteSpeed, he would be hacking every possible site.

The suggestion is simple:

Check your firewall logs, and increase security measures as mentioned in the previous comment.
If you have knowledge of how to use a firewall or want to protect the server backend, simply buy a VPS or dedicated server and block all bot crawling and IP addresses. Using firewall plugins will only protect you to some extent.

Lastly, I want to say something. If you are so sure that it happened because of plugins or themes, then share the list here in text format. Others will be a little more careful in the future.

Most importantly, always scan downloaded files in VirusTotal. If you uninstall plugins, make sure to remove the tables from the database. Cheers!!!
 
Namecheap sucks

Doubt it was LiteSpeed Cache; been using the plugin for years and I am sure they are not going to put a backdoor into the plugin. It would not be good for business; besides, it is a free plugin.

Robots.txt does nothing but tell bots what they can and cannot search on your website (if they follow the rules).

So probably another plugin or theme or something very insecure on your website.
 
I would strongly suggest to Babiato that it would be a good idea to share the original version along with a nulled version in the Resource Section on Babiato.

It will be very easy for each member to trace the malicious or backdoor code by comparing the original with the nulled version. I hope @Babak and his team also include this as compulsory in their terms for the resource section. Thanks to Babiato.
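
The comparison this post proposes, as an added example that is not part of the original thread: it hashes every file in two copies of a plugin, lists what was added, removed or changed, and extracts the lines added to a changed file. The directory layout, file contents and function names are constructed for illustration.

```python
import difflib
import hashlib
import os
import tempfile

def file_hashes(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    hashes = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                hashes[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return hashes

def compare_trees(original, modified):
    """Return files added, removed and changed in `modified` relative to `original`."""
    a, b = file_hashes(original), file_hashes(modified)
    return {"added": sorted(set(b) - set(a)),
            "removed": sorted(set(a) - set(b)),
            "changed": sorted(p for p in set(a) & set(b) if a[p] != b[p])}

def added_lines(original, modified, relpath):
    """Lines present only in the modified copy of one changed text file."""
    def read(root):
        with open(os.path.join(root, relpath), encoding="utf-8", errors="replace") as fh:
            return fh.read().splitlines()
    diff = list(difflib.unified_diff(read(original), read(modified), lineterm="", n=0))
    return [line[1:] for line in diff[2:] if line.startswith("+")]  # diff[:2] are file headers

def build_sample(root):
    """Create constructed 'original' and 'nulled' trees under root; return their paths."""
    original = {"license.php": "<?php\nfunction licensed() { return check_key(); }\n"}
    nulled = {"license.php": "<?php\nfunction licensed() { return true; }\ninclude 'inc/extra.php';\n",
              "inc/extra.php": "<?php // constructed placeholder\n"}
    for tree, files in (("original", original), ("nulled", nulled)):
        for rel, body in files.items():
            path = os.path.join(root, tree, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
    return os.path.join(root, "original"), os.path.join(root, "nulled")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        orig, nulled = build_sample(tmp)
        report = compare_trees(orig, nulled)
        print(report)
        print({rel: added_lines(orig, nulled, rel) for rel in report["changed"]})
```

Every added file and every added line is something the vendor did not ship, so those are the places to read first.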
 
Was one of these plugins being used?
Paid Membership Pro
Easy Digital Downloads
Survey Maker
 
Bingo! I figured out why I was hacked. It was a vulnerability in the LiteSpeed Cache plugin!

I have attached a picture of the hacker leaving a message on a website that uses "LiteSpeed Cache".

In less than 10 hours 2 websites were hacked and left with that message, and maybe more.

Mine and ssuaych.org! How do I know? I did scan plugins for ssuaych.org and they are only using LiteSpeed Cache along with other plugins, and what do we have in common? Just one plugin, and it's LiteSpeed Cache.

I have deactivated it and deleted it.

You can all check the following article:


So it wasn't the plugin I downloaded from here it was the goddamn LiteSpeed Cache.

Any thoughts?
Theme and plugin detectors for WordPress sites are not correct all the time. You can hide your plugins but not LiteSpeed Cache. On my sites I hide all plugins, but if I use a tool like BuiltWith or Wappalyzer I see only LiteSpeed Cache. 2 sites that happen to have LiteSpeed in common is not evidence of a security flaw in LiteSpeed Cache. Why would a hacker that used the cache plugin want to tell you not to use nulled content? How would he even know you used nulled plugins or themes? This is clearly not an issue with LiteSpeed; most probably a backdoor in a plugin or theme.
 