Support » Plugin: Backup, Restore and Migrate WordPress Sites With the XCloner Plugin » It got hacked and sent out 9,000 spams

  • I may have installed it on a client’s client’s website and it got hacked from the ukraine and sent out 9,000 spam emails before the host caught it. Interesting how the developer won’t tell us where he is from.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Hello kirktalon, I am sure that this plugin is not the culprit for your website getting hacked. This is a backup plugin, all it does is backup your site and restore it.

    Can you let us know how you came to believe that this plugin is the culprit of your website being hacked?

    Kind regards

    Hi mbrsolution:

    I came to this page for a couple of reasons, but I had the same experience as kirktalon. My host sent me the following:


    It’s come to our attention that your [domain omitted] (gs) Grid-Service has been compromised and is hosting malicious files. These files are being used to relay spam and attack other servers on the Internet. This degrades your service, as well as the service of others, and is a large consumer of resources overall. While the plugin developer has not yet confirmed the presence of a vulnerability, we have noticed malicious scans targeting the ‘xcloner-backup-and-restore’ plugin installed at the following path:

    [path omitted]/html/wp-content/plugins/xcloner-backup-and-restore

    As a result of the malicious scans, we found malicious files created on your (gs) Grid-Service through the requests made to the aforementioned plugin:

    [path omitted]/html/wp-content/plugins/xcloner-backup-and-restore/language/rbbr1i.php

    To prevent further compromise and abuse of your (gs) Grid-Service, we’ve been forced to disable web access to the domain [domain omitted]. We are waiting for additional information from the plugin developer before we can recommend a proper course of action to resolve this issue, but for now we would recommend deleting or evaluating each of the files listed above, and going through your site’s content to verify no additional malware has been added. We cannot re-enable this domain until you have completely removed this plugin and the malware injected.

    Hope this helps.

    Hi @nick, thank you for the information. That will definitely help the developer investigate further and find a solution.

    Once again thank you for sharing your issue here.

    Kind regards

    Here is what the host of the website wrote minus the domain.

    “xcloner 3.0.9 was exploited.

    Someone from the Ukraine got in through {domain omitted}’s xcloner’s PHP files and uploaded their own bad php script which sent out over 9,000 spams non-stop.

    I caught it after that happened, and removed the plug-in from the site.

    I highly suggest you don’t put it back, and even though there is an upgrade
    available, the reason you might need an upgrade is because the backup
    program is letting hackers in… ”

    Hi @nick and @kirktalon, have you tested the latest version 3.1.0?

    The following is what has been included in the latest version.

    added WordPress login-less integration
    plugin settings are now saved to database
    security audit and hardening

    Security audit and hardening probably has fixed the issue reported here.

    Kind regards

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘It got hacked and sent out 9,000 spams’ is closed to new replies.