Phobic
Everything posted by Phobic

  1. A very long night indeed. I pointed out to WHMCS that we could grab firstname data back from all customers' welcome mails - and they assisted in writing up a script for that, which thankfully assisted me in getting some sleep. WHMCS also assisted me in writing up a mass password reset script, which would have actually crashed out PHP as it was unthrottled, so after writing up some quick throttle control for it, everything went well. However, from a quick Twitter search, I can see a lot of hosts got people slightly sharper than the script kiddies who found us - entire databases getting scraped, all tables getting dropped etc. Still a catastrophic mistake on WHMCS's part; a lot of businesses came to a swift end last night, due to what I'm still having trouble seeing as being anything more than a back door. Very disheartening. For those asking - we use unbranded WHMCS.
  2. Our backup server went down due to HDD failure - we're around a week and a half without backups, but we're still trying to recover data from our old hard drive. Due to the nature of the failure, the RAID 1 backup did us no good - as corrupted data got mirrored on the second drive. While we're working on getting this back, there's no quick fix. We do have Mod_Sec running and fully up to date; so I don't know why that didn't kick into action. The script kiddie in question actually contacted me, demanding money for a fix; after informing him he didn't use a proxy, and that I'm aware of what script he used, he began apologising. He's in the UK, so pursuing charges against him is a possibility, but as he appears to be a juvenile (who admitted he didn't know what the script would actually do), I doubt that'll go far. And it definitely won't assist our customers either. Right now the only solution I can really consider is mass-resetting all passwords to a random string, emailing on the updated password along with information on the attack to our clients, and considering a new billing platform. If you read through the exploit, it's very explicit on accepting AES_Encrypt data - it really looks like an intentional backdoor. I can't see any use for it otherwise.
  3. With this, we have also found that every single 'password' column in our database was also altered. From reading through the code on the exploit, the code for this exploit should never, ever have existed in the first place. It was either put in place by a Computer Scientist on his first day in college, or put in as a backdoor for WHMCS. I would hedge my bets on the latter. I would expect WHMCS to find themselves as destroyed as the companies affected by this - if not by reputation, then by legal action from the business owners who found themselves shut down tonight.
  4. Due to the exploit spread today by WHMCS, and the fact that no email has even arrived yet warning us of this absolutely massive, elementary mistake by the WHMCS team, our database was exploited earlier this evening, with 28,000 accounts having their firstname field authored, and then us receiving an email containing all md5 passwords that were stored on our system. We contacted support, who asked us to update our WHMCS installation. We specified in our first mail that we updated immediately after being made aware of this exploit, following the attack carried out. Considering an exploit at the level of a full database scrape being made available is something that would bring an absolute end to almost every WHMCS-powered business (and WHMCS itself), I expected a more thorough, and professional response - at least one at a level that would imply our ticket was actually read and acknowledged. What's actually happening at WHMCS at the moment? Are people drunk at the wheel? And I would also strongly recommend everyone who has a WHMCS account to change their password immediately - if db scraping is as easily carried out by the released script, you can guarantee that the WHMCS database is in the hands of several people at this stage.
  5. As we're getting no response from the support team, I thought I'd ask here - as I can see from other posts, that several other users are having serious problems since upgrading to WHMCS 5.2 after the advised security update. Most importantly, our tickets and live chat system are entirely down. Tickets are coming back with a JSON install error (our PHP install is up to date, and compiled with JSON); this means customers can't submit tickets, and staff can't read tickets. Our second line of defense, Live Chat, is also down - citing a server validation issue. We're up to date on payments, have updated Live Chat, and attempted a license reissue; no dice. We're entirely offline. Mass mailing is down, with the mailer returning with "Invalid email address" on every account; while displaying a valid email. Finally, our admin section is completely distorted - citing JSON errors, and general display issues. We of course cleared out our server cache, along with our storage cache. Clients are completely unable to request support, and we're unable to give it; and we're hearing reports that paid orders are also failing. We handle several thousand clients, and this update has absolutely crippled us without warning. We'd almost be better off with a gaping security exploit than this. Can anyone shed any light on what might be going on at the moment? Or why WHMCS' support team seem to be AWOL?
  6. Hey all, Just thought I'd post and say I solved this myself - did it through standard SQL rather than go through the WHMCS reports. If anyone else ever finds themselves needing this, the query is:

     -- Paid invoices for May 2012, with the owning client's country
     SELECT tblinvoices.id AS 'Invoice ID',
            tblclients.id AS 'User ID',
            tblinvoices.datepaid AS 'Date Paid',
            tblinvoices.total AS 'Total paid',
            tblclients.country AS 'Country'
     FROM tblinvoices, tblclients
     -- match each invoice to its client through tblinvoices.userid, not the invoice's own id
     WHERE tblclients.id = tblinvoices.userid
       AND tblinvoices.status = 'Paid'
       AND tblinvoices.datepaid LIKE '2012-05%';

     Mods can feel free to lock this now
  7. Hi, I'm trying to do up a quick custom report, similar to the current transactions CSV - However, I only need the following information in it; 1) Invoice ID 2) Full name 3) Transaction ID 4) Amount paid 5) Country Preferably, I would like to be able to split this by month. I'm looking to get this done up to make it easier to balance our tax books. If anyone could assist me with this, I'd greatly appreciate it.
  8. I'm sure this is due to me completely overlooking something during my WHMCS setup - but I honestly cannot figure out for the life of me how to repair this. My login page loads up fine - but when attempting to log in, I am instantly redirected to yourdomain.com . I cannot access the admin panel, nor can I see any setting in configuration.php that could be doing this. Has anyone any ideas on how I can restore this back to my own URL? -Phobic