davey

Did you set up the recaptcha for unregistrated users? If not, this can prevent tickets like these aswel.

I had about a year ago alsof this kind of support ticket, this only happend once. Did you restricted the support departments for registrated users only?

The date what is displayed is the date till when this ip has been banned, not the date since when he got banned

Don't think that would be a option to be honest. Thereby, this guy uses proxy's also located in usa. These ip's he already used on our website. 50.116.74.228 Hack attempt 02/12/2031 11:29 192.185.83.219 Hack attempt 27/11/2031 11:54 192.185.83.177 Hack attempt 26/11/2031 00:02 168.144.134.227 Hack attempt 25/11/2031 11:51 192.185.81.218 Hack attempt 25/11/2031 11:50 192.185.2.236 Hack attempt 21/11/2031 13:10 216.246.79.37 Hack attempt 16/11/2031 12:46 199.241.186.134 Hack attempt 15/11/2031 17:02 50.61.165.3 Hack attempt 15/11/2031 09:27 192.185.83.176 Hack attempt 13/11/2031 22:34 198.1.71.233 Hack attempt 08/11/2031 21:12 192.254.69.110 Hack attempt 08/11/2031 19:43 192.185.83.10 Hack attempt 01/11/2031 20:52 192.185.2.252 Hack attempt 29/10/2031 18:27 37.247.121.196 Hack attempt 28/10/2031 20:56 184.107.244.250 Hack attempt 28/10/2031 10:09 199.91.126.193 Hack attempt 27/10/2031 16:56 192.185.2.30 Hack attempt 17/10/2031 12:45 173.199.142.17 Hack attempt 16/10/2031 12:13 198.46.141.122 Hack attempt 14/10/2031 13:50 142.0.138.193 Hack attempt 09/10/2031 17:48 188.40.130.120 Hack attempt 08/10/2031 13:53 199.201.88.69 Hack attempt 06/10/2031 10:36 178.32.239.141 Hack attempt 03/10/2031 13:28 192.157.220.120 Hack attempt 02/10/2031 16:20 204.93.159.77 Hack attempt 02/10/2031 11:50 108.170.46.130 Hack attempt 01/10/2031 02:14 108.175.145.28 Hack attempt 30/09/2031 14:11 108.179.225.71 Hack attempt 28/09/2031 11:52 192.185.2.31 Hack attempt 26/09/2031 15:34 188.165.14.158 Hack attempt 26/09/2031 15:25 75.127.126.17 Hack attempt 29/08/2030 14:25 68.64.167.182 Hack attempt 29/08/2031 14:25 216.185.103.164 Hack attempt 25/08/2030 11:14 79.106.109.243 Hack attempt 24/08/2030 01:49 39.250.33.211 Hack attempt 08/01/2032 13:12

Hi, This guy is trying to exploit our whmcs system aswel for over a 5 months now. Almost each day he tries to get acces to our servers with a new account each day. Also read this post: http://forum.whmcs.com/showthread.php?93239-Spam-Account-Keeps-Registering&p=393526#post393526 If you want all ip addresses what i've banned so far, please contact me.

We have this guy now for months on our site. Each ip we have been banned manually. Might be interested to share these ip's. IP Address Ban Reason Ban Expires 178.32.239.141 Hack attempt 03/10/2031 13:28 192.157.220.120 Hack attempt 02/10/2031 16:20 204.93.159.77 Hack attempt 02/10/2031 11:50 108.170.46.130 Hack attempt 01/10/2031 02:14 108.175.145.28 Hack attempt 30/09/2031 14:11 108.179.225.71 Hack attempt 28/09/2031 11:52 192.185.2.31 Hack attempt 26/09/2031 15:34 188.165.14.158 Hack attempt 26/09/2031 15:25 75.127.126.17 Hack attempt29/08/2030 14:25 68.64.167.182 Hack attempt29/08/2031 14:25 216.185.103.164 Hack attempt25/08/2030 11:14 79.106.109.243 Hack attempt24/08/2030 01:49 39.250.33.211 Hack attempt08/01/2032 13:12

It is not, i would advise u to remove the rule, and ban his ip. This is the same person what is bugging us for weeks now. - - - Updated - - - Might be usefull to share the ip's where they order from. Most of them are proxy servers but you never know... 108.170.46.130 Hack attempt 01/10/2031 02:14 Delete 108.175.145.28 Hack attempt 30/09/2031 14:11 Delete 108.179.225.71 Hack attempt 28/09/2031 11:52 Delete 192.185.2.31 Hack attempt 26/09/2031 15:34 Delete 188.165.14.158 Hack attempt 26/09/2031 15:25 Delete 75.127.126.17 Hack attempt 29/08/2030 14:25 Delete 68.64.167.182 Hack attempt 29/08/2031 14:25 Delete 216.185.103.164 Hack attempt 25/08/2030 11:14 Delete 79.106.109.243 Hack attempt 24/08/2030 01:49 Delete 39.250.33.211 Hack attempt 08/01/2032 13:12 Delete

Well, we still have those orders on a daily basis. Current version: 5.3.10 See the attachment for more details. Below u see the rules what they have entered in some fields: AES_ENCRYPT(1,1), address2= (SELECT MAX(password) FROM tbladmins) AES_ENCRYPT(1,1), address2= (SELECT MIN(username) FROM tblservers) AES_ENCRYPT(1,1), city= (SELECT GROUP_CONCAT(0x3a3a3a3a3a,id,0x3a,username,0x3a,email,0x3a,password,0x3a3a3a3a3a) FROM tbladmins) syntaxerror Regards, Davey

Did u make sure u selected the "[]Tick to use SSL Mode for Connections" box?

Hi, Since i've updated whmcs to the latest version i've noticed that when WHMCS tries to create/suspent/delete a webhost package it is unable to login "LOGIN FAIL" When i press the WHM button, i am logged in, so the details are correct. I've saw that this issue has been on alot earlier, but nothing recent. Any suggestions? Kind regards, Davey

Same here, never had these fake orders incombination with these mysql rules. Any suggestions to prevent these? Do i need to be worried?

Last night we've received another registration of a fake order, this might be hacking attempts. Again a other ip address with other account details. These details were filled in: Address 1: syntaxerror Address 2: syntaxerror E-mail: andriroot@gmail.com City: AES_ENCRYPT(1,1), city= (SELECT GROUP_CONCAT(0x3a3a3a3a3a,id,0x3a,username,0x3a,em ail,0x3a,password,0x3a3a3a3a3a) FROM tbladmins) Domain: hacked-by-dm-team.com -- If i'm correct this city rule is related to receive the admin details trough the database.

In the attachment u see both orders, the call of duty server and the webhosting.

i'm not sure if it is the lack of my english or that i am not clear. The point is that the product has been created while it has not been approved, this fake client received the details of the product while it is still pending. The order is still active and has not been changed. I only banned these ip's from my WHMCS. I'm sure you have my details to login, see last support ticket.

I know it would make sense for the autocreation, but not for the webhosting does it?

Yeah, i already banned that ip, but the next order aprox 12hours later came from a other server (proxy). So it keeps on goin. In the attachment u see the COD 2 configuration (where this order is about) and the webhosting configuration (the order what came after this one)

Correct, below u can see the activity log. There is nothing abnormal what i can find. 12 hours later, (probably the same user) ordered webhosting, exactly the same thing happend. The only difference is that webhosting is not set on autocreation. Game servers is. 17/08/2014 01:46 Email Sent to bardhi gogo (New Product Information) - User ID: 107 Client 79.106.109.243 17/08/2014 01:46 Module Create Successful - Service ID: 236 Client 79.106.109.243 17/08/2014 01:46 Running Module Create on Order Client 79.106.109.243 17/08/2014 01:46 Email Sent to bardhi gogo (Order Confirmation) - User ID: 107 System 79.106.109.243 17/08/2014 01:46 Created Invoice - Invoice ID: 340 System 79.106.109.243 17/08/2014 01:46 New Order Placed - Order ID: 219 - User ID: 107 System 79.106.109.243 17/08/2014 01:46 Email Sent to bardhi gogo (Welcome) - User ID: 107 System 79.106.109.243 17/08/2014 01:46 Created Client bardhi gogo - User ID: 107 System 79.106.109.243

As said before, the automation setup is not enabled. I need to aprove each order, so a automated setup is not possible unless i approved the order (which i did not) the details of this "customer" are fake, and received the product information. This should not be possible as i need to approve each order.

Yes that's correct. The order has not being processed with the status pending. This "customer" did received the product information while it is still pending. I had this once like a year ago, but this is now the second "customer" in the past 2 days. I think there is some glitch or bug in the system.

Thank you for your reaction, Yes we have, to order something the customer needs to fill in the re-captcha in google code. For some reason it looks like they are able to send also the confirmation mail. The confirmation mail never sends automatically, only when a order has been approved. Any idea what they are doin?

Hi Since a week or so we are receiving several fake orders. For some reason they are able to create a account (while clients must puchase a product first), order it and send a order confirmation mail. We need to aprove each order manually as extra security but this is really annoying and costs alot of time to sort it out. Any suggestions to avoid this? Kind regards, Davey

Thnx. I just noticed that since the update to 5.3.8 also other TLD domains are Unavailble like .com, .eu, .net, .info What's wrong?

Thnx you for your reply Lance, Which line do i need to add? This line is already active in my whoisservers.php: .gr|[url]http://grwhois.ics.forth.gr:800/plainwhois/plainWhois?domainName=|HTTPREQUEST-not[/url] exist

Hi, I've added the tld here: setup> configuration> add domain The tld is .gr

Hi Recently i've added a TLD. While checking the domain name it returns in a Unavailable message while the domain is availible. Any suggestions?