Jump to content


Level 2 Member
  • Content count

  • Joined

  • Last visited

Community Reputation

17 Good

About penguin

  • Rank
    Level 2 Member

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

  1. penguin

    cPanel Password Security

    cPanel passwords are visible in plain text under the username field when viewing the product details, which is where I assume the issue has arisen from. My previous comment still stands though - someone shouldn't have got that far anyway so the root cause of that access needs to be determined.
  2. penguin

    cPanel Password Security

    > How can this be prevented in future? My question would be how was your WHMCS installation compromised? If they had access to either your database or WHMCS admin access then encrypted passwords is the least of your worries as you would still have full access to everything else - an encrypted password with an WHMCS admin exploit would still allow someone access to the hosting accounts via single sign on, password reset, etc. You need to determine how this happened from a WHMCS perspective and secure this accordingly.
  3. penguin

    Time Based 2FA Not Working Anymore

    Have you checked the time on your server? This needs to be synchronised with a time server as drift will cause this to fail, being time based tokens
  4. WHMCS have come back to me regarding this and there is now a case CORE-12285 regarding this issue. They have suggested in the meantime creating a dummy £0.00 invoice to prevent clients from being deleted, however this isn't practical for general use as it would be confusing for customers having a zero priced invoice created and also it would mean tracking these as and when they sign up.
  5. We've been testing the new "Automatically Delete Inactive Clients" function that was implemented as part of the GDPR enhancements to automatically remove clients who did not have an invoice within a defined number of months. An issue has been noted however in that if a ne customer registers an account yet does not order immediately, when the cron runs their account is deleted as they have no invoice generated within the number of months specified. I've opened a ticket with WHMCS asking for clarification on the logic surrounding the deletion process to better understand this. If you are using this function and have any customers that have either not placed an order, or maybe use an account for support tickets only then there is a good chance they are going to be deleted so please be aware until further clarification has been given by WHMCS. If this is the case, I'd be interested to see what others think should be used to enhance this - should it look at tickets or logins within the same timeframe or have a separate timeframe for these? It certainly doesn't look good if a new customer opens an account and then hours later they are deleted because they haven't ordered.
  6. penguin

    Private WHOIS Protection Module

    You mention that this is in light of GDPR, however since this has been implemented it has effectively made Whois privacy as a service worthless as whois details are now hidden automatically and at no cost to the registrant
  7. Yes, this was omitted from the upgrade. If you download the full package you can just upload that separately
  8. It's because they are not passing a user agent with the curl request and so this blocks it. A simple fix but nothing from them for this yet
  9. We've got a bug open with WHMCS regarding this - the issue is that the check triggers a modsecurity rule as it's not using the correct curl syntax when checking the certificate. It's either a case of whitelisting the rule, or waiting for a fix from them to use the correct curl commend in this check. It doesn't have any operational issues though as you know the SSL cert is working correctly.
  10. penguin

    Health & Updates : Warnings and Failures

    For info, I've got a bug filed against this (#CORE-10834) - the reason this is often being seen is that the curl command is triggering a mod security rule due to no useragent being passed with the curl connection, therefore as WHMCS does not see a 200 response it shows as an SSL issue.
  11. penguin

    curl system health

    That's just a list of what they offer - you would need to check with them if they actually keep the packages up to date as the version numbers won't change for most of these
  12. penguin

    curl system health

    It's safe to ignore as long as you are on a Redhat/CentOS v6 server and it is fully up to date - you would need to confirm that with HostGator though if you're not managing your own server. Being a shared server however has no reflection on whether or not it is being maintained and kept up to date.
  13. penguin

    curl system health

    If you're running CentOS/Redhat v6 then you don't need to do anything. This is the shipped version and as long as your OS is up to date then this is secure. Redhat/CentOS backport fixes into the same version, therefore this will always remain as 7.19.7
  14. Yes, 6.3.2 is the current, secure version within the 6.x branch - the other notice is just because v7.1.1 is newer and also available as an upgrade
  15. penguin

    maxmind quit working says invalid key

    We had the same issue. Maxmind recently updated their billing for products and in the process cancelled the legacy free service what WHMCS users used to receive. They did admit however that they failed to notify anyone about this.

Important Information

By using this site, you agree to our Terms of Use & Guidelines