pierre

Retired Forum Member
  • Posts: 26

Everything posted by pierre

  1. Very interested in this. One of my sites was attacked but runs the latest WHMCS so no big worry, but this is organized crime scanning all sites running WHMCS they can put their dirty hands on. (Using email whmcs0day@gmail.com by the way...) I work with some Amazon S3 / EC2 resources and have an account there - if anybody has info on use by hackers feel free to report or share, I'm thinking they'd take that seriously. - - - Updated - - - And yes by the way, 2FA access should be a must.
  2. Update: (on to table tblbannedips in the meantime to unban myself...): Back to the original pw for the admin so just removing the "yubico" value and all values in authdata: same, "Login Failed. Please Try Again. Your IP has been logged and admins notified of this failed login attempt." Giving up for now. - - - Updated - - - One last thing: I am travelling now and remotely controlled a laptop from my office that I know had remained connected to our WHMCS today: I can perfectly use my whole admin account and use WHMCS in spite of the database changes I did... I guess if that browser gets logged out I'm locked out...
  3. Ok in case that can help: I could not login with my main user, the admin account so to speak. I went ahead and copied the password and password hash value from those of a "subuser". No luck, still rejected. Oddly enough in my main user record, I had the field "authmodule" that did contain the value "yubico" (my yubikey) while it was not asked during login. Then I changed the roleid number for that subuser to make him a temp admin, but now cannot login with that user either... Pending support tickets from my clients, this is frustrating. Please WHMCS come up with a fix...
  4. Interested in this thread, cannot login either, no 2FA activated. Could be server related as this dedicated is on PHP 5.2, on Plesk, and that cannot be changed simply.
  5. Did this idea ever proceed? Regards.
  6. Just replying to follow-up, interested in this.
  7. Joining the discussion! We developed a custom module a few years ago, but it only worked with the specific French format (RIBs) and our module stopped working a few weeks ago in the middle of all those security upgrades. I am now looking for a long-term solution of a SEPA payment gateway following the new European requirements, that France also has to adopt by Feb 1st, 2014. Is there an existing working module? Else interested in sharing resources to have one developed - I know I will so I'd rather have it benefit whoever needs it, and I guess that will concern many WHMCS users in Europe. Have a nice day, Pierre.
  8. Ok, keeping an eye on this thread, same exact error even though I did everything we were instructed. Waiting on fix. Edit: by the way, the results from whois.php are very incomplete for us, and miss crucial owner details.
  9. Hi, We've been promoting Yubikeys for a long time, and can now use them in WHMCS at last. However we are 2 main admins working from different locations, and I can only see 1 Yubikey configuration? Please confirm how each one of us can use their key as we do with all other services? Best regards.
  10. Currently in the middle of a few hours of work on a Saturday to fix a critical WHMCS security issue that I feel was caused by a blatantly basic coding issue, sacrificing family time, does not make me too happy. At least I thought upgrading would now let us use 2FA security and Yubikey we've been promoting for years, just to realize now that it seems to be a paid addon? Can someone clarify, as the only link I have from http://www.whmcs.com/two-factor/ takes me to a referral page to buy keys we already have. Do I get things wrong? Could be as this AES injection issue really made my day...not. Edit: Ok, the admin section seems to show I can register 1 yubikey, no charge obviously, so it seems I got that wrong. Now on to ask how we can register our own key each as several people manage our sites...
  11. Re: http://forum.whmcs.com/showthread.php?60646-WHMCS-Security-Alert "simply delete the /modules/gateways/boleto/ folder entirely after which you will not be at risk." Done. Should the boleto.php file above that dir, i.e. inside /modules/gateways, be deleted too? At best it is now unnecessary? (Could not post under that thread as it is closed).
  12. Same issue here with the latest Firefox on Win7 64 bits, whereas all was fine before. "Thank you for logging in, pierre Click here if your browser does not automatically redirect you." then "You are not logged in or you do not have permission to access this page. "
  13. I tried to order but got a PayPal message that this account could not currently receive funds. Do you use Moneybookers or have another solution? Regards.
  14. All very good info, I forgot to trace and check how the domain worked. With all this they should hopefully be able to improve email communication, which helps in such times...
  15. Their main domain seems in fact handled by Enom (Domain name: whmcs.com, Registrar: ENOM, INC.) with I guess Hostgator being a hosting provider only. It seems they created their own (vanity) DNS, so nameservers for the domain are Name Servers: dns1.whmcs.com dns2.whmcs.com which means that SPF in the zone records can probably be edited live at Enom. Adding a txt/spf record takes a few seconds so I suggested to their support dept. they do it to avoid further communication issues during those difficult times. Also a good reminder that having separate providers for such critical issues such as domain name and dedicated servers makes sense. At least if hosting goes very wrong, DNS can be edited to redeploy hosting in a matter of hours to keep a line of communication open. As for further security measures to avoid such nightmares, I've always been an advocate of double-authentication or 2FA, but I guess as professionals WHMCS will be working hard on this in the next few days.
  16. Very good point. I forgot to check SPF but this is a major criterion these days. I suspect however that those records not being up-to-date are one of the consequences of the social engineering hack mayhem. Unfortunately nobody but WHMCS can access the DNS records to update those, so in the meantime checking for spam folder contents remains a safe bet. I think I'll notify their support.
  17. In case it may help others, be aware that for a Gmail or Google Apps address, or if you receive an external email on a Gmail interface, the password reset message was sent to Junk/Spam folder. Spam filtering criteria remain confidential for obvious reasons, and just because you received messages and invoices from WHMCS before does not mean that one message will not be mistaken for spam. Each message receives its own evaluation. So especially on Gmail but also with any provider, I advise anybody to double-check their Spam folder.
  18. I can go until the pw change form, but on submitting it seems to time out. It must have been a horrible day for WHMCS to whom I extend my sympathy, but on follow up I can see all details about the culprit seem to be at large too. Payback time.
  19. Very interesting, any update on that module? Does it work fine with the latest WHMCS? Best regards.
  20. Hi, The doc says .extension|whois server|match string but I cannot find info to look up .SO domains. Has anybody configured .so domains in their WHMCS? Thanks!
  21. Hi, Do you have a direct email address? I cannot seem to find where to send private msgs here. Regards.