speckster Posted January 6, 2012
I am tired of hackers trying to inject my WHMCS contact form with: {php}eval(base64_decode(''));{/php}
I decoded it and it's:
I keep blocking IPs and the emails, but I get close to 30 a day. I have the WHMCS spam setting done and they still try, so I had to make it clients only! I set up the WHMCS live chat for pre-sales questions.
elf Posted January 12, 2012
Yeah, I'm getting the 'php eval base64_decode' spams being submitted through the pre-sales contact and submit ticket pages (neither of which require a login). reCAPTCHA is enabled on all pages, and I'm running the latest version of WHMCS. Is Google's reCAPTCHA service as easily defeated as it seems to be, or is WHMCS's implementation of it flawed in some way?
bear Posted January 12, 2012
> Is Google's re-captcha service as easily defeated as it seems to be, or is WHMCS's implementation of it flawed in some way?
Or option 3: they're manually submitting and manually entering the captcha. They can use a script to find your installation, but might be manually following up.
m8internet Posted January 12, 2012
I've been looking into what some people have been reporting and how they initially find your website.
The obvious ones: "powered by WHMCS", "powered by WHMCompleteSolution". However, last week I noticed a new search: "WHMCS 3.0.1".
Equally, I agree they are semi-automated. The bot finds the installations, and then once found they process the script manually.
I suspect the process is to obtain a copy of the credit card details, as no one seems to have reported anything other than database access.
Ashley.S. Posted January 12, 2012
One of my clients reported that this hack somehow got into their database and then obtained their reseller login details and decided to "hack" all indexes present. After performing the restores, all I told him to do was to ensure that his passwords were secure, that he'd applied the patch, and to contact WHMCS directly if it persisted after the patch had been applied, since it's not a direct server vulnerability, more with the script in use; otherwise all accounts on the server would have been affected.
I think the best option would be to either improve the spam filters to also include ticket submission and not just emails piped to the database, and/or set a limit as to how many characters can be added into the subject box.
bear Posted January 12, 2012
> However last week I noticed a new search "WHMCS 3.0.1"
3.0.1? How odd.
> I suspect the process is to obtain a copy of the credit card details, as noone seems to have reported anything other than database access
I've seen threads in various places where they gained access to far more, including user accounts, servers (root), admin access to WHMCS, adding shell scripts and more. Make no mistake, this is not a "simple" thing at all, but patching or updating corrects it from then on, at least. If your server was allowing eval in PHP, and you were running an unpatched WHMCS, you were at serious risk.
m8internet Posted January 12, 2012 (edited)
> 3.0.1? How odd
I know, I had to look at the server log to check this. I've seen this about 8 times now. I suspect this is looking for users of WHMCS who have not upgraded, and as a result the patch will not work (as it is written for v4.x onwards).
Equally, I have done a test with a void WHMCS installation (files only, no database). It was just three days before an attempt was made to visit the three files to access WHMCS. I have also noted they have never revisited since, so presumably they updated their records so that they didn't visit again.
Finally, the most come from installations where the default folder names are used. I think this should be made more of a priority. I learned this one from using phpBB: never use the default folder names; this vastly cuts down on the risk.
Edited January 12, 2012 by m8internet
Blueberry3.14 Posted January 13, 2012
> Or option 3, they're manually submitting and manually entering captcha. They can use a script to find your installation, but might be manually following up.
At least in my experience, this seems to be the most prevalent and a growing trend. http://www.smh.com.au/it-pro/security-it/virtual-sweatshops-defeat-antispam-tests-20120110-1psej.html
elf Posted January 13, 2012
> Or option 3, they're manually submitting and manually entering captcha. They can use a script to find your installation, but might be manually following up.
*sigh* Yeah, that's certainly what they're doing, now that you've pointed it out.
Search terms so far this month:
- site au powered by whmcompletesolution submitticket.php?step=
- allinurl /cart.php?a= site .au
- powered by whmcompletesolution hosting
- submit ticket
And viewing my logs shows that it's a normal Firefox browser that is manually submitting the support ticket numerous minutes after hitting the site.
Anyone got any tricks for limiting the length of the text area field contents (refusing to submit if longer than the limit), and/or filtering out submissions that contain such strings appearing together as "php", "eval" and "base64_decode"?
m8internet Posted January 13, 2012
> Anyone got any tricks for limiting the length of the text area field contents (refusing to submit if longer than the limit), and/or filtering out submissions that contain such strings appearing together as "php" "eval" and "base64_decode" ?
This depends on if you want a counter, or to simply cut off after so many characters. Therefore there are various methods.
The simple one is to add this to the MySQL database: tblticketreplies > Structure > Length/values: insert XXX.
Now, I have done character counts of the code and it is typically between 1500 and 2200 characters. I doubt a customer will ever submit such a long ticket, so I use 1200.
bear Posted January 13, 2012
> The simple one is to add this to the MySQL database
I don't believe this has to do with inserting into the database. If I understand it correctly, it's being parsed by Smarty as it's being submitted, prior to inserting the values, though that insertion isn't the target. I could be mistaken, but I think all your effort would do would be to prevent the ticket from being saved/inserted in the DB. It would still post.
WIS hosting Posted January 16, 2012
I think it would be better for WHMCS to increase the security of the captcha, since I do not pipe the emails to the ticket system and I am still receiving spam.
A client of mine was receiving a lot of spam in his Phoca guestbook. Since the latest version, Phoca has included reCAPTCHA and Akismet. This solved all the problems. Maybe a nice feature for WHMCS to do the same?
m8internet Posted January 16, 2012 (edited)
> I think it would be better for WHMCS to increase the security of the Captcha since I do not pipe the emails to the ticket system and i am still receiving spam
As above and now well documented, the exploit is processed manually, so cannot be processed as spam. What you end up receiving is the normal email from a new support ticket or sales enquiry.
I have tested and applied the "text exclude" script and this works perfectly well. If a new support ticket is submitted then a message appears. Although rather basic, it works.
*REMOVED*
Save as: evalblock.php in the folder: /includes/hooks/
I note the script has 'message' but only works on the subject line, and this is good enough (for just now). You can repeat this same script for other words and phrases, just give each a unique filename.
Edited February 23, 2012 by WHMCS Andrew: Code Removed
WIS hosting Posted January 16, 2012
> As above and now well documented, the exploit is processed manually, so cannot be processed as spam. What you end up receiving is the normal email from a new support ticket or sales enquiry
Yes indeed, reCAPTCHA would not work in this case because it is put there manually. But in combination with Akismet it also validates the input, and I guess it would filter these messages out.
Ashley.S. Posted January 16, 2012 (edited)
> As above and now well documented, the exploit is processed manually, so cannot be processed as spam. What you end up receiving is the normal email from a new support ticket or sales enquiry. I have tested and applied the "text exclude" script and this works perfectly well. If a new support ticket is submitted then a message appears. Although rather basic, it works.
> *REMOVED*
> Save as: evalblock.php in the folder: /includes/hooks/
> I note the script has 'message' but only works on the subject line, and this is good enough (for just now). You can repeat this same script for other words and phrases, just give each a unique filename.
Thanks for this, that should help a lot.
Edited February 23, 2012 by WHMCS Andrew: Code Removed
elf Posted January 22, 2012
> I have tested and applied the "text exclude" script and this works perfectly well
Gold, Jerry, gold! Works well for now.
Kanistic Posted January 28, 2012
Thanks, this will be very helpful. Just received another spam message today, so annoying.
curseddagger Posted January 30, 2012
I have been getting these attacks over the last few days too. Seems like they are getting a list of anyone running WHMCS through a Google query such as inurl:.com.au/submitticket.php, then they are trying to exploit the Smarty template system (manually, so captcha/reCAPTCHA doesn't help) into reading from the database and/or injecting a rootkit. The latest attack today consisted of a rootkit injection and SQL dump of payment gateway details, CC details, usernames/passwords, root access details, etc.
Does anyone know if this vulnerability has been fixed in version 5.0.3?
rodeoXtreme Posted January 31, 2012
> ...I have tested and applied the "text exclude" script and this works perfectly well. If a new support ticket is submitted then a message appears. Although rather basic, it works.
Thanks M8. We have been getting a number of unsuccessful attempts every day, and since installing the text exclude script I have not seen one come through. Keeping our fingers crossed. Thanks again!
curseddagger Posted January 31, 2012 (edited)
I have implemented something like this in includes/hooks/phpevalblock.php. You could also expand it to block the offending IP address via a firewall rule very simply.
*REMOVED*
Edited February 23, 2012 by WHMCS Andrew: Code Removed
m8internet Posted January 31, 2012
> you could also expand it to block the offending IP address via a firewall rule very simply
In theory blocking IP is useful, but it also blocks potential and valid visitors. Equally, the users (employees of a company offering this service) of this script vary their IP address as they are using a proxy. As an example, they were recently using an IP address from Japan, but this would have blocked several of my existing customers.
curseddagger Posted January 31, 2012
> In theory blocking IP is useful, but it also blocks potential and valid visitors. Equally, the users (employees of a company offering this service) of this script vary their IP address as they are using a proxy. As an example they were recently using an IP address from Japan, but this would have blocked several of my existing customers
Precisely. That is why the script I posted does not blacklist the IP address; I was just putting the idea out there. Thanks for your feedback!
Cheers, James
Oll Korrect Posted February 2, 2012
> In theory blocking IP is useful, but it also blocks potential and valid visitors. Equally, the users (employees of a company offering this service) of this script vary their IP address as they are using a proxy. As an example they were recently using an IP address from Japan, but this would have blocked several of my existing customers
To add to this, IP blocking will not stop professional spammers using changing compromised computers all over the world, only some legit users and teen hooligans/vandals.
easyhosting Posted February 7, 2012 (edited)
> As above and now well documented, the exploit is processed manually, so cannot be processed as spam. What you end up receiving is the normal email from a new support ticket or sales enquiry. I have tested and applied the "text exclude" script and this works perfectly well. If a new support ticket is submitted then a message appears. Although rather basic, it works.
> *REMOVED*
> Save as: evalblock.php in the folder: /includes/hooks/
> I note the script has 'message' but only works on the subject line, and this is good enough (for just now). You can repeat this same script for other words and phrases, just give each a unique filename.
If you do this you will find this also blocks you from doing certain things from within your Admin area, such as creating or amending email templates.
Edited February 23, 2012 by WHMCS Andrew: Code Removed
Firestorm Posted February 7, 2012
I agree about it blocking editing email templates, but it could be tweaked to look for "base64_decode" instead of "{php}" to fix that, right?
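The following is an added example, not code from this thread (the evalblock.php / phpevalblock.php hooks posted here were removed by WHMCS) and not WHMCS's own hook API. It is a stand-alone Python filter that combines the three defences the posters describe: m8internet's 1200-character cap, the combined "eval" and "base64_decode" match elf asked for, and Firestorm's point that matching "base64_decode" rather than "{php}" avoids blocking admin email-template edits. It checks every submitted field, not only the subject line that the removed script looked at. The field names, the sample submissions and the base64 string in them are constructed for the example.

```python
import re

# Length ceiling taken from the thread: the observed injection text ran
# 1500-2200 characters, so 1200 was chosen as a cut-off that a genuine
# support enquiry should never reach.
MAX_LENGTH = 1200

# Smarty {php} / {/php} tag, tolerating the spaced form "{ php }" and any case.
PHP_TAG_RE = re.compile(r"\{\s*/?\s*php\s*\}", re.IGNORECASE)

# eval( base64_decode( ... ) ) with optional whitespace inside the call chain.
# Matching the pair rather than "php" alone avoids flagging a normal customer
# message that merely mentions PHP.
EVAL_B64_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)


def inspect_submission(fields, max_length=MAX_LENGTH, block_php_tag=True):
    """Return the list of reasons a form submission should be refused.

    `fields` maps form field names (subject, message, ...) to their text, so
    every field is checked rather than only the subject line. An empty list
    means the submission passed. Set `block_php_tag=False` where a literal
    {php} tag can be legitimate (e.g. an admin editing email templates), which
    is the false positive reported later in the thread.
    """
    reasons = []
    for name, text in fields.items():
        if len(text) > max_length:
            reasons.append(f"{name}: length {len(text)} exceeds {max_length}")
        if block_php_tag and PHP_TAG_RE.search(text):
            reasons.append(f"{name}: Smarty {{php}} tag")
        if EVAL_B64_RE.search(text):
            reasons.append(f"{name}: eval(base64_decode(...)) pattern")
    return reasons


# Constructed sample submissions (not real tickets). The base64 string is a
# placeholder encoding of the word CONSTRUCTED, not a recovered payload.
SAMPLE_SUBMISSIONS = {
    "genuine": {
        "subject": "Question about VPS plans",
        "message": "Hi, do you offer monthly billing on the VPS plans? Thanks.",
    },
    "injection_attempt": {
        "subject": "Pre-sales question",
        "message": "{ php } eval(base64_decode('Q09OU1RSVUNURUQ=')); { /php }",
    },
    "oversized": {
        "subject": "Hello",
        "message": "x" * (MAX_LENGTH + 1),
    },
}


def triage_samples(samples=SAMPLE_SUBMISSIONS):
    """Run the filter over each sample; returns {name: (blocked, reasons)}."""
    results = {}
    for name, fields in samples.items():
        reasons = inspect_submission(fields)
        results[name] = (bool(reasons), reasons)
    return results


if __name__ == "__main__":
    for name, (blocked, reasons) in triage_samples().items():
        status = "BLOCKED" if blocked else "allowed"
        detail = " - " + "; ".join(reasons) if reasons else ""
        print(f"{name}: {status}{detail}")
```

Wired into a public form handler, a non-empty result from inspect_submission is the point at which to refuse the post and show the user a message, which is all the removed hook did; the IP address is deliberately not blacklisted, for the reasons m8internet and Oll Korrect give about proxies and shared addresses.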