gab007 Posted February 28, 2011

Since my client's WHMCS has been hacked twice - I have started some digging. Came across this statement in this forum:

"Hi, Having reviewed the codebase in WHMCS over the last 2 years, I can confirm there is NO SQL injection exploit as was detailed in that post/website. It could have been present in much older versions that are no longer licensed or supported but anybody running those is using a nulled/illegal copy of the software which often have numerous security issues anyway. If you're running a valid WHMCS license you can rest assured that this will not affect you and no updates are needed. Matt █ WHMCompleteSolution █ The Complete Client Management, Billing & Support System █ www.whmcs.com"

Wrong. Somehow, they did get in. Twice. Of course, the replies are closed, so I am opening this post.

Honestly, I don't know what type of hack was used to break into the script. This is the second time my client got hacked using this script in the last 6 months, under the following circumstances:

- admin folder was renamed
- complicated username and password
- 3 unsuccessful logins get you banned
- my client is using a perfectly legal copy provided by his hosting company

So for you all WHMCS security wizes: GET YOUR "SHOOT" TOGETHER! Also, don't bother deleting my post - I will make sure that this gets proper media coverage. Unacceptable for a paid "solution" like yours.

Matt (WHMCS CEO) Posted February 28, 2011

My post you're quoting must be relating to a specific security advisory post from some time ago, so not sure how it relates to your issue here? It was not wrong, the security advisory it related to was completely false.

On to your claims, do you actually have some particular evidence from your server logs that shows your client has been hacked through or as a result of WHMCS? Or are you just making an unfounded assumption? As if you have proof then certainly please provide that to us for review.

A couple of things you should be considering:

1. are you using WHMCS in a private environment (ie. not shared)?
2. have you looked for shell scripts on your server?

Matt

othellotech Posted February 28, 2011

> Since my client's WHMCS has been hacked twice

Evidence?

mylove4life Posted February 28, 2011

I hate when people post crap like this when they are just clueless about servers and running them....

gab007 (Author) Posted February 28, 2011

> I hate when people post crap like this when they are just clueless about servers and running them....

@mylove4life & othellotech:

1. I am not here to ask for help or provide you with evidence. Like it or not this is a FACT;
2. I don't think you know me to class me as "clueless", so please show some respect.

@Matt:

- yes, using shared hosting (reseller)
- yes, I have looked for scripts inside the root folder, have found none. Logs show hacker's activity, it seems that they sent several emails to themselves, I suspect MySql injection was used.
- if you need logs, I can provide them.

We'll move on with other plans, this post is just to let you know that hacking WHMCS is do-able (c'mon, twice in 6 months...?) - and it's really up to you if you want to do something about it (apart from calling me clueless).

jeremyhaber Posted February 28, 2011 (edited)

> @mylove4life & othellotech:
> 1. I am not here to ask for help or provide you with evidence. Like it or not this is a FACT;
> 2. I don't think you know me to class me as "clueless", so please show some respect.
>
> @Matt:
> - yes, using shared hosting (reseller)
> - yes, I have looked for scripts inside the root folder, have found none. Logs show hacker's activity, it seems that they sent several emails to themselves, I suspect MySql injection was used.
> - if you need logs, I can provide them.
>
> We'll move on with other plans, this post is just to let you know that hacking WHMCS is do-able (c'mon, twice in 6 months...?) - and it's really up to you if you want to do something about it (apart from calling me clueless).

Hmm, you are using a shared environment. Meaning you have no direct access to the server?

Let's say, someone gets access to this shared server you are on. One of the users finds an exploit. They now have access to your database and all your files. Oops, now it's really easy to gain access to your WHMCS.

Or another explanation: Your host outsources server admins to come into the server and adjust settings. These admins (usually highly skilled) now have access to all your files... so on and so on.

You should really be on a closed environment. Looking at all the facts. It's more likely someone has access to the shared environment that really shouldn't than WHMCS having a vulnerability. I suggest you move to another host and use a VPS rather than a reseller's account. Trust me, once you go VPS, you won't go back.

Anyways you should send Matt the logs in a ticket and he should be able to look into things for you. Don't post the logs here as they may have private data.

Edited February 28, 2011 by jeremyhaber

xeqution Posted February 28, 2011

> @mylove4life & othellotech:
> 1. I am not here to ask for help or provide you with evidence. Like it or not this is a FACT;
> 2. I don't think you know me to class me as "clueless", so please show some respect.
>
> @Matt:
> - yes, using shared hosting (reseller)
> - yes, I have looked for scripts inside the root folder, have found none. Logs show hacker's activity, it seems that they sent several emails to themselves, I suspect MySql injection was used.
> - if you need logs, I can provide them.
>
> We'll move on with other plans, this post is just to let you know that hacking WHMCS is do-able (c'mon, twice in 6 months...?) - and it's really up to you if you want to do something about it (apart from calling me clueless).

<<snipped>>

You have come onto this board claiming false statements, you have no proof or logging of certain events.

1. If you cannot determine how an attacker got into your system/script then you should NOT be in this industry.
2. For you to come onto these boards and claim that there was such an event such as described with no evidence or facts - <<snipped>>

WHMCS is an excellent product, if I were Matt I would ban you and disable your account from WHMCS <<snipped>>

ckh Posted February 28, 2011

The most common reason I've found for hacked accounts is a keylogger installed on the client's computer. The 'only' time I've seen a whmcs account hacked was because of a logger installed on the client's computer. We're talking about 65 servers worth of clients.

Wajdan Posted March 2, 2011

You/And your client is more likely hosting whmcs on the same server you are using to provide shared/reseller hosting to your/client's end users. In this case, your server is unsecure.

I always keep whmcs installation on the private server, where there's no client. Just personal websites. Reduces hacking attempts and works very well for me.

wsd Posted March 2, 2011

I would be delighted to see the logs, because I do not believe that it is WHMCS that has been hacked directly, it may be that it is through another hole in the server's security.

Xass1977 Posted April 19, 2011

Hi

Just seen this post, very funny. I had the exact same problem as this guy. I used whmcs on a reseller account. The server (not mine) got hacked via a script that looked like this:

/shop/ext/msbp.php
/shop/ext/php.ini
/shop/ext/black.htm
/shop/ext/sql.php

in one of their other clients' osc sites. I know, not much to go on from a directory structure but hey, that's the host for you! We use several servers and, in turn, they were all compromised!

This was an SQL attack that grabbed the WHMCS database and gained access to details like passwords, etc. It was the SQL database that was the problem NOT WHMCS. Blame SQL, it can be a bit loose, lol!

The lesson is, if you use WHMCS on a shared account you have no control over what other rubbish is run on the server, who uses other accounts for what (IE hacking), etc. We run our WHMCS on a different server to prevent any server downtime affecting the client support. We are now rethinking our strategy.

I would wholly agree with the above. I've used WHMCS for 4 years and never been hacked through it!!!!

Xass

easyhosting Posted April 19, 2011

Like others have said, do not use WHMCS on a shared environment and if possible place this on a separate server (closed) to that of your clients.

VN-Ken Posted April 21, 2011

In addition to the above, make sure to move your download folder to the root directory of your whmcs account. This can be an open invite for a hacking in a shared environment.

Host4u2 Posted April 21, 2011

Obviously a server hardening is required on his shared server. ANY vulnerable script, on any unrelated account on the server could have allowed access to his WHMCS passwords via root or mySQL. I wouldn't doubt that his host is using the standard port 22 for SSH and/or has port 22 enabled as only one example of many.

Definitely NOT a WHMCS issue at all! As far as media attention goes, the only thing I get from these posts is that the poster needs to get educated.

disgruntled Posted May 19, 2011 (edited)

> In addition to the above, make sure to move your download folder to the root directory of your whmcs account. This can be an open invite for a hacking in a shared environment.

Good advice. There are three settings in configuration.php:

    $templates_compiledir = "/home/account/whmcs/templates_c/";
    $attachments_dir = "/home/account/whmcs/attachments/";
    $downloads_dir = "/home/account/whmcs/downloads/";

As public_html is the webroot you can see this setup puts the troublesome files outside of harm's way. This won't protect you from exploits but it will protect those locations from exploits.

You will note I used whmcs as the directory for holding all three. This was just for my own benefit, I hate clutter, so sitting the three in one directory in my account root makes sense.

I think it is high time that WHMCS realised its full potential and came with the configuration and file structure as above. Most webhosts using this will definitely build a website around it because it makes practical sense, you can easily make whmcs your whole hosting website, I've done it.

Time to wake up Matt, WHMCS is the whole deal so make it the whole deal. Have that configuration permitted for those that can't for whatever reason use that structure, not the other way around. I am sure you know php can do this: realpath();

PS I don't have downloads so I am not entirely sure that the downloads being there will work, but the others do work. I've received support requests with attachments and I've been using that configuration since V3.x

Edited May 19, 2011 by disgruntled

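A check for the layout described in the post above, as an added example that is not part of the original thread and not WHMCS code: it reads the three directory settings out of a configuration.php and reports whether each one resolves inside the web root. The function names, the constructed sample config and the `billing` install directory are assumptions made for illustration.

```python
import os
import re

# The three settings named in the post above.
SETTINGS = ("templates_compiledir", "attachments_dir", "downloads_dir")

# Matches an uncommented PHP assignment such as: $downloads_dir = "/path/";
ASSIGN_RE = re.compile(r'^\s*\$(\w+)\s*=\s*(["\'])(.*?)\2\s*;', re.MULTILINE)


def parse_dirs(config_text):
    """Return {setting: path} for the directory settings present in the file."""
    return {name: value
            for name, _quote, value in ASSIGN_RE.findall(config_text)
            if name in SETTINGS}


def is_inside(path, root):
    """True if path resolves to root or below it.

    realpath() follows symlinks and collapses "..", and commonpath() compares
    whole path components, so "public_html_old" is not mistaken for a
    subdirectory of "public_html" the way a string-prefix test would.
    """
    path, root = os.path.realpath(path), os.path.realpath(root)
    return os.path.commonpath([path, root]) == root


def audit(config_text, webroot, install_dir):
    """Map each setting to 'inside-webroot', 'outside-webroot' or 'not-set'."""
    dirs = parse_dirs(config_text)
    report = {}
    for name in SETTINGS:
        if name not in dirs:
            report[name] = "not-set"  # nothing in the file relocates it
            continue
        # A relative value is resolved against the install directory.
        target = os.path.join(install_dir, dirs[name])
        inside = is_inside(target, webroot)
        report[name] = "inside-webroot" if inside else "outside-webroot"
    return report


# Constructed sample: one directory moved out, one still web-reachable, one unset.
SAMPLE_CONFIG = '''<?php
$templates_compiledir = "/home/account/whmcs/templates_c/";
$attachments_dir = "/home/account/public_html/billing/attachments/";
'''

if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG, "/home/account/public_html",
                   "/home/account/public_html/billing")
    for setting, status in result.items():
        print(f"{setting}: {status}")
```

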
robotronik Posted May 22, 2011

> The most common reason I've found for hacked accounts is a keylogger installed on the client's computer. The 'only' time I've seen a whmcs account hacked was because of a logger installed on the client's computer. We're talking about 65 servers worth of clients.

Second that, the most likely cause of this is user negligence. Now you could get anyone who logs into that WHMCS to run a deep AV scan but as anyone with a background in security would know - any half decent hacker will be clever enough to crypt their files, hiding it from antivirus.

Now with little disrespect to you or your client, WHMCS is the backbone of much bigger companies - I doubt if they have found an exploit or injection point with WHMCS that they would be targeting a reseller based web host.

rkatz0 Posted May 24, 2011 (edited)

Forgive me! Your attitude stinks because you are a moron! You are a moron because your attitude stinks.

Anyone that would bring charges against WHMCS with a shared hosting account on a server YOU DO NOT OWN does not know computers or computing, is a moron, has a bad attitude and this whole thing should be deleted (barring that good users have given good information that this guy obviously does not deserve!).

So someone hacked OSC or WordPress (very popular exploits available years ago, and yestermonth) and have access to ALL MySQL DATABASES ON THAT SERVER! They can do whatever they want! No reflection on WHMCS, sorry!

(ps double double @robotronik's post, he was nice about it)

Me, peace, out!

Edited May 24, 2011 by rkatz0

rkatz0 Posted May 24, 2011

ps - when you post stuff like this and it gets indexed in the search engines, people that know computers actually get to know more about WHMCS because when they read your unfounded post, if they have not used the product before and they read the feature list, they will definitely want to try it! So thank you for enhancing the WHMCS product community and bringing more loyal customers to Matt and the team!

easyhosting Posted May 24, 2011

I second @rkatz0's post. If it's that bad why are you still using WHMCS. I suggest you stop using it before your rights to use WHMCS are removed by MATT and the team for abuse.

niels Posted May 24, 2011 (edited)

Regardless of technical details, it just doesn't make any sense. If someone has found a way to compromise WHMCS he would not just hack 1 site, sit on it for 6 months, and then hack that same site again. Instead, he either reports his findings somewhere or sells the info to the highest bidder. In either case, a real hack would cause a lot more buzz than we're seeing right now.

Edited May 24, 2011 by niels

Roger Posted May 24, 2011

When claims like this surface.... well just makes my butt hurt. And there is considerable acreage there to hurt.