Hacker Alert


Hello.

We have been having an issue with a hacker that gained access to our WHMCS and has been diverting funds from our PayPal gateway. He is very sneaky, covers his tracks, deletes DB details. I just thought I would warn others and share the PayPal email address he was using and see if anyone else has had the same issues from the same attacker.

kurnia.hudaya@yahoo.com is his PayPal address.


I suggest you:

1) Strengthen your WHMCS admin password.

2) Change the name of your admin folder: http://docs.whmcs.com/Further_Security_Steps

3) Report this person to Yahoo so they can close down his Yahoo email address.


This is sage advice for those good folks that are young in the hosting, computer, internet or network business.

Security is not a goal to attain. Security is an ongoing process that must constantly change to counter the ever-evolving threats.

The weakest link in the security chain is the human, us. Social Engineering is a 50 cent phrase that means the bad guys will try to trick you into giving them whatever security data they can get.

A short story. I read this online somewhere. A rather large company hired a security consulting firm to test their network security defenses. The security company developed a small program that would contact their office or "call home". The program was loaded onto 7 thumb drives. The consultant then dispersed the thumb drives in the parking lot of their client as if they had been dropped.

As the client company employees came to work, all 7 of the thumb drives were picked up by employees. In just a couple of hours, 5 of the 7 thumb drives had "called home".

This is an example of social engineering. The security consultant tricked some of the client employees into installing what could have been a very malicious script on 5 of their computers. Human nature compromised the client's network.

We have to bear the burden of security for our "stuff". It's not cPanel's job or WHMCS's job. It's not even the data center's job. It's ours. When it's all done and over with, you will be standing alone amidst the rubble and smoke of your hosting company. Make wise security decisions, train and educate your staff. Stay vigilant.

-Roger


I want to add something here as well.

Don't, ever, under any circumstances, install WHMCS in a sub folder on your company's website. Most new hosting companies run Joomla, WordPress, Drupal etc. on the main domain and have WHMCS in a subfolder, so when a hacker uses a Joomla or WordPress exploit to gain access to your hosting account, they can browse into the sub folder and see what your DB username & password is. Then they simply upload phpMyAdmin or something similar to the server, gain access to your WHMCS DB and wreak havoc.

Rather install WHMCS in its own account on the server, with a totally random username and at least 200% - 400% more secure password - for many people this will mean you'll need to add capital letters, special characters and numbers to your existing easy-to-guess password.

In fact, it would be better if your WHMCS is on a completely separate server where you can disable FTP, SMTP, POP3, IMAP, move SSH to a secure port, install brute force protection, install a good 2nd firewall upstream, etc. - all stuff which would ultimately "break" shared hosting environments and make you want to enable these insecure and open (i.e. not encrypted) protocols to keep clients happy.


Another little thing you can do is put a "deny all" in your .htaccess for the renamed admin folder and then only allow IP addresses of users that really need to be there.

That's only going to be useful for people who have fixed IP addresses on their internet connectivity. Most startup / small hosting companies will work from home or have a DSL type connection with dynamic IPs.


There are many links in the security chain. It only takes one weak one for the bad guys to identify and then exploit. The more accounts and software that are on the same box as your WHMCS install, the more links in the chain you've added, and the more you will have to keep tabs on.

A very good place to start for security are the folks that produce CSF. I don't believe I can put a link in here without violating the rules. But most of their products are free. The important one that isn't free is the Mail Manager.

Many can not afford a separate box for WHMCS. Then seriously consider a VPS for your WHMCS install and secure it.

HTH

-Roger


True, but you can still add wildcards for the first parts of the IPs and exclude ones from overseas etc...

Below is a list of what CSF provide, and there is only 1 you pay for as the rest are free.

ConfigServer eXploit Scanner (cxs) - $50 (one-time fee)

ConfigServer eXploit Scanner (cxs) is a new tool from us that performs active scanning of files as they are uploaded to the server.

ConfigServer Firewall (csf) - FREE

A Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application for Linux servers.

ConfigServer ModSecurity Control (cmc) - FREE

This is an exclusive! and free! add-on product for cPanel/WHM. The product provides you with an interface to the cPanel mod_security implementation from within WHM.

ConfigServer Explorer (cse) (formerly known as WHM File Manager/Console) - FREE

This is an exclusive! and free! add-on product for cPanel/WHM. The product provides you with a full featured Filesystem explorer and a Virtual Console to use within your web browser in WHM. It gives you root access from the top level of your disks and allows you to enter non-interactive commands and see the output.

ConfigServer Mail Queues (cmq) - FREE

This is an exclusive! and free! add-on product for cPanel/WHM. The product provides you with a full featured interface to the cPanel exim email queues from within WHM.

ConfigServer Mail Manage (cmm) - FREE

This is an exclusive! and free! add-on product for cPanel/WHM. The product provides you with an interface to the cPanel user accounts' email configuration without having to login to their accounts. It is domain based rather than account based and allows you to do all the following from within WHM:


These are not enough to secure your server/websites. I suggest you hire an expert to manage & secure your server.


Never said they were.

These are the basics you need on a server. You could also get WHMXtra on your server, as this has things like dosdeflate, rootkiller etc.


Thank you for all your advice.

My WHMCS is a mess; trying to clean it up... There have been so many different admins that have installed many different times over the years...

Also, I have used cliffsupport.com for a while now. I have been sending support tickets to them to look into this more and harden my server and secure everything. But they have been very slow to even respond to my support ticket, taking days... I don't know enough to fix and get a clean WHMCS install done right. I think I might have to go with a different support company.

The few partners I've had over the past 10 years were the admins... I worked more with sales and clients.


  • 1 month later...

Unless you're logging on from lots of different IPs all the time, a good thing is to block access to your WHMCS admin area, apart from your own IP(s).

Add an .htaccess file to your admin folder and write:

# Apache 2.2-style access control (on Apache 2.4 this syntax needs mod_access_compat)
order deny,allow
# deny everyone by default
deny from all
# then allow only the listed addresses
allow from xxx.xxx.xxx.xxx
allow from xxx.xxx.xxx.xxx
allow from xxx.xxx.xxx.xxx

where xxx.xxx.xxx.xxx is your IP(s).

I have seen a few trying to get access, but so far I have had no one gain entrance.

But be careful, because if they gain FTP access, they can still just modify the .htaccess file.
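As an added example (not posted by anyone in this thread), the same IP allowlist placed in the Apache virtual host configuration instead of .htaccess, so that someone who only has FTP access to the account cannot edit it, using Apache 2.4 syntax with an HTTP basic-auth fallback for people on dynamic IPs and a /24 range in place of the "wildcard" mentioned above. The directory path, the .htpasswd path and the addresses (from the RFC 5737 documentation ranges) are placeholders.

```apache
# Added example: protect the renamed WHMCS admin directory from the vhost
# config (httpd.conf or the site's conf file), not from a .htaccess file.
# Placeholder paths: adjust /home/whmcs/public_html/renamed-admin and
# /home/whmcs/.htpasswd. Create the password file with:
#   htpasswd -B -c /home/whmcs/.htpasswd adminuser
<Directory "/home/whmcs/public_html/renamed-admin">
    # Ignore any .htaccess inside this directory, so an attacker with FTP
    # access to the account cannot loosen these rules by editing one.
    AllowOverride None

    # Second gate for staff whose IP changes (DSL / dynamic IP): a
    # separate HTTP basic-auth login in front of the WHMCS admin login.
    AuthType Basic
    AuthName "WHMCS admin"
    AuthUserFile "/home/whmcs/.htpasswd"

    # Apache 2.4 (mod_authz_core): a request is allowed if it comes from a
    # listed address or range, or if it presents valid basic-auth
    # credentials. Anyone else gets a 401 and never reaches WHMCS.
    # (Apache 2.2 equivalent: Order/Deny/Allow lines plus "Satisfy Any".)
    <RequireAny>
        # single fixed office address (placeholder)
        Require ip 203.0.113.10
        # a whole /24 network, the CIDR form of a "wildcard" for the first parts of the IP
        Require ip 198.51.100.0/24
        # fallback for dynamic IPs: must know the .htpasswd credentials
        Require valid-user
    </RequireAny>
</Directory>
```

After changing the config, run "apachectl configtest" and then reload Apache; verify from an address outside the list that the directory prompts for credentials rather than serving the admin login page.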


One of the biggest problems is, what if your IP is dynamic? I mean, it will change constantly, so it would not benefit those people without a static IP.

On the other hand, you are best creating a fake admin folder, but rest assured there are tools out there that can actually scan for admin folders, so you are really not going to be able to escape someone finding it even when you change the folder name.

Your best options are ensuring that you use secure passwords, ensuring your service has proper protection from current exploits, preventing brute force attacks or ensuring you have security measures in place to prevent them, etc.

Unfortunately, there is no "real" protection when an attacker has the upper hand.
