Alfahmad Posted June 25, 2007

This is a big problem with WHMCS: if somebody has access to phpMyAdmin .. and can reach the database, he can see the passwords written in the database and he can hack all your servers .. plus all of your domain name accounts.

ex:

directi Username ****@****.com
directi Password dfhjeyf874e
directi ParentID 1
directi CustomerID 45456756
directi DemoMode
enom Username *****
enom Password 45t87d_rg
enom TestMode

Also server passwords .. etc .. etc ..

Those passwords should be encrypted ..

trine Posted June 25, 2007

If someone has access to your phpMyAdmin, chances are they already have the capability to do other damage anyway.

The problem here is that the manner in which WHMCS connects to the remote server is a plain text password, regardless of whether it is using SSL or not. So it necessitates two-way encryption. So, if you have access to your server then you would also be able to decrypt the password in the MySQL tables as well.

I realize that you are only talking about the storage of the password, but you need to look at ways of securing access to the server and all of its resources and scripts first. (IMO)

trine Posted June 25, 2007

Also, you state "servers has been hacked coz WHMCS"? Can you provide additional details that it was because of WHMCS? Because, I'd be interested.

Alfahmad Posted June 25, 2007

Thanks Trine

Three servers plus an account with DirectI and an account with Enom have been hacked .. because somebody had access to phpMyAdmin ..

Well, if the hacker hacked only the web site .. it would be much better than hacking three servers .. and 400 accounts on them .. plus the domain reseller account .. only because WHMCS stores the password as clear text in the database.

trine Posted June 25, 2007

That's not good. But I was getting more at the fact of "how" they got your phpMyAdmin password to begin with. And, accordingly, how do you know it was through phpMyAdmin and not a std SELECT query, where the server security is weak?

Also, was the server that was hacked a stand-alone server, only used by you to bill, or does it also have shared hosting on it?

Alfahmad Posted June 25, 2007

Regardless of whether a server has been hacked or not .. the important point is .. if somebody has access to WHMCS .. as full admin .. from server management he will have access to all servers listed there just by one click .. this has no relation to server security.

And on the other hand ... if the hacker has access to phpMyAdmin .. he can also hack all of your domain accounts, only because the hacker can list whatever passwords you have ..

regards,
Ahmad

trine Posted June 25, 2007

Ahmad, absolutely! ... but having admin access to virtually any hosting admin software would grant you the same. ... so you should always keep some things in mind to protect you:

1. use a really difficult password that you don't use elsewhere
2. use https for everything
3. make sure you don't have any viruses or keyloggers on the remote, connecting PC
4. secure your server
5. don't run WHMCS in an untrusted environment. A dedicated server, for you only, is the best policy.
etc.

Sure, encrypting the passwords will make it more difficult, but anyone that has enough knowledge would still be able to get your passwords, since then it will require 2-way encryption. Again, anyone with access to the server can get this info.

I'd still be interested in exactly "how", since this may help all WHMCS users if there really is a threat.

Alfahmad Posted June 25, 2007

I think the problem is the easy login to WHMCS, and this should be secured more ..

SpookedOut Posted June 25, 2007

Alfahmad: Of course, if somebody has access to phpMyAdmin they can access the WHMCS database, absolutely, and any others for that matter. WHMCS is secure, if you make it secure.

Iceman Posted June 25, 2007

Just a thought on this topic... Is there any need for the passwords to access the servers to ever be viewable to humans?

Sure, they need to be stored in the database or somewhere so that WHMCS can connect to the servers, but is there really any need for easy viewing or decrypting of the password at any stage by an end user or tools such as phpMyAdmin? Why not leave the passwords permanently encrypted, to be used/decrypted by already secured WHMCS code when it talks to the servers?

Cheers,
Paul

Alfahmad Posted June 25, 2007

the hacker has an access first to WHMCS
then he logged in to server management
then he logged in to WHM
then he looked as root ..
then he changed the password of particular site
then he looked to this site
then he looked to phpmyadmin

so the first point was from WHMCS easy log in .. is there any way to increase the security at this level?

regards,
Ahmad

trine Posted June 25, 2007

> the hacker has an access first to WHMCS...

So you are saying he first was able to log into your WHMCS. In other words, you are also stating your password was compromised.... Do you know how he got your WHMCS password?

Like I said before:

1. use a really difficult password that you don't use elsewhere
2. use https for everything
3. make sure you don't have any viruses or keyloggers on the remote, connecting PC
4. secure your server
5. don't run WHMCS in an untrusted environment. A dedicated server, for you only, is the best policy.

Sorry, I am not trying to dispute what you say, but simply encrypting the password won't make much difference if you are already compromised.

SpookedOut Posted June 25, 2007

Alright... I believe he went into phpMyAdmin, after changing the password in WHM, right?

Matt (WHMCS CEO) Posted June 25, 2007

> this is big problem with WHMCS if some body has an access to phpmyadmin .. and can reach the data base

No, the big problem here is the "some body" having access to phpMyAdmin. If they've accessed your phpMyAdmin, they've already hacked into your server and have access to it.

> he can see the passwords written in the data base and he can hack all your servers

Wrong. ALL passwords are encrypted in WHMCS except for those for domain registrars. They therefore cannot get access to your servers by looking at the database of WHMCS. They also cannot get your admin login to WHMCS from the database, as that is encrypted. Only if they log in to your WHMCS system can they see the unencrypted forms of passwords, and if they get into your WHMCS, that is because your password is weak and they've been able to guess it. Three incorrect logins and they get banned for 15 minutes, so they can't repeatedly try and guess your password.

> so the first point was from WHMSC easy log in ..

That's not the point at all. How exactly is WHMCS easy to log in to? As you said yourself in your first post, somebody hacked into your phpMyAdmin - not WHMCS.

Matt

trine Posted June 25, 2007

It's quite futile to say WHMCS was hacked when in fact something else was compromised. Anyway, as I have repeated before, "how" it happened will give a better understanding of what you can do to prevent it from ever happening again .. including sharing it with other users.

swdomen Posted June 25, 2007

> the hacker has an access first to WHMCS
> then he logged in to server management
> then he logged in to WHM
> then he looked as root ..
> then he changed the password of particular site
> then he looked to this site
> then he looked to phpmyadmin
>
> so the first point was from WHMSC easy log in .. is there any way to increase the security at this level?
>
> regards, Ahmad

I don't think that a hacker goes through all those steps to hack your databases. If your server is not secured enough, then WHMCS will never be secured on that server.

Alfahmad Posted June 25, 2007

Well, try to go through those steps and then you will hack the whole servers .. whatever servers are linked with WHMCS .. plus you will hack any reseller domain name account .. you will have access to all of those .. if you hack WHMCS.

It's true that you should protect your WHMCS account .. but still, since WHMCS will deal with all of my servers plus all of our domain reseller accounts .. the login should be harder ..

How could we use https login with WHMCS?

BTW I love WHMCS ..

regards

Adam Posted June 26, 2007

Alfahmad,

I highly suggest that you hire a server management company (like myself) to perform a bunch of security checks on your server. I deal with servers monthly that have been hacked. Most hacks are done via root kits, where someone on the server has a folder that has a CHMOD of 777 and/or their PHP scripts are insecure, and the attackers upload these root kits. Once they upload these root kits, if the server is unprotected they can virtually delete everything. With folders that have a CHMOD of 777, anyone in the world can write into these folders, hence the reason CHMOD of 777 stands for world-writable. One quick and easy step is to install suPHP or PHPsuEXEC with Apache/PHP so you won't need a CHMOD of 777 and yet still have programs write to folders and files. You can contact me more about my services to secure your server.

As Matt has stated, ALL passwords are encrypted in MySQL. So even if the hacker got into phpMyAdmin, all they would see is the encrypted part of the password, which is useless.

To get HTTPS you will need to get a SSL certification. You can go to http://www.namecheap.com and get them for around $15.00 a year. You install it on your server, which is something my service also does.

Also, what do you suggest that WHMCS should do to make the login harder?

From,
Adam

Alfahmad Posted June 27, 2007

Thanks Adam

We deal with more than 25 servers .. and when somebody hacked our WHMCS account he hacked 25 servers plus the DirectI and Enom accounts.

What I did in my first post is copy and paste from phpMyAdmin .. the passwords, you can see them .. and they are not encrypted .. this is how the hacker can get access to the DirectI and Enom accounts.

CHMOD 777 disabled
we don't run CGI
phpEXE run on our servers
Suchion
we do run virus and trojan scan on a daily basis
Register globals disabled on our servers
we have port limit to IP address in SSH login

With all of those .. if somebody has access to the WHMCS admin account .. none of the above features will help you .. and 25 servers will be hacked in 5 mins.

Something that I can think about .. the login to server management from the admin area should have another password !! at least some more protections .. where we can feel safe.

This is an open discussion .. for everybody, on how to improve the security in WHMCS.

regards,

PPH Posted June 27, 2007

It's harder to access your WHMCS account than it is to hack any other part of any of your servers. If you have a good password, a hacker would have to keep changing IPs to keep trying different passwords. They would have a better chance hacking your MySQL, in my opinion.

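Added example, not part of any post and not WHMCS code: a sketch of the lockout Matt describes (three failed logins, 15-minute ban), counted per source address and, as an assumption beyond the thread, also per account, so that the address rotation PPH mentions does not reset the count. The class and function names are hypothetical and the scenario in `demo()` is constructed.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 3        # thread: "three incorrect logins"
BAN_SECONDS = 15 * 60   # thread: "banned for 15 minutes"


class LoginThrottle:
    """Hypothetical lockout tracker; not WHMCS's implementation."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(deque)  # key -> recent failure timestamps
        self.banned_until = {}              # key -> time the ban ends

    @staticmethod
    def _keys(ip, username):
        # Per-account key is an added assumption; the thread only implies per-IP.
        return ("ip", ip), ("user", username.lower())

    def is_blocked(self, ip, username):
        now = self.clock()
        return any(self.banned_until.get(k, 0) > now
                   for k in self._keys(ip, username))

    def record_failure(self, ip, username):
        now = self.clock()
        for key in self._keys(ip, username):
            window = self.failures[key]
            window.append(now)
            # Forget failures older than the window so stale typos do not count.
            while window[0] <= now - BAN_SECONDS:
                window.popleft()
            if len(window) >= MAX_FAILURES:
                self.banned_until[key] = now + BAN_SECONDS
                window.clear()


def demo():
    """Constructed scenario: one account guessed from three addresses."""
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    for ip in ("198.51.100.1", "198.51.100.2", "198.51.100.3"):
        throttle.record_failure(ip, "admin")
    blocked = throttle.is_blocked("198.51.100.4", "admin")   # fresh address
    other = throttle.is_blocked("198.51.100.4", "billing")   # other account
    now[0] += BAN_SECONDS + 1
    return blocked, other, throttle.is_blocked("198.51.100.4", "admin")
```

A per-account lock also lets anyone who knows the admin username keep that account locked for the ban period, so it is normally paired with alerting or an address allow-list rather than used alone.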
MACscr Posted June 27, 2007

> we deal with more then 25 servers .. and when some body hack our WHMCS account he hacked 25 server plus DirectI and Enom accounts

Dangit, stop saying they hacked your WHMCS! They didn't, they hacked your MySQL db. If you have proof that they got in through WHMCS, then so be it, but from what you have posted, they didn't get in through WHMCS.

Alfahmad Posted June 27, 2007

MACscr

I have the log file .. where the hacker .. first hacked my email, then he just clicked on forgot password .. and logged in to WHMCS as admin, and then he hacked 25 servers .. plus Enom and DirectI.

I have the log file .. I know the first step was my email .. but is it that easy, if somebody accesses my email .. he will hack 25 servers plus two domain reseller accounts .. only coz WHMCS?

What I am trying to think of .. we should put more protection in server management plus the way we can access it from WHMCS .. this is all that I am asking ..

bear Posted June 27, 2007

> I have the log file .. where the hacker .. first hack my Email then he just click on forget password ..

This would be true of any management script like this, not just WHMCS. Every one I've used, MB, WHM*P, PHPManager, NeoManager, CE and PHPCoin have a way to log in to these things. If you have weak passwords on your email, your server or indeed anywhere that could be used against you, you're vulnerable using any of the above.

PPH Posted June 27, 2007

> MACscr I have the log file .. where the hacker .. first hack my Email then he just click on forget password .. and log in WHMCS as admin and then he hacked 25 servers .. plus enom and directI
>
> I have the log file .. I know the first step was my Email .. but it's that easy if some body access my Email .. he will hack 25 servers plus two domain reseller accounts .. only coz WHMCS?
>
> what I am trying to think of .. we should put more protection in server managements plus the way we can access it from WHMCS .. this is all what I am asking ..

Just what was said earlier. It was a failure due to another service that was not secured properly. If they hacked your email, they could have just as easily used it to compromise the other systems without a copy of WHMCS anywhere!

Alfahmad Posted June 27, 2007

So, why don't we add more features .. so that even if your email is hacked .. something else is needed to hack your 25 servers .. and your domain reseller accounts .. a new layer of protection.

I do agree there is no 100% protection .. but the more protection we have, the better we are.