Jump to content

User from Jordan attempts hacking support


Recommended Posts

I was just hacked by and sent the code to WHMCS. They change my Paypal email to theirs.

The code was put in a sales ticket and then they were in. Don't know how since I do not no code but they got in. Anyway just waiting to hear back from WHMCS. They did it twice so far...........



Link to comment
Share on other sites

We've had several attempts with the support tickets hack since 8 December, fortunately we were patched and so far they have not been able to get in.


It looks like they are actually trying to reset the admin password and gain access to whmcs that way.


Yes. I decoded the code too. It just happened now again. They put support ticket with php base64 coded text. It contains few lines of code basically to connect to mysql using data from configuration.php and reset admin password.


The attack was from : (Saudi Arabia)

Link to comment
Share on other sites

  • 2 weeks later...

They left a lot of code behind. I upgraded my site and, despite doing so, can't login or reset the admin password. Using phpmyadmin I don't see the account they tried to upload. What I provided is not the code they used - it's just a small snippet. It appears they try to exploit the downloads and templates_c directories and trigger it with a support ticket.


The larger problem is that I cannot login with any admin, even after removing the code. Resetting the passwords don't work either.


Note - not that it means anything, but every hacking attempt came from countries in the middle east - Jordan, Saudi Arabia, Iran.

Edited by slinky
Link to comment
Share on other sites

can't login or reset the admin password

Using phpmyadmin I don't see the account they tried to upload

The larger problem is that I cannot login with any admin, even after removing the code.

The script, when operated, deletes the superuser account

That is also why you can no longer login


You should be able to reset your own account back to superuser


If not, then you need to create a new account (which you can later renumber back to number 1 if this is what it was originally) with superuser access


Once you've done all this change the passwords

Then replace all the files dated after the exploit date (from the support ticket)

Then change the passwords again


Sounds to me like you were running default names for folders, etc

Try using other names for these folders

Link to comment
Share on other sites

Thanks for all the info - actually the problem for me ended up being a cookie issue. After clearing the browser everything worked fine. The problem started after the attacks began.


These jerks are uploading files into the templates_c directory and downloads. Not sure what can be done about this but it appears the attempts aren't working since the installation is still secure. But I'm getting now a few of these a day and it's getting ridiculous. I really hope a bounty can be put out some day on people like this and make it worthwhile to hunt them down... a nice dream.

Link to comment
Share on other sites

  • 2 weeks later...
We reported an IP from Jordan to Intelligence service and cyber crime in Jordan :)




I just found it funny that some of these guys actually left their identity in these files. They all want to get some credit for being hackers, I guess... and that leaves you... "appreciated."

Link to comment
Share on other sites


Just got a support ticket - see screenshot here: [LINK REMOVED]


Is this the same thing as what you are discussing here? Do I need to be concerned?

I am all up to date with the latest patches and versions...


yes, it's same with me...recently I got the ticket support with evalbase:

Ticket ID: 442171
Subject: {php}eval(base64_decode <<snipped>>


Whether is the issue/ hole with the submit ticket on WHMCS?

Link to comment
Share on other sites

these are not just from Jordan, ive had them from Spain, Bulgaria, Jordan, UK etc.


1) block the IP in WHMCS

2) using a whois locate the DC of the IP and if you want report this to them


i reported 3 to DimeNOC as this is where the IPs showed as from and got positive replies back that they would take action on the IP owners

Link to comment
Share on other sites

So as long as you have that patch, you are fine i take it.

I should be ok.


@person above me - it is hard to know if it is the same thing if no one has the ability to see it. By doing a screenshot it makes it harder for anyone to copy, plus I would be deleting the screenshot from the server once I know one way or the other.

Edited by MordyT
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...

Important Information

By using this site, you agree to our Terms of Use & Guidelines and understand your posts will initially be pre-moderated