OurWebMedia Posted December 13, 2011

Hello, I am quite concerned about something that has recently happened. I'll explain...

The other day I received a support ticket and when I logged into WHMCS to look at it, I noticed as soon as I opened the Support area that I was prompted by AVG that there was a threat. It was contained and removed. I removed the support ticket and banned the IP address.

Then today, I received another support ticket about 3 hours ago but was away and unable to get to a computer. I did notice though that it was a PHP script when I was sent the notification. This time, however, when I logged into WHMCS there was no support ticket open anymore. Then I see in the Recent Activity that it's stating a file was uploaded to the "Downloads" area called "indexx.php", which wasn't there when I checked. I took a screenshot though of the recent activity and will attach it to this post; I've also attached a screenshot of the PHP script.

So now I'm just going through my server reports and I just noticed there is a "WHM Root Access Notification" sent to my email. The IP address that was recorded in Recent Activity is the IP address that accessed WHM Root.

Now I'm uncertain what to do and beside myself with fear that something is exposed to this guy that shouldn't be. I'm not sure what I should do or how I should proceed. Could someone please help me out? I am using version 4.5.2 and have applied the various security patches that were sent to me from WHMCS, so I'm not sure how or why this happened. Should I restore a backup? What are the possibilities of what this guy could have done? I'm quite worried.

Thanks to anyone who can offer me some assistance.

Kind regards,
Bryce
OurWebMedia Posted December 13, 2011

Please note: All security fixes and patches have been applied as WHMCS sent out the notifications.
WHMCS CEO Matt Posted December 13, 2011

Hi Bryce,

Do you have a ticket open with us on this? If not, please do, and send your WHMCS admin URL & login details along with FTP access so we can have a look at your setup.

Matt
OurWebMedia Posted December 13, 2011

Hello Matt,

I appreciate your response. I wasn't sure which might get answered first, so I opened them both. I have already consulted the situation with you via support and I appreciate every second you've spent with me. I am now in the process of updating to v5 and checking the server for any new files.

Thanks again Matt, you're great!

Bryce
tsiedsma Posted December 13, 2011

I also received support tickets like this. Someone is trying to exploit WHMCS via Smarty by enclosing eval() code in {php}{/php}.
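The injection path described above (ticket text reaching a Smarty template with {php} tags enabled) can be triaged on the inbound side. The script below is an added example written for this thread, not code from WHMCS or Smarty. It assumes that a {php}...{/php} block inside ticket text is the payload container and that the ticket bodies shown are constructed samples, not real tickets. It flags tickets carrying such blocks, lists the suspicious PHP calls found inside them, and shows how to neutralize Smarty delimiters so the text renders literally if it must pass through a template at all.

```python
"""Triage helper for support-ticket bodies carrying Smarty {php} payloads.

Added example for this thread; not WHMCS or Smarty code. Assumes the
injection path tsiedsma describes: user-submitted ticket text is compiled
by Smarty with {php} tags enabled, so a {php}...{/php} block runs as PHP.
All ticket bodies below are constructed samples.
"""
import re
from dataclasses import dataclass, field

# Smarty {php}...{/php} block. Tag names are case-insensitive in Smarty,
# and DOTALL lets a multi-line payload match.
PHP_BLOCK = re.compile(r"\{php\}(.*?)\{/php\}", re.IGNORECASE | re.DOTALL)

# PHP calls commonly used to stage or obfuscate a payload inside such a block.
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13|system|exec|shell_exec|"
    r"passthru|file_put_contents|fwrite)\s*\(",
    re.IGNORECASE,
)


@dataclass
class Finding:
    ticket_id: str
    php_blocks: int                      # number of {php} blocks found
    calls: list = field(default_factory=list)  # sorted suspicious calls inside them

    @property
    def malicious(self) -> bool:
        # A {php} block in a customer ticket has no legitimate use.
        return self.php_blocks > 0


def scan_ticket(ticket_id: str, body: str) -> Finding:
    """Return a Finding describing any Smarty {php} payload in the ticket body."""
    blocks = PHP_BLOCK.findall(body)
    calls = sorted({
        m.group(1).lower()
        for blk in blocks
        for m in SUSPICIOUS_CALLS.finditer(blk)
    })
    return Finding(ticket_id, len(blocks), calls)


def neutralize(body: str) -> str:
    """Make ticket text safe to hand to a Smarty template as literal text.

    Every brace is replaced by Smarty's {ldelim}/{rdelim} output tags, which
    render as literal '{' and '}' and can never open a {php} block. Done in a
    single pass so the inserted tags are not themselves rewritten.
    """
    return re.sub(r"[{}]", lambda m: "{ldelim}" if m.group() == "{" else "{rdelim}", body)


def triage(tickets: dict) -> dict:
    """Scan a batch of {ticket_id: body} and return only the malicious findings."""
    results = {tid: scan_ticket(tid, body) for tid, body in tickets.items()}
    return {tid: f for tid, f in results.items() if f.malicious}


# Constructed sample tickets (not real submissions).
SAMPLE_TICKETS = {
    "T-1001": "Hello, my site has been down since the DNS change. Please help.",
    "T-1002": "{php}eval(base64_decode('cGhwaW5mbygpOw=='));{/php}",
    "T-1003": "Subject: urgent\n{PHP}\n  system('id');\n{/PHP}\nthanks",
}


if __name__ == "__main__":
    for tid, finding in triage(SAMPLE_TICKETS).items():
        print(f"{tid}: {finding.php_blocks} {{php}} block(s), calls={finding.calls}")
    print("neutralized:", neutralize(SAMPLE_TICKETS["T-1002"]))
```

The scanner is for triage and blocking, not the fix: the real fix is the vendor patch, so that ticket text is never compiled as a Smarty template (or {php} tag support is disabled in the Smarty instance). `neutralize` is defense in depth for any place where customer-supplied text still has to pass through a template.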
w3designstudios Posted December 13, 2011

It appears we were just affected as well. The user with the IP address '94.99.12.33' just submitted a support ticket with the following code:

Code Removed.

It appears to have created a directory on the server, gained access to the configuration file, replaced the admin user, and I'm not sure about what else yet.

Edited December 13, 2011 by w3designstudios
laszlof Posted December 13, 2011

http://docs.whmcs.com/Further_Security_Steps
srinet Posted December 13, 2011

We also got the same support ticket opened from IP 94.99.12.33 the day before yesterday. Since we installed the latest security patch, there was no impact. Seems like 94.99.12.33 is a big attacker!
rega Posted December 16, 2011

I have also received these. If we patched those security holes that WHMCS mentioned, is everything safe? Do I need to check anything? I never opened those tickets.
tsiedsma Posted December 16, 2011

If you applied the latest security patch, you are fine. I keep getting these too and it's best to just block and delete.
m8internet Posted December 16, 2011

> it's best to just block and delete

I was considering blocking, but I already have customers in those countries, and on checking the IP addresses they use, this is not possible.
Lawrence Posted December 21, 2011

If you are running only your main site (and WHMCS) on the server, you can disable the eval() PHP function and prevent most of these types of hacking attempts from working in the first place.
sparky Posted December 21, 2011

> If you are running only your main site (and WHMCS) on the server, you can disable the eval() PHP function and prevent most of these types of hacking attempts from working in the first place.

Ahh... no you can't, as the core WHMCS uses eval, by memory.