webKami Posted December 21, 2011

Got Hacked?

If you see an unauthorized admin login in your WHMCS install, or your WHMCS install starts behaving all funny, the chances are your installation has been compromised.

I got hacked, what to do?

For one of our clients, an attack happened before they could apply the recent security patch (version 4.5.2). Looking through files I can see that the attack happened by upload of a PHP file attached to a ticket. It then carried on to add code (an uploader) to the config file, which in turn then uploaded a few scripts in templates_c. Beyond that it tried and wrote a few malicious scripts in other directories on the domain. I also noticed there were a few zip files that had malware in them. Looking at all this you can say the main purpose is to inject malicious code in your website and install malware on your visitors' machines.

Here are the cleanup steps we took after having a word of advice from WHMCS & our hosting support.

Start with a cool mind, do not panic.
Take a backup of the whole system if possible and put that aside.
Take the DB backup, download and test it by importing it in local MySQL. An untested backup is not considered a backup.
In other sub-folders hunt and delete recently written malicious files or unknown zip files.
Take the files backup, move it to a folder above public_html / httpdocs.
Upload a fresh copy of WHMCS of the same version or later.
Clean your infected config file; there will be two obvious sections in it. Leave the first section that only has values in it. Delete the later section that has base64 encrypted or any other code in it. If unsure just create a new config file with the same old DB values.
Do your regular upgrading steps (changing name of admin folder, setting permissions etc).
Finally browse to /admin (or the renamed folder). If you have uploaded a newer version it should upgrade.
Install this security patch: http://forum.whmcs.com/showthread.php?p=206522
If you want to copy your template / lang or any other file from the infected folder, do manually check each file (especially files with a new timestamp) to remove any malicious code before copying.
Change all passwords, including but not limited to admin, super admin, hosting, mysql, email. You will have to update your config once you change the MySQL password.

Above is a very rough list of what I did; your list might differ but the main points are to make sure all files are fresh or cleaned. I hope this information helps somebody else. Feel free to ask any questions here.
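The file-hunting steps in the post above (recently written files, unknown zip archives, an appended obfuscated block in the config file) can be turned into a repeatable triage pass. The script below is an added example written for this thread, not code from WHMCS or from the poster; it builds a small constructed directory tree that imitates the symptoms described (a config file with an appended eval(base64_decode(...)) block, a ticket attachment containing a Smarty {php} tag, a stray zip under templates_c, and one clean old file), then walks the tree, reports why each file deserves a manual look, and decodes literal base64 payloads so you can read what an injected block referenced. The indicator patterns, file names and the demo payload are all constructed for illustration.

```python
"""Post-incident file triage for a WHMCS web root (added example, not WHMCS code)."""
import base64
import binascii
import os
import re
import tempfile
import time
from dataclasses import dataclass, field
from typing import List

# Indicator patterns (constructed for the demo; extend for your own install).
SUSPICIOUS = [
    (re.compile(r"eval\s*\(\s*base64_decode", re.I), "eval(base64_decode(...))"),
    (re.compile(r"\{php\}", re.I), "Smarty {php} tag"),
    (re.compile(r"\b(?:gzinflate|str_rot13)\s*\(", re.I), "obfuscation wrapper"),
]
# A literal base64 string passed straight to base64_decode().
B64_CALL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


@dataclass
class Finding:
    path: str                      # relative to the scanned root
    mtime: float
    reasons: List[str] = field(default_factory=list)
    decoded: List[str] = field(default_factory=list)


def decode_payloads(text: str) -> List[str]:
    """Decode every literal base64_decode('...') argument found in text."""
    out = []
    for m in B64_CALL.finditer(text):
        try:
            out.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            continue  # not valid base64; leave for manual review
    return out


def scan_tree(root: str, since_epoch: float) -> List[Finding]:
    """Return the files under root that deserve a manual look, sorted by path."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            f = Finding(path=os.path.relpath(path, root).replace(os.sep, "/"), mtime=st.st_mtime)
            ext = os.path.splitext(name)[1].lower()
            if st.st_mtime >= since_epoch:
                f.reasons.append("modified after incident window start")
            if ext == ".zip":
                f.reasons.append("archive in web root")
            if ext in (".php", ".tpl"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                for rx, label in SUSPICIOUS:
                    if rx.search(text):
                        f.reasons.append(label)
                f.decoded = decode_payloads(text)
            if f.reasons:
                findings.append(f)
    return sorted(findings, key=lambda x: x.path)


def build_sample_tree(base: str) -> float:
    """Write a constructed WHMCS-like tree (not real WHMCS files); return the
    start of the incident window (one hour ago)."""
    now = time.time()
    since, old = now - 3600, now - 31 * 86400
    payload = base64.b64encode(
        b'echo "constructed payload referencing templates_c/example.php";').decode()
    files = {
        # untouched file: old timestamp, plain values only
        "includes/clean_helper.php": ("<?php\n$db_host = 'localhost';\n", old),
        # config with an appended obfuscated block, the "later section" the OP describes
        "configuration.php": ("<?php\n$db_host = 'localhost';\n$db_name = 'whmcs';\n"
                              "eval(base64_decode('%s'));\n" % payload, now),
        # ticket attachment carrying a Smarty {php} tag
        "attachments/ticket_constructed.php": ("{php} echo 'constructed'; {/php}\n", now),
        # unexpected archive dropped next to compiled templates
        "templates_c/bundle.zip": ("PK\x03\x04", now),
    }
    for rel, (content, mtime) in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))
    return since


def demo() -> List[Finding]:
    """Build the constructed tree in a temp dir, scan it and return the findings."""
    base = tempfile.mkdtemp(prefix="whmcs-triage-")
    return scan_tree(base, build_sample_tree(base))


if __name__ == "__main__":
    for f in demo():
        print(f.path, "->", ", ".join(f.reasons))
        for p in f.decoded:
            print("    decoded:", p)
```

On a real install, call scan_tree on the copy you moved above public_html with the timestamp of the first suspicious ticket, and review every hit by hand before deciding what to keep; a timestamp alone is a reason to look, not proof of tampering.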
CavalloComm Posted December 21, 2011

I would think it's better if someone opened a ticket if something happened rather than telling the world how they got in. This way WHMCS can tell THEIR customer how to fix it.
webKami Posted December 21, 2011 (Author)

Quote: I would think it's better if someone opened a ticket if something happened rather than telling the world how they got in. This way WHMCS can tell THEIR customer how to fix it.

I appreciate your concerns, however I have not explained how to hack it. I have briefly detailed signs of a hacked system. This way you can identify if your system is hacked. My main post is about how to clean up after such an event. Rest assured nobody can hack WHMCS by just reading this post; besides, that issue is fixed in the patch and I am just raising awareness.
FlexiHost Posted December 21, 2011 (edited)

After you have done that, create a file called nothnaks.php and put it in your hooks directory with the following code: *REMOVED* Find a nice image of a virus being downloaded to the user's computer, upload it to your images directory - voila - issue gone.

Edited February 23, 2012 by WHMCS Andrew: Code removed
RebelOne Posted December 21, 2011

Quote: After you have done that, create a file called nothnaks.php and put it in your hooks directory with the following code:

hahaha.... awesome...
Grizzlyware Josh Posted December 21, 2011 (edited)

Quote: After you have done that, create a file called nothnaks.php and put it in your hooks directory with the following code: *REMOVED* Find a nice image of a virus being downloaded to the user's computer, upload it to your images directory - voila - issue gone.

Haha, love it!

Edited February 23, 2012 by WHMCS Andrew: Code removed
FlexiHost Posted December 21, 2011

It is quite funny seeing people end up on that page ;-)
remcom Posted December 21, 2011

Quote: I would think it's better if someone opened a ticket if something happened rather than telling the world how they got in. This way WHMCS can tell THEIR customer how to fix it.

I would disagree with this. One of my complaints with the way WHMCS does patching is not notifying us on what they patched. They released a patch and said it was a serious threat and said 0 about what it is. I understand the concern over others seeing the exploit and attempting to use it, but security is not better if you hide the exploits. Microsoft tried this for years and well, MS Blaster anyone?

Some of the exploits I have been seeing (not affecting me since I am patched) have been deleting the attachment and all trace. This could be bad if this was done prior to the security patch being released. You could have been exploited and not even know it. This is why knowing what the exploit does is important.
sparky Posted December 22, 2011

There are quite a few extra things that you should be doing as well, like:
1) change your WHMCS admin passwords (all)
2) check the DB in tbladmin for a blank admin user
3) change all of your domain/SSL reseller account passwords
4) reset all of the clients' passwords
5) advise all of your clients that it is possible that their CC details have been compromised
6) change ALL server root and reseller passwords
7) change email passwords

That would cover the main things... I came across this helping one of my clients that got hacked. Luckily he didn't have many clients on his system.
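Item 2 of the list above, checking tbladmin for an admin user you did not create, is easy to do badly by eye on a busy install. The snippet below is an added example for this thread, not WHMCS code: it builds an in-memory SQLite copy of a cut-down tbladmin (the column subset is an assumption; the real table is a MySQL table with more columns), fills it with constructed rows including a blank admin of the kind sparky describes, and reports every row whose username is blank or is not on the operator's own list of known admins.

```python
"""Audit a WHMCS-style tbladmin for unexpected accounts (added example, not WHMCS code)."""
import sqlite3
from typing import Dict, Iterable, List

# Assumed subset of tbladmin's columns, reduced for the demo.
SCHEMA = """
CREATE TABLE tbladmin (
    id INTEGER PRIMARY KEY,
    username TEXT,
    firstname TEXT,
    lastname TEXT,
    email TEXT,
    disabled INTEGER DEFAULT 0
)
"""


def audit_admins(conn: sqlite3.Connection, expected_usernames: Iterable[str]) -> List[Dict]:
    """Return rows with a blank username or a username not in expected_usernames.
    Disabled accounts are still reported: a dormant extra admin is still an extra admin."""
    expected = set(expected_usernames)
    findings = []
    cur = conn.execute("SELECT id, username, email, disabled FROM tbladmin ORDER BY id")
    for admin_id, username, email, disabled in cur:
        reasons = []
        if username is None or username.strip() == "":
            reasons.append("blank username")
        elif username not in expected:
            reasons.append("username not in known admin list")
        if reasons:
            findings.append({"id": admin_id, "username": username, "email": email,
                             "disabled": bool(disabled), "reasons": reasons})
    return findings


def demo() -> List[Dict]:
    """Populate a constructed tbladmin and run the audit against a known-admin list."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO tbladmin (id, username, firstname, lastname, email, disabled) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        [
            (1, "admin", "Site", "Owner", "owner@example.com", 0),
            (2, "support", "Help", "Desk", "support@example.com", 0),
            (3, "", "", "", "", 0),                       # blank admin row (constructed)
            (4, "  ", None, None, None, 1),               # whitespace-only, disabled
            (5, "backup", "x", "x", "mail@example.invalid", 0),  # account nobody remembers adding
        ],
    )
    return audit_admins(conn, ["admin", "support"])


if __name__ == "__main__":
    for row in demo():
        print(row["id"], repr(row["username"]), ", ".join(row["reasons"]))
```

Against the live MySQL database the same SELECT runs unchanged through whatever client you use; the point is to compare against a list you maintain outside the compromised system, since the attacker may have edited the table you are reading.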
webKami Posted December 22, 2011 (Author, edited)

Quote: After you have done that, create a file called nothnaks.php and put it in your hooks directory with the following code: *REMOVED* Find a nice image of a virus being downloaded to the user's computer, upload it to your images directory - voila - issue gone.

This is class and hilarious; however, in all seriousness, it could mean whoever is trying the hack might get pissed off and keep your IP on their list to try something else in future. I would just display error 500 or a white screen of death.

Edited February 23, 2012 by WHMCS Andrew: Code removed
webKami Posted December 22, 2011 (Author, edited)

Good points in there, I am putting this up in the OP so it can be more visible.

Quote: There are quite a few extra things that you should be doing as well, like:
1) change your WHMCS admin passwords (all)
2) check the DB in tbladmin for a blank admin user
3) change all of your domain/SSL reseller account passwords
4) reset all of the clients' passwords
5) advise all of your clients that it is possible that their CC details have been compromised
6) change ALL server root and reseller passwords
7) change email passwords
That would cover the main things... I came across this helping one of my clients that got hacked. Luckily he didn't have many clients on his system.

P.S. Actually where is my edit button for the OP?

Edited December 22, 2011 by webKami: Edit button?
akboselk Posted December 22, 2011 (edited)

Quote: After you have done that, create a file called nothnaks.php and put it in your hooks directory with the following code: *REMOVED* Find a nice image of a virus being downloaded to the user's computer, upload it to your images directory - voila - issue gone.

Hi FlexiHost, I created this type of page and uploaded it to the hooks folder, but how can I check its output? Can you mention it step by step please? Thanks

Edited February 23, 2012 by WHMCS Andrew: Code removed
FlexiHost Posted December 22, 2011

Just go and post one of the tickets yourself - same as they do.

michelle Posted December 22, 2011

Thanks for sharing!
ADz83 Posted December 22, 2011

I had the attack support ticket; however I have gone over my hosting and it doesn't look like any files were uploaded to the system or added to templates_c. I also used a base64 decoder to decode the string and found the filename of the file that was supposed to be uploaded, and it wasn't on the system. However I did notice that the attacker, or somebody else, did manage to find my admin URL (a really big random one) and even my admin username and attempt to sign in (and failed). I have changed all my usernames and passwords as well as DB passwords etc. Any ideas how they managed to know my username/admin URL without compromising my system? Any info/advice would be much appreciated.
TommyK Posted December 23, 2011

Quote: I had the attack support ticket; however I have gone over my hosting and it doesn't look like any files were uploaded to the system or added to templates_c. I also used a base64 decoder to decode the string and found the filename of the file that was supposed to be uploaded, and it wasn't on the system. However I did notice that the attacker, or somebody else, did manage to find my admin URL (a really big random one) and even my admin username and attempt to sign in (and failed). I have changed all my usernames and passwords as well as DB passwords etc. Any ideas how they managed to know my username/admin URL without compromising my system? Any info/advice would be much appreciated.

You are probably hacked, but they cleaned up after themselves. Could also be that you have a trojan on your computer, but it's more likely that you have been hacked.
HSc Posted December 23, 2011

I've had 3 hack attempts in the past 2 days. Same support form email as others. Two tickets were submitted within 1 minute of each other today, then they closed their own tickets. I'm running the latest release (5.0.3). I can't see any admin activity or changes. The configuration file hasn't been touched. Only the templates_c directory has new files timed with the hack attempt. Is there anything in the templates_c directory that should cause concern? Have I missed anywhere to look? Is there anything further I should do or just put up with it? Thanks and Merry Christmas, Happy Holidays! HSc
CavalloComm Posted December 24, 2011

As stated above, they load a script that can surf your directories and download anything they want. Since no one agrees with me about posting "how" this is done, feel free to PM me. MOST IMPORTANT! Your hosting provider should have the latest patches and antivirus. Even Clam picks up this hack.
HSc Posted December 24, 2011

Quote: As stated above, they load a script that can surf your directories and download anything they want. Since no one agrees with me about posting "how" this is done, feel free to PM me. MOST IMPORTANT! Your hosting provider should have the latest patches and antivirus. Even Clam picks up this hack.

How can I determine if they loaded a script? What exactly am I looking for? The configuration file doesn't have anything added to it. Thanks.
NickoLabs Posted December 25, 2011 (edited)

Same issue with my system this morning. Nothing seems to have been compromised. I tested the support request system (I did to myself what the hacker did); it doesn't decode the {php} tags (at least, on my hosting service). So my config file wasn't loaded or compromised. Upon reading the raw access log (from the IP of the support querier), he didn't access any other file after this attempt... at least, up to now. Keep me posted on this current issue.

Edited December 25, 2011 by NickoLabs
Ramy74 Posted December 26, 2011 (edited)

Hi Guys, I had 2 hack attacks days ago with WHMCS v.4. After the first attack I changed all my passwords and even usernames, and also made a .htaccess and .htpasswd for the admin folder. But even this didn't help. This hacker team entered the admin area anyway. I also saw several logins in my admin page from foreign IPs, below:
31.214.144.222
188.53.190.145
31.166.44.242
46.153.94.16
80.90.168.43
2.89.87.211
84.235.73.253
89.123.6.159
93.158.147.8
213.186.127.7

Anyway, I already blocked them from accessing my server and also deleted all of WHMCS.

Edited December 26, 2011 by Ramy74
striddy Posted December 26, 2011

Quote: Hi Guys, I had 2 hack attacks days ago with WHMCS v.4.

Have you applied the patch yet? http://forum.whmcs.com/showthread.php?p=206522

Ramy74 Posted December 26, 2011

so you think it will help?
NickoLabs Posted December 26, 2011 (edited)

Quote: so you think it will help?

Greetings. Most hacks are done by robot initially, in order to test the most recent software flaws. The support ticket some of us got is proof of that; even if it didn't do anything (at least on my side), they TEST it either way. Should someone keep an outdated WHMCS version installed, they are at risk. It is very, VERY easy to find WHMCS installs, simply by using the Google search engine, so after that it's up to the robot to test the common flaws. So keeping an installation up to date is the easiest way to prevent hack/defacement.

Edit: I think I found the patch that actually fixes this support ticket thing (it fixes the flaw, not the people trying to test it). http://forum.whmcs.com/showthread.php?t=42121

4.X Security Patch: A potential security issue has been discovered whereby it may be possible for a malicious user to inject a specially crafted combination of variables leading to unexpected results. The issue revolves around the Smarty templating system and template related processing.

The patch is said to fix some Smarty templating stuff, which is the whole point behind the usage of the {php} tag in the support ticket. I strongly suggest you keep your installation up to date, at all times.

Edited December 26, 2011 by NickoLabs
TommyK Posted December 27, 2011

Quote: so you think it will help?

It will help. However, your installation is now already hacked, and I suggest you do a complete reinstall and make sure your WHMCS database has no extra admin users. Change passwords for all clients and the keys/root passwords to your servers.