
Got hacked? here is how you cleanup.


webKami


Here are a couple of thoughts from me...

 

1. Put a .htaccess file inside the admin folder preventing unauthorised IPs from accessing your admin section.

 

order deny,allow
allow from xxx.xxx.xxx.xxx
deny from all

 

If you don't have a fixed IP, get one.

 

2. Make sure your admin email cannot be overwritten/updated.

 

The recent hacks also allowed the hacker to change the admin email, so all they did was update the admin email and request a new password. A good way to make sure that even if they do manage to update the admin email it does them no good is to put a small SQL statement inside the config file which updates the admin email with your hard-coded email address. So even if they do manage to compromise the system a little and change the admin email, as soon as a page in WHMCS is loaded, the admin email is overwritten again with your hard-coded one.

 

3. Do not store root usernames and passwords for servers inside WHMCS.

 

If you are running dedicated servers, DO NOT under any circumstances store the root passwords/usernames for your servers. If you are using a cPanel server, just create a reseller account in cPanel and store those reseller credentials inside WHMCS. It's very tempting, for ease, to store your servers' root details in cPanel, but the hacker can easily decrypt the password and access your server within seconds.

Edited by craigedmonds


I was upgraded to 4.5.2 - my server is "secured" with a firewall and they left most of their files on my site. All my attacks were from countries in the Middle East - Saudi Arabia, Jordan, Iran. The index.html left in my downloads folder was:

 

<p class="style1">hadi rahmani & hossien</p>

 

Despite this I'm locked out of my admin account. Reset passwords sent to me do not function. I've had to send in a ticket to get this fixed.


Do I need to delete the folders?

"/home/username/whmcs/templates_c/"

"/home/username/whmcs/attachments/"

"/home/username/whmcs/downloads/"

 

Now I have all of them in whmcsdata, and this folder is not public and has permissions 777 by all.

 

Regards, Ramy


Do I need to delete the folders?

"/home/username/whmcs/templates_c/"

"/home/username/whmcs/attachments/"

"/home/username/whmcs/downloads/"

 

Now I have all of them in whmcsdata, and this folder is not public and has permissions 777 by all.

Yes, remove those public versions. No need to keep them, and better not to have confusion later about which are which.


I also received the dodgy support tickets. I have checked various things and have banned the (Arabian) IP that I found responsible in the activity logs.

 

I have changed the cPanel password and the WHM password but cannot find

 

1. the link to Server Setup under General Settings

2. The tick box to only allow client registration with an order

 

Please advise.


After you have done that, create a file called nothnaks.php and put it in your hooks directory with the following code:

.

.

issue gone.

 

For those who like to keep things simple and silent, here is an extended version of FlexiHost's code. This will close the attacker's account and force a logout :)

*REMOVED*

Edited by WHMCS Andrew
Code Removed

Hi webkami,

 

This post is very informative. I got hacked exactly the same way.

 

I was using 5.0.2 at that time.

 

I went through each step of the cleanup and carried it out. Now I am using 5.0.3. It was downloaded fresh from WHMCS.

It went fine, however I have a problem now.

 

When I log in to the Admin panel, go to Clients and then click on DOMAINS to see all the domain names registered by that particular client, I get a blank page.

 

/admin/clientsdomains.php?userid=XX

 

It was working earlier, before I was hacked.

 

Any suggestions on resolving this issue?

 

P.S.: The only other thing I did while cleaning up was to change the path.

Earlier WHMCS was installed at: http://www.my-website.com/ccms

Now it is installed at: http://client.my-website.com

 

Any help would be appreciated.

 

Regards,

Sri

Edited by iPH - Sriram


I am a victim of a hack attempt as well. It started with the hacker registering as a user, then came the support ticket with PHP.

 

I had the latest update, 5.0.3, when this happened and have followed all the extra security info in setup, so should I be worried? How can I decode the PHP like ATHEiST did?

 

Thanks,

Chad


If you received the ticket then you should be fine. The system wouldn't have displayed the ticket if you were still exploitable. (Not 100% confirmed, just going by what previous ticket hacks had in them when decoded.)

 

You can decode the ticket with any Base64 decoder.


I am a victim of a hack attempt as well. It started with the hacker registering as a user, then came the support ticket with PHP.

 

I had the latest update, 5.0.3, when this happened and have followed all the extra security info in setup, so should I be worried? How can I decode the PHP like ATHEiST did?

 

Thanks,

Chad

 

Well, I just found out my system has been sending emails :-(

 

I closed the account but not the ticket, and this is what the PHP came out as when decoded:

$c3o = base64_decode
[snipped]
$red = fopen("templates_c/red.php","w");
fwrite($red,$c3o);

 

and this is the email the system is sending:

Your email to our support system could not be accepted because it was not recognized as coming from an email address belonging to one of our customers. If you need assistance, please email from the address you registered with us that you use to login to our client area.

 

I assume my system is sending that email because I closed the account?

 

There are no other admin users in the database and I'm now looking for all kinds of stuff that stands out.

 

I'm already running 5.0.3, so should I re-install it? Will that work?

 

Again, I have followed all the security steps: rename of admin, move templates_c and stuff.

 

Thanks for all your help.

Chad

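Added example, not code from any poster in this thread: a small POSIX shell check for the cleanup discussed above. It walks the WHMCS data directories the attackers wrote into (templates_c, attachments, downloads; the paths are whatever you pass in) and reports PHP files that do not belong, matching the base64_decode/fopen/fwrite dropper pattern from the decoded ticket. Because templates_c legitimately holds Smarty-compiled *.php files, only content-matching files are reported there, while any PHP file at all is reported in attachments and downloads.

```shell
#!/bin/sh
# Constructed post-cleanup check (not from the thread). Reports PHP files that
# do not belong in the WHMCS data directories attackers wrote into.
#  - templates_c legitimately holds Smarty-compiled *.php files, so there only
#    files matching the dropper pattern from the decoded ticket
#    (base64_decode, fopen/fwrite, eval, system-style calls) are reported.
#  - attachments and downloads should contain no PHP at all, so every PHP
#    file found there is reported, whatever its contents.
SUSPICIOUS_RE='base64_decode|eval[[:space:]]*\(|fwrite[[:space:]]*\(|system[[:space:]]*\(|passthru[[:space:]]*\(|shell_exec[[:space:]]*\('

scan_whmcs_dirs() {
  # $@: directories to inspect, e.g. /home/username/whmcs/templates_c
  for d in "$@"; do
    [ -d "$d" ] || continue                 # skip paths that do not exist
    base=$(basename "$d")
    # PHP under the extensions cPanel/Apache setups commonly hand to the PHP handler
    find "$d" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null |
    while IFS= read -r f; do
      if grep -Eq "$SUSPICIOUS_RE" "$f"; then
        printf 'SUSPICIOUS %s\n' "$f"        # dropper/shell-like content, any directory
      elif [ "$base" != "templates_c" ]; then
        printf 'UNEXPECTED-PHP %s\n' "$f"    # PHP in an upload directory is never expected
      fi
    done
  done
}

# Stand-alone use: sh whmcs_scan.sh /home/username/whmcs/templates_c /home/username/whmcs/downloads
if [ "$#" -gt 0 ]; then
  scan_whmcs_dirs "$@"
fi
```

Anything reported should be compared against a fresh WHMCS download of the same version before deleting it, since a compiled template can always be regenerated but a customer attachment cannot.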

Very excellent!! Our entire network of servers was hacked and we couldn't figure out how that was done until we found shell files installed on WHMCS. It came right down to the root passwords being changed by hackers on our machines.

 

First thing is to remove the shell or hacked files. Then we installed the security patch:

http://forum.whmcs.com/showthread.php?p=206522

 

Then we looked at locking down WHMCS a bit more by restricting login to only certain IPs, so that even if the hacker got the information they needed they couldn't log in anyway. We simply followed the steps in this document:

http://docs.whmcs.com/Further_Security_Steps

 

Then we locked down our servers and restricted shell access and root login to only our IPs.

 

Thanks for the post, this helped us a lot. We used to operate under a reactive model (when something goes wrong, fix it) and as a result of the recent hacks have put a team in place to proactively monitor suspicious activity, and it's interesting the things we're coming across. BUT we have not been hacked again since.


Sorry, had to fix your message before it makes sense.

 

I would think it's better if someone opened a ticket if something happened rather than telling the world how they got in. This way WHMCS can tell THEIR customer how to fix it.

 

I have explained it before: I am not describing how they got in. There is a lot to it, and besides, staying quiet about a vulnerability hurts more. As I shared what I did, some nice people shared more tips, and it all helps make a more secure system.

 

 

Edit: just realised you might just be quoting the original message with some (invisible) smiley; my message stands for the original commenter.

Edited by webKami
mis-quoted

Actually I haven't really been hacked - or any of my accounts - but I can really say that it is much of a hassle.

 

Does anyone have any friends they can recommend to trace these hackers? And it would be better if they don't just accept money, but maybe gadgets as well, because some of us have some extra gadgets but not money. :)

 

 

 



I was just hit this morning with this - it didn't do anything though. Also decoded it - a totally different file than red.php - but it never made it onto my server.

 

IP was: 96.44.148.246

 

Just in case y'all wanna block it...

 

Doesn't matter what they call it lol

 

I had the problem a while ago of them getting into my admin folder, so since then I've also added a directory password using cPanel; seems to have done the trick.

 

The bug is fixed, as there were two attempts today to access my site: one was a rather large SQL query to write out all the crucial details such as cPanel details, card details, clients' passwords etc.

 

Another was again just to upload a file, but I tested them myself and it did nothing.


Here are a couple of thoughts from me...

The recent hacks also allowed the hacker to change the admin email, so all they did was update the admin email and request a new password. A good way to make sure that even if they do manage to update the admin email it does them no good is to put a small SQL statement inside the config file which updates the admin email with your hard-coded email address. So even if they do manage to compromise the system a little and change the admin email, as soon as a page in WHMCS is loaded, the admin email is overwritten again with your hard-coded one.

 

I like the SQL inside of config. Care to share the statement? I don't write SQL or PHP very well :)


I like the SQL inside of config. Care to share the statement? I don't write SQL or PHP very well :)

That won't do you much good, as they have already had access to your configuration file to get the DB details and encryption hash.

What's to say they won't just remove that code or alter it to make it a little easier for them!
