Got hacked? here is how you cleanup.


webKami

WHMCS CEO
I have looked at the thread, but could not find a definitive answer on this.

If we create a new ticket with that PHP code, and it does not do anything, then are we safe from this exploit?

The "exploit" which we released a patch for on December 1st last year, prior to it becoming widely known and exploited, was fixed by the patch, so providing you applied that patch, or have upgraded to a release published since that time (V5.0.3 or later), you will be protected against it.

Unfortunately anybody who has been affected by it either did not apply the patch as recommended, did not upgrade, or had other vulnerabilities in their system that allowed them to be compromised. So as long as you're up to date, there's no problem.

Matt


I have to admit, I giggled each time I saw those tickets... we've only had this done to us like 4-5 times... but each time, they were never able to get anything into our billing system.

It delights me because I like the feeling of being a smug ******* that made damn sure that there weren't many ways of getting into our system.

Likewise, nothing was affected, but I quad-checked just in case and had others check as well... all good.

Pretty sure my habit of upgrading a month after an update's been released has helped keep it safe. Though, when I heard of the exploit, I immediately updated after that, so I was pretty safe anyway at that point.


Yep, it is. I put this in place on my system when it kept getting hacked previously, and since I've done this my admin folder is secure and no access has been gained :)

If you were getting hacked frequently before adding the htaccess restriction, something is definitely wrong with your setup/system/server. There are no known exploits that haven't been addressed (that I'm aware of) in WHMCS, so if you were seeing successful exploits against that, something else may be going on that definitely needs addressing.


1 month later...

Hi,

I have a new issue! Recently we got hacked. Well, our website didn't show any signs of hacking, but I noticed that some of our clients' servers were hacked and were being used to DDoS. After investigation I figured out that the clients who didn't change their server details from WHMCS were hacked, which means WHMCS was compromised or hacked. I also saw unusual activity in WHMCS as well.

Here are some examples:

http://screensnapr.com/v/mLPr6Q.jpg An order with a negative balance.

And when browsing to the client profile, there is no product or service on their account.

Screen shot: http://screensnapr.com/v/SlzAKt.jpg

One more thing: whenever we used the intelligent search option, WHMCS would ask us to re-login. So I went ahead and replaced the WHMCS files with fresh new ones, and then we could not reproduce any more errors.

What surprises me is, we were using the latest version of WHMCS and everything is secured.

We host our website with KnownHost and the VPS was secured as well; I didn't get any notification of anyone entering the VPS or logging in to it. I did speak to KnownHost and they said they do not find anything suspicious in my account.

One point I would like to mention is that the templates_c folder was in the WHMCS folder, so could this be the reason? What is usually stored in the templates_c folder?

I am not sure how the hacker managed to hack it :|

Any help or assistance would be great!


3 weeks later...
How did it get there?

(We've removed the full code, no point giving that to someone that may be reading and want to use it on someone.)

It's possible you were breached before patching or upgrading to v5.0.3.

You need to run a full virus and malware scan on your system; you can safely assume that this is not the only file planted into your system. As previously suggested, a full backup stored to one side, then a fresh install, unless you can be 100% sure there is nothing else.

You can save the database as long as you go through it with a fine-toothed comb and ensure there is nothing amiss.

Good luck. Patching now if you have not, or upgrading your install currently, will not do anything for you other than block any further attempts, but you need to clean house first.


Ah, I see you already fixed it :) ... Did you happen to note the date of creation, or modify or last access? Those can be useful to know when it was uploaded; if modified, it means they have been in or used another script, and a last access of the file that is recent means they likely had all the info they wanted about your system.

My system was compromised a little while back, before the patch, but I was unaware. I just deleted the original ticket because it looked like it did nothing; I expected it to have displayed something. That was my error.

Anyway, the bottom line here: they had all sorts of info on my system, even down to my domain API access keys and the like. So you can imagine the havoc this can cause. It isn't just your installation you need to protect and password reset, it's anything that was enabled and configured in your WHMCS installation. Domain accounts, all servers, gateway accounts, anything that uses the email/username and password needs to be sorted out.

That's the real reason they want these attacks to go undetected; they can then have unlimited access to everything you use in your daily business.
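The two replies above boil down to one check: compare the deployed install against a fresh copy of the same release, and record the timestamps of anything that was planted or altered. The script below is an added example written for this thread, not WHMCS's own tooling; the directory names are placeholders, and it assumes GNU `sha256sum`, `find`, `awk` and `stat`.

```shell
#!/bin/sh
# compare_tree FRESH_DIR DEPLOYED_DIR
# Prints one line per suspicious file in the deployed tree:
#   "PLANTED <path>"  - exists only in the deployed tree (e.g. a script
#                       dropped into templates_c)
#   "MODIFIED <path>" - contents differ from the untouched release
# Files whose hashes match the fresh copy are not printed.
# Assumes file names contain no whitespace (sha256sum output is split on it).
compare_tree() {
    fresh_dir="$1"
    deployed_dir="$2"
    fresh_manifest=$(mktemp)
    deployed_manifest=$(mktemp)
    # Build a "hash  ./relative/path" manifest of every regular file.
    (cd "$fresh_dir" && find . -type f -exec sha256sum {} +) > "$fresh_manifest"
    (cd "$deployed_dir" && find . -type f -exec sha256sum {} +) > "$deployed_manifest"
    # First file loads the known-good hashes; second file is classified.
    awk 'FILENAME == ARGV[1] { fresh[$2] = $1; next }
         !($2 in fresh)      { print "PLANTED " $2; next }
         fresh[$2] != $1     { print "MODIFIED " $2 }' \
        "$fresh_manifest" "$deployed_manifest" | sort
    rm -f "$fresh_manifest" "$deployed_manifest"
}

# report_times DEPLOYED_DIR
# Reads compare_tree output on stdin and appends the modify, change and
# access times (GNU stat) so the timeline can be reconstructed: the earliest
# mtime among planted files bounds when the upload happened, and a recent
# atime means the file was still being used.
report_times() {
    deployed_dir="$1"
    while read -r status path; do
        printf '%s %s mtime=%s ctime=%s atime=%s\n' "$status" "$path" \
            "$(stat -c %y "$deployed_dir/$path")" \
            "$(stat -c %z "$deployed_dir/$path")" \
            "$(stat -c %x "$deployed_dir/$path")"
    done
}

# Example invocation (placeholder paths):
# compare_tree /tmp/whmcs-fresh /var/www/whmcs | report_times /var/www/whmcs
```

Take the timestamps before touching or deleting anything, since copying in fresh files resets them and mounts with `noatime` never record access times.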
