davet, December 23, 2011:
About 5-6 times daily someone (always from a different IP) opens a sales ticket with code similar to the following within the body of the message: {php}eval(base64_decode
I block and delete the ticket, but they just keep submitting sales tickets with different input strings and from different IPs. I understand they are trying to hack into my site. Is this something I need to worry about? I've seen the attempts increase within the last month. I've never had this problem before. Is there any way to prevent them from submitting the ticket at all if they are including things like "{php}eval(base64" within the ticket?
(Edited December 24, 2011 by bear: No need to post the actual exploit, yet again.)
laszlof, December 23, 2011:
Did you apply the security patch released earlier this month? If so, you don't have much to worry about. The exploit was released at the beginning of December, which is why you are seeing a lot of it.
Lawrence, December 23, 2011:
Hacking attempts are always something you should be concerned about. One thing we did, because our WHMCS is on a server by itself, is disable the eval function in php.ini using the disable_functions setting. It will stop these hacks right in their tracks.
Sliffer21, December 26, 2011:
> davet wrote: About 5-6 times daily someone (always from a different IP) opens a sales ticket with code similar to the following within the body of the message: {php}eval(base64_decode [...] Is there any way to prevent them from submitting the ticket at all if they are including things like "{php}eval(base64" within the ticket?

I'm getting the same issue. I patched when it came out and have been told it fixes this problem, but now it's just becoming a bother. I get several tickets a day with this attempt. It's just plain annoying, and it's sad because I got 3 emails on Christmas with this attack. It's sad that people don't have anything better to do. I hope WHMCS comes out with a patch just to prevent tickets from being opened with this patched exploit.
Sliffer21, December 26, 2011:
Hey, I got it. Just block it: go to WHMCS and then Setup >> Support >> Spam Control, paste {php}eval(base64_decode and block it as a phrase.
TommyK, December 27, 2011:
> Sliffer21 wrote: Hey, I got it. Just block it: go to WHMCS and then Setup >> Support >> Spam Control, paste {php}eval(base64_decode and block it as a phrase.

Does not work with tickets created by submitting a form. Install the patch and you are safe anyway. If you don't want to see the tickets, just create a hook to stop them. /includes/hooks/stophack.php:
[REMOVED]
(Edited March 8, 2012 by WHMCS Andrew: Removing code.)
raeyo, December 29, 2011:
Also got 2 hacking attempts via ticket (base64) - from Devil Iraq and red virus (... yea right). Installed the latest patch - fingers crossed they can't get in...
TommyK, December 30, 2011:
> raeyo wrote: Also got 2 hacking attempts via ticket (base64) [...] Installed the latest patch - fingers crossed they can't get in...

If you have had hacking attempts before you applied the patch, you should take all actions you can to make sure you are safe.
TommyK, January 20, 2012:
> TommyK wrote: Does not work with tickets created by submitting a form. Install the patch and you are safe anyway. If you don't want to see the tickets, just create a hook to stop them. /includes/hooks/stophack.php: [REMOVED]

Hm, for some reason I can't save my email templates if I enable this hook. Anyone know a way around that?
/Tommy
(Edited March 8, 2012 by WHMCS Andrew: Removing code.)
Vijay, January 20, 2012:
I guess your email templates must contain that code. You can rename the hook file extension temporarily to .php.bak to disable it when you need to edit the email templates, and once you finish editing just rename the file extension back to .php.
supernix, January 21, 2012:
Glad to see this was dealt with. I thought I was the only one that got one of those stupid messages.
SilverNodashi, January 26, 2012:
> Vijay wrote: I guess your email templates must contain that code. You can rename the hook file extension temporarily to .php.bak to disable it when you need to edit the email templates, and once you finish editing just rename the file extension back to .php.

No, you can't edit any email templates when using that action hook. Here's a "stock WHMCS template" which got caught by the hook, and the error was displayed:

    <p>Dear {$client_name},</p>
    <p>You requested that you be reminded of your Client Area Login Details. They are as follows:</p>
    <p>Email Address: {$client_email} <br />
    Password: {$client_password}</p>
    <p>You can login at {$whmcs_url}</p>
    <p>{$signature}</p>
xboss, January 27, 2012:
This is for opening support tickets from an unregistered user? I don't think I want to allow unregistered users to use the WHMCS ticket system. Seems like the best plan, eh?
wsa, January 27, 2012:
This is too much already. Once you get that, check your files, because I found 2 files in the attachments folder.
supernix, February 23, 2012:
Do you think that just disabling the ability to submit tickets without an account will work for that?
davet (author), February 23, 2012:
> supernix wrote: Do you think that just disabling the ability to submit tickets without an account will work for that?

You wouldn't want to require registration for Sales tickets. We have customers now that complain they have to login to open Support and Billing tickets. I can't imagine how many potential customers we'd upset if we had to require registration just to contact us with Sales questions.
supernix, February 24, 2012:
> davet wrote: You wouldn't want to require registration for Sales tickets. [...] I can't imagine how many potential customers we'd upset if we had to require registration just to contact us with Sales questions.

WOW, that is bad. I have no doubt that this is the case with many customers. I didn't really think about that part of the equation. I wish they could get better captcha to help thwart the robots.
madsere, February 25, 2012:
How about extending the '{php}' to '{php}eval(base64_decode' - wouldn't that solve the problem:
[REMOVED]
(Edited March 8, 2012 by WHMCS Andrew: Removing code.)
madsere, March 7, 2012:
No, it won't. Just had someone from Algiers open a new ticket with this by using a combination of upper and lower case characters for "eval": {php}evaL(base64_decode(
Anyway, easily solved by replacing strpos with stripos, which does case-insensitive comparisons.
[REMOVED]
(Edited March 8, 2012 by WHMCS Andrew: Removing code.)
WHMCS Andrew (WHMCS Developer), March 8, 2012:
> supernix wrote: I wish they could get better captcha to help thwart the robots.

Unfortunately even with Google reCaptcha enabled these tickets are being submitted, as it is someone actually submitting the ticket, and not a robot.
From our side, we would not advise you use that code as it does stop some other page submissions from working. The code isn't being executed and is not causing any harm to your WHMCS. You can just delete the tickets.
madsere, March 8, 2012:
Would you mind explaining to me how my code could ever stop bona fide content? I cannot imagine any time I would allow someone to push '{php}eval(base64_decode' through my WHMCS installation.
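The two points raised above (madsere's stripos fix for the "evaL" variant, and WHMCS Andrew's warning that a hook which inspects every request breaks unrelated page submissions such as saving email templates) can be combined in one filter. The following is an added example, not the hook removed from this thread and not WHMCS code: a case-insensitive, whitespace-tolerant detector for Smarty `{php}` tags and `eval(base64_decode(` chains, written for PHP 7.1+, with a self-check over constructed sample inputs that includes the stock WHMCS email template from SilverNodashi's post (which must not be flagged). The `add_hook('TicketOpen', ...)` wiring and the `$vars['subject']`, `$vars['message']` and `$vars['email']` keys are assumptions about the WHMCS hook API and should be checked against your version's hook documentation; if that hook point fires only after the ticket record is written, the ticket would have to be deleted rather than the request aborted. (One caveat on the php.ini suggestion earlier in the thread: `eval` is a language construct in PHP, not a function, so `disable_functions` does not switch it off; filtering the input and applying the vendor patch are the practical controls.)

```php
<?php
// Added example: detect the Smarty-style template-injection payload seen in
// this thread. Not WHMCS code and not the hook that was removed above.
declare(strict_types=1);

/**
 * Return the name of the first pattern that matches, or null if the text looks clean.
 * Only Smarty {php} tags and eval/base64_decode chains are flagged; ordinary Smarty
 * variables such as {$client_name} in WHMCS email templates do not match.
 */
function detectTemplateInjection(string $text): ?string
{
    $patterns = [
        // "{php}", "{ PHP }", "{php attr}" - any case, optional whitespace inside the braces.
        'smarty_php_tag' => '/\{\s*php\b[^}]*\}/i',
        // "eval(base64_decode(", "evaL ( base64_decode(" - any case, arbitrary whitespace.
        'eval_base64'    => '/\beval\s*\(\s*base64_decode\s*\(/i',
    ];
    foreach ($patterns as $name => $regex) {
        if (preg_match($regex, $text) === 1) {
            return $name;
        }
    }
    return null;
}

// ASSUMED wiring for a WHMCS action hook file (e.g. /includes/hooks/ticketfilter.php).
// The hook point name and $vars keys are assumptions, not taken from this thread.
// Attaching the check to the ticket hook only, instead of to every request, is what
// keeps admin pages such as the email template editor working.
if (function_exists('add_hook')) {
    add_hook('TicketOpen', 1, function (array $vars): void {
        $hit = detectTemplateInjection(($vars['subject'] ?? '') . "\n" . ($vars['message'] ?? ''));
        if ($hit !== null) {
            error_log(sprintf('Blocked ticket from %s: matched %s', $vars['email'] ?? 'unknown', $hit));
            exit('Your message could not be submitted.');
        }
    });
}

// Self-check when run from the command line (php ticketfilter.php).
// Sample inputs are constructed for this example: payload variants from the thread,
// plus legitimate content that must pass.
if (PHP_SAPI === 'cli' && !function_exists('add_hook')) {
    $samples = [
        '{php}eval(base64_decode("aGVsbG8="));{/php}'                     => 'smarty_php_tag',
        '{php}evaL(base64_decode(\'x\'))'                                  => 'smarty_php_tag',
        'hello { PHP } world'                                               => 'smarty_php_tag',
        "EVAL (\n base64_decode( 'x' ))"                                   => 'eval_base64',
        '<p>Dear {$client_name},</p><p>Password: {$client_password}</p>'   => null,
        'Can I get a quote for 10 cPanel accounts?'                         => null,
    ];
    foreach ($samples as $text => $expected) {
        $got = detectTemplateInjection($text);
        printf("%-4s %s -> %s\n", $got === $expected ? 'ok' : 'FAIL', json_encode($text), var_export($got, true));
    }
}
```

The first regex anchors on the `{php` tag itself rather than on a fixed string, so the upper/lower-case and spacing tricks that defeated a plain strpos comparison are covered in one place; the second catches the `eval(base64_decode(` chain even outside a Smarty tag, which is what the spam-control phrase filter was meant to match. Run the file directly to see each constructed sample and whether it is flagged before deploying it as a hook.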
tkalfaoglu, May 3, 2012:
Why is the code REMOVED? I want to stop the daily php-eval mess I keep getting. I have captchas enabled.
durangod, May 3, 2012:
Unfortunately I don't believe that any captcha alone is going to solve the problem. Many professionals I have spoken with believe that captcha was outdated the day after it was released, and many captchas have been defeated, some quite easily. This link was given to me by a WordPress guru on the WP support thread. It shows captchas that have been defeated.
http://caca.zoy.org/wiki/PWNtcha
So if it is a bot doing this, which I believe it is, some kind of sniffer myself just looking for holes, I think the best solution is to come up with an anti-bot question in addition to the captcha. Nothing is foolproof from my experience, but I know that as soon as I added an anti-bot question to some of my other sites, a lot of the BS stopped; at least it put a dent in it.
It would be nice to not even get this base64 message; I get it too. But I have been assured it has been taken care of in my version, which I installed in Feb (ver 5.03), and receiving the message is just an annoyance; I have been assured it is not harming me. I hope for a better solution myself to avoid even seeing it.
(Edited May 3, 2012 by durangod.)
Sliffer21, May 4, 2012:
Just create a hook to make the ticket die.
redham, July 17, 2012:
I have had ENOUGH damage done to my business from this hacking exploit already! I don't like seeing the "php_eval" mails just because it reminds me of all my lost business. It doesn't seem too much to ask the WHMCS development team to come up with a block to keep these mails OUT OF my ticket system! How about it? Please come out with instructions on how we can do this ourselves if nothing else.