Spam Filter... how does it work?


nka

I got an email looking like this:

{php}eval(base64_decode <<snipped full code>>

So I tried to add "base64_decode" into the spam filter. Not blocking. Then I tried "*base64_decode*" (without the " "). Not working either.

 

How can I make this work?


Adding just "{php}" without the "quotes" should do it, but only if the tickets were started via email. Tickets submitted via form are not affected by the spam filters. Hopefully your WHMCS is patched or updated to the latest version, or you may have larger issues.


I've just had someone do the exact same thing to my Support Ticket.

When I decoded it I saw that they created a red.php (uploads files) in my template folder. But I haven't yet found out whether they uploaded anything or just tried to send the support ticket.

I would also like to know how to stop {php} tags in the Support ticket area, since the spam filter doesn't catch it?

EDIT: Didn't have the latest version, so I hope this might be "blocked" =) (upgrading now)


Quote:

I've just had someone do the exact same thing to my Support Ticket.

When I decoded it I saw that they created a red.php (uploads files) in my template folder. But I haven't yet found out whether they uploaded anything or just tried to send the support ticket.

If they created that file, the odds are greater they've had elevated access to your clients, installation and servers. Without delay I'd force password changes to all servers and hosted clients, as well as for WHMCS. I'd also reinstall WHMCS and make quite sure that there were no surprise admin accounts in it and so on.

They had access. No telling if they were already using it, but it's time to take immediate action, I'd suggest. My opinion, anyhow.


Quote:

Originally Posted by Niclas

I've just had someone do the exact same thing to my Support Ticket.

When I decoded it I saw that they created a red.php (uploads files) in my template folder. But I haven't yet found out whether they uploaded anything or just tried to send the support ticket.

If they created that file, the odds are greater they've had elevated access to your clients, installation and servers. Without delay I'd force password changes to all servers and hosted clients, as well as for WHMCS. I'd also reinstall WHMCS and make quite sure that there were no surprise admin accounts in it and so on.

They had access. No telling if they were already using it, but it's time to take immediate action, I'd suggest. My opinion, anyhow.

I was hoping WHMCS could have a "Don't accept {php} tags" option in Support tickets ;)

Well, you are right. I must take immediate action and fix this.

Quote:

As above, the email is created by WHMCS, not received by WHMCS.

You therefore add it to your ISP spam filter.

 

How will this prevent them from sending/opening a ticket within WHMCS? It isn't the mail that I receive that's scary. It's that when they open a ticket, it automatically reads the code and the file gets created.

This happened at 08:23 this morning. I woke up at 09:45 and saw that someone had opened a new ticket and thought it looked "strange". My first thought was "Do not open it inside WHMCS, because it will execute". I took the mail and decoded it (never opened it inside WHMCS). And when I saw that the script would create a file inside template_c, I went onto my FTP and checked.

What I saw right away was that it was created at the same time as the ticket was opened (sent in by the user).

Correct me if I'm wrong, but when I open a new support ticket in WHMCS, it will never send a mail first and then create it. Even if I block the email that I got on my phone/mail, this will execute every time someone tries this. Am I right?

If I'm right, how can we stop it? =)

As I wrote before, I just downloaded and upgraded to 5.0.3 (this kind of "script" might be blocked in this version?).


<<snipped full code>>

I didn't post the full code! ;)

Quote:

Does %base64_decode% work?

I'll try!

Quote:

Adding just "{php}" without the "quotes" should do it, but only if the tickets were started via email. Tickets submitted via form are not affected by the spam filters. Hopefully your WHMCS is patched or updated to the latest version, or you may have larger issues.

It's patched. I'm always up-to-date, even more so when I get a security patch.

edit: Ahhh... doesn't show on the Ticket Import Log. So it might have been created directly from the web form. I'll look at captcha and stuff then.


Quote:

If they created that file, the odds are greater they've had elevated access to your clients, installation and servers. Without delay I'd force password changes to all servers and hosted clients, as well as for WHMCS. I'd also reinstall WHMCS and make quite sure that there were no surprise admin accounts in it and so on.

They had access. No telling if they were already using it, but it's time to take immediate action, I'd suggest. My opinion, anyhow.

True, have done that now.

Quote:

Adding just "{php}" without the "quotes" should do it, but only if the tickets were started via email. Tickets submitted via form are not affected by the spam filters. Hopefully your WHMCS is patched or updated to the latest version, or you may have larger issues.

Does this mean that the latest 5.0.3 is secured from this "form attack"? Because it's quite a big deal, since it executes the code directly when it enters the WHMCS ticket. I mean, I don't even have to open the ticket in WHMCS. For me the file was created instantly.


The patch was released around Dec 1, and every release since then has been fixed to disallow this, from what I understand. The exploit doesn't need you to open it; it runs immediately because of a flaw in a third-party product being used (along with "eval" in PHP being enabled on the server): Smarty templating.

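An added example, not WHMCS's own spam filter and not code from anyone in this thread: the check a defender would run over incoming ticket text before it reaches the template engine. It flags the Smarty {php} tag and the eval(base64_decode(...)) wrapper described above, and decodes the encoded string for triage the way Niclas did by hand, on constructed sample tickets (the encoded string is a harmless echo, not a real payload).

```python
import base64
import binascii
import re

# Smarty {php} tag, any case, optional inner whitespace
PHP_TAG = re.compile(r"\{\s*php\s*\}", re.IGNORECASE)
# eval(base64_decode('<b64>')) wrapper; group 1 captures the encoded string
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]?([A-Za-z0-9+/=]+)", re.IGNORECASE
)


def scan_ticket(text):
    """Return {"php_tag", "eval_b64", "decoded"} for one ticket body.

    'decoded' is the base64 string turned back into text so an admin can read
    what the script would do without ever rendering it through Smarty.
    """
    result = {"php_tag": bool(PHP_TAG.search(text)), "eval_b64": False, "decoded": None}
    match = EVAL_B64.search(text)
    if match:
        result["eval_b64"] = True
        try:
            raw = base64.b64decode(match.group(1), validate=True)
            result["decoded"] = raw.decode("utf-8", errors="replace")
        except binascii.Error:
            result["decoded"] = None  # malformed base64: still suspicious, just unreadable
    return result


def is_suspicious(text):
    """True if the ticket carries a {php} tag or an eval(base64_decode(...)) wrapper."""
    r = scan_ticket(text)
    return r["php_tag"] or r["eval_b64"]


# Constructed sample tickets (not taken from the thread)
SAMPLE_B64 = base64.b64encode(b'echo "constructed sample";').decode("ascii")
SAMPLE_TICKETS = [
    "Hi, invoice #1234 shows the wrong amount, can you check?",
    "{php}eval(base64_decode('" + SAMPLE_B64 + "'));{/php}",
]


def triage(tickets=SAMPLE_TICKETS):
    """Indexes of tickets to hold back for review instead of rendering."""
    return [i for i, t in enumerate(tickets) if is_suspicious(t)]
```

Held tickets can then be inspected through the decoded text rather than opened in the ticket view, which is the distinction the thread turns on.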

Quote:

The patch was released around Dec 1, and every release since then has been fixed to disallow this, from what I understand. The exploit doesn't need you to open it; it runs immediately because of a flaw in a third-party product being used (along with "eval" in PHP being enabled on the server): Smarty templating.

Ah great, then I don't have to worry about this =)

Hate that "they" are so smart :P

 

Edit: Sorry for the double post!


No, heh... they tried to use it. That Kayako version doesn't even use Smarty. Don't know about the new one. I imagine you'll be seeing way more hits to obscure applications as more WHMCS installs are patched/upgraded. As is typical of these "simple" exploits, they get released, then tried everywhere by wannabe "hackers".

 

A shotgun approach. You might get the odd one out, but it's a longshot, usually.


Quote:

This happened at 08:23 this morning. I woke up at 09:45....

Nice time to wake up ;-)

 

I also got the {php}eval(base64 code in a support ticket this morning.

 

Thankfully I am fully up to date, but it is only a matter of time before one of these exploits gets through.

 

Thanks to the WHMCS team, hopefully they will be able to stay one step ahead of these scumbags.


Quote:

Thankfully I am fully up to date, but it is only a matter of time before one of these exploits gets through.

The only way something like this would work now on a patched or upgraded system is if something brand new were discovered. This particular hole was closed.
