Someone trying to hack my site

[Jorge Diaz]

Hi every one I have the 5.0.3 version of WHMCS but today I have found that someone opened a support ticket with some php script encoded I have used a decoder and found that is trying to get al my logins also I have found that in this version some patch is already applied but how this hack work because I just saw the screen where the code appear but I haven't opened the ticket how can I know if my site is safe against this I am really worried

[rke211]

take the code they used and paste it into your own support ticket system?

 

If it displays you know they seen it if it doesnt you know they didnt i dont think it will have worked as i found the same code in my own system and it didnt work so id try that

 

if your up to date you should be fine

[tripler]

Your alright like rke said, we are getting alot of attempts as well.

 

Just block the ip cpanel.

 

Here is some more info you could read http://forum.whmcs.com/showthread.php?t=44066

[rke211]

tbf blocking the ip is pointless it will most likely be a proxy

 

and if they want to get round it they will

 

to stop this completely i used a code think it was FlexiHost posted somewhere

 

<?php
$checkvars = array('subject','message');
foreach ($checkvars AS $checkvar) if (strpos($_REQUEST[$checkvar],'{php}')!==false) die('
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn\'t understand how to supply
the credentials required.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>
');

?> 

i just edited it to display a 404 error

 

simple saved it under includes/hooks as nothanks.php or similar

 

that way they cant use the {php} tag

[elysed]

This may help ive found this helpful so far after getting hacked twice. I went into the WHMCS and set the support tickets to only be available for existing clients, and for extra measures I signed up for sitelock.com, they check for security holes in your system and check for code injection etc.

[websavers]

The only problem I've discovered with using the above code to block {php} tags is that editing an email template also triggers it. Anyone have a fix for that side-effect?

[easyhosting]

tbf blocking the ip is pointless it will most likely be a proxy

 

and if they want to get round it they will

 

to stop this completely i used a code think it was FlexiHost posted somewhere

 

<?php
$checkvars = array('subject','message');
foreach ($checkvars AS $checkvar) if (strpos($_REQUEST[$checkvar],'{php}')!==false) die('
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn\'t understand how to supply
the credentials required.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>
');

?> 

i just edited it to display a 404 error

 

simple saved it under includes/hooks as nothanks.php or similar

 

that way they cant use the {php} tag

 

if you do this you will find this also block you from doing certain things from within your Admin area, such as creating or amending email templates.