WHMCS.com Hacked?

This is correct: many scanners are not capable of figuring it out on other ports, but they do alert you that the other port is open; they just don't detect it as SSH, so they cannot perform the password check.

Hmmm, I have a couple of customers, default port, no issues with passwords at all. PCI scans (SecurityMetrics, McAfee) have been running for years with no issues. I've yet to be flagged on that one, or have a client flagged. Not that I run SSH on a default port any more, or allow passwordless logins for my own servers...

----


I don't think this is true... HostGator has been around much longer than SoftLayer... I have been with them (SL) since they opened.

They might have some servers there... but my point was that a SoftLayer server is self-managed, and WHMCS would then hire a 3rd-party security firm to manage the server, and this would never have happened because, again, the attacker wouldn't know the name of the 3rd party to call on the phone to request SSH key access.

Remember SL bought The Planet, which is where all the original HostGator servers were.

So yes, their boxes are all at SL data centers in Houston, Dallas and DC.

----

I just received an email from WHMCS; thought I would post it here as well because, as posted earlier in this topic, it seems the emails are being queued and sent, so anyone who has not received it yet can see it.

 

Unfortunately today we were the victim of a malicious social engineering attack which has resulted in our server being accessed, and our database being compromised.

 

To clarify, this was no hack of the WHMCS software itself, nor a hack of our server. It was through social engineering that the login details were obtained.

 

As a result of this, we recommend that everybody change any passwords that they have ever used for our client area, or provided via support ticket to us, immediately.

Regrettably as this was our billing system database, if you pay us by credit card (excluding PayPal) then your card details may also be at risk.

 

This is just a very brief email to alert you to the situation, as we are currently working very hard to ensure everything is back online & functioning correctly, and I will be writing to you again shortly.

 

We would like to offer our sincere apologies for any inconvenience caused. We appreciate your support, now more than ever in this challenging time.

 

----

WHMCS Limited

http://www.whmcs.com

----

Yep, I know that my site is fine, but I am thinking about our customers: if this hits the big news sites such as the BBC, they are going to see "WHMCS hacked" and most likely come to the wrong conclusion that our hosting billing has been hacked when it has not.

I think it will make sense that I draft something and send it out to my customers; I guess it's better to let them know clearly that we are not affected, just whmcs.com.

If you didn't pay for the removal of the WHMCS tag in your installation, then yes, you would probably need to be proactive in this.

If you did, the likelihood is that most customers wouldn't have a clue who or what WHMCS is = no panic.

I also can't see this hitting the BBC :-)

----

Remember SL bought The Planet, which is where all the original HostGator servers were.

So yes, their boxes are all at SL data centers in Houston, Dallas and DC.

They are actually in The Planet still... it's been years since I have been up to date with The Planet infrastructure... do they have the same network-based IDS and IPS systems?

But again, by them being at a bargain host... their information was just handed over... this would not have happened with SoftLayer + a 3rd-party security management firm.

----

I don't think this is true... HostGator has been around much longer than SoftLayer... I have been with them (SL) since they opened.

They might have some servers there...

This is incorrect. See here:

http://support.hostgator.com/articles/pre-sales-policies/how-many-servers-does-hostgator-have-and-where-are-they-located

and here:

http://support.hostgator.com/articles/hosting-guide/hardware-software/softlayer-datacenter

----

But again, by them being at a bargain host... their information was just handed over... this would not have happened with SoftLayer + a 3rd-party security management firm.

I'm not 100% sure it couldn't happen ANYWHERE. If they get your secret question info, people can do just about anything unless you use a really specialized host (DC) that issues you an account manager whom you have to call to get this addressed.

----

Having been through a number of PCI audits (quarterly, etc.) with both myself and various clients, this is not correct. Even some of the most 'harsh' scanning companies don't care about password authentication, for carts (I do actually do things for one or two of them) or for individual clients. The levels for the two are definitely different.

Keep in mind that different companies have different requirements and regulations with regard to PCI scanning and passing it. This is the major reason it's a joke right now: there are no set and defined standards...

That said, a system like WHMCS should absolutely be using military-grade security. Yeah, I said it, military grade. You're big enough; time to start cracking there.

This is not true; see below:

In 2004, the CISP requirements were incorporated into an industry standard known as Payment Card Industry (PCI) Data Security Standard (DSS) resulting from a cooperative effort between Visa and MasterCard to create common industry security requirements. Effective September 7, 2006, the PCI Security Standards Council (SSC) owns, maintains and distributes the PCI DSS and all its supporting documents. Visa, however, continues to manage all data security compliance enforcement and validation initiatives.

If a scanning company doesn't support all the standards as outlined by https://www.pcisecuritystandards.org/

then they should not be used, or even be allowed to be in business for that matter.

It's been a while since I dug through the requirements... just took a peek, and it is not a requirement but a highly recommended step... this type of attack couldn't have happened with a password reset or social engineering if they had used passwordless access.

But what is a requirement is sudo to root, so whether or not they used that, I do not know.

But you have to remember that these automated scanning systems are just a part of PCI compliance... there is much more to the guidelines that cannot be done by a scanner, which is why you are supposed to answer the questionnaire.

If you rely just on the scanner, chances are you are not PCI compliant either.

----

I'm not 100% sure it couldn't happen ANYWHERE. If they get your secret question info, people can do just about anything unless you use a really specialized host (DC) that issues you an account manager whom you have to call to get this addressed.

Not quite sure why you guys keep missing this... If WHMCS used SoftLayer, which is a self-managed dedicated server company, and then hired a 3rd-party server management company that specializes in security.... there would be no way for said attacker to know who that third-party company is to request the passwords... and to add, because they specialize in security they would be using SSH keys and have password authentication disabled.

----

I think some of you missed my original post, which most of these smaller comments branched off from...

So here it is again, and it might add more clarity to what I meant by my later posts:

I have to partly agree with sol2010 here... yes, getting hacked is without a doubt going to happen when you are targeted... I have worked in the information systems security industry for years, and what I have learned over that time is that, while you can secure your systems to a point before they become unusable, the most important part of security is limiting what the attacker can do once he has gained access.

Social engineering attack or not, there are a number of things Matt and team can do going forward to better safeguard our data.

1) Don't use bargain hosts... check out SoftLayer: they have network-level intrusion detection and prevention systems; while these don't prevent everything, they do help minimize attacks, which HostGator does not.

2) WHMCS uses CDGCommerce to process their credit cards.... Hint to WHMCS: start using the Quantum Vault module you guys developed... Quantum has teams of security specialists who perform regular, not partial but full, PCI compliance audits. This way our credit card info remains safe even if you are compromised.

3) Use SSH keys; quit requesting that we send you passwords for SSH/FTP... you can post your public key in the client area and we can place it on our server when you need access.... This is in practice at a number of development groups; one that comes to mind immediately is the CloudLinux support team. Also, never put your private key on public servers; just keep it on your private desktop support PCs.

4) Do something similar for the control panel... some sort of certificate authentication or something which results in a handshake, where only your support specialists have access to the key. I say "some sort of" here because there are a number of ways, some more restrictive than others, so it would be up to you to decide which one is secure enough and easy enough to implement on your customers' WHMCS installs.

5) I know this was a social engineering attack, but let's face it: if you didn't give your server passwords to HostGator they couldn't have logged in or reset them, unless you are on HG shared hosting? Again, drop HG for SoftLayer, then hire a server management firm which specializes in security; with a 3rd-party management team a social engineering attack would never work, as the attacker has no way of knowing who the provider is.

6) Don't use passwords at all... your servers should have passwords disabled; SSH keys should be used.... this is part of PCI compliance... so what you have told us is that our credit card information was being stored on a server which does not pass PCI compliance. Visa and MasterCard frown on this (see point #2).

----
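A defender-side check for points 3 and 6 of the post above (the same SSH-key argument is repeated elsewhere in the thread), added here as an example; it is not code from the thread, from WHMCS or from any host named in it. It audits a constructed sshd_config for password logins, direct root login and key-only access, and checks that a vendor's authorized_keys entry is pinned to a source range; the key material and addresses are placeholders.

```shell
#!/bin/sh
# Audit an sshd_config for the settings argued for in the thread: no password
# logins, public keys only, no direct root login (log in as a user, then sudo).
# Assumes OpenSSH-style sshd_config syntax; Match blocks are not evaluated.

# Effective value of a keyword. sshd honours the first occurrence, so take the
# first non-comment match, case-insensitively.
#   $1 = config text, $2 = keyword, $3 = value assumed when the keyword is absent
sshd_value() {
    v=$(printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# Returns 0 when the config enforces key-only, non-root logins; otherwise prints
# one FINDING line per weak setting and returns 1.
audit_sshd() {
    cfg=$1; rc=0
    [ "$(sshd_value "$cfg" PasswordAuthentication yes)" = no ] \
        || { echo "FINDING: PasswordAuthentication is enabled"; rc=1; }
    [ "$(sshd_value "$cfg" ChallengeResponseAuthentication yes)" = no ] \
        || { echo "FINDING: ChallengeResponseAuthentication still allows password prompts"; rc=1; }
    [ "$(sshd_value "$cfg" PubkeyAuthentication yes)" = yes ] \
        || { echo "FINDING: PubkeyAuthentication is disabled"; rc=1; }
    # Older OpenSSH defaulted PermitRootLogin to yes, so an absent keyword is a finding too.
    [ "$(sshd_value "$cfg" PermitRootLogin yes)" = no ] \
        || { echo "FINDING: PermitRootLogin is not 'no' (use a user account plus sudo)"; rc=1; }
    return $rc
}

# Point 3: when a customer installs a vendor's public key, the authorized_keys
# entry can pin where it may be used from and deny forwarding. Returns 0 when
# the entry has a from= list and both no-port-forwarding and no-agent-forwarding.
key_entry_is_restricted() {
    case $1 in from=\"*) ;; *) return 1 ;; esac
    case $1 in *no-port-forwarding*) ;; *) return 1 ;; esac
    case $1 in *no-agent-forwarding*) ;; *) return 1 ;; esac
    return 0
}

# Constructed sample: password and root logins allowed, so a password handed
# out by a hosting portal logs the caller straight in as root.
WEAK_CFG='Port 22
PermitRootLogin yes
PasswordAuthentication yes'

# Constructed sample: the hardened counterpart.
HARDENED_CFG='Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AuthorizedKeysFile .ssh/authorized_keys'

# Constructed authorized_keys entry for a vendor support key; the source range
# and key material are placeholders.
VENDOR_KEY='from="203.0.113.0/24",no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3PLACEHOLDER support@vendor.example'

# Stand-alone run: report each sample.
for name in WEAK_CFG HARDENED_CFG; do
    eval "cfg=\$$name"
    if audit_sshd "$cfg"; then echo "PASS: $name"; else echo "FAIL: $name"; fi
done
if key_entry_is_restricted "$VENDOR_KEY"; then echo "vendor key entry is restricted"; fi
```

Run it against a real file with `audit_sshd "$(cat /etc/ssh/sshd_config)"`; remember that `sshd -T` shows the values sshd actually resolved, including Match blocks this script ignores.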

If you didn't pay for the removal of the WHMCS tag in your installation, then yes, you would probably need to be proactive in this.

If you did, the likelihood is that most customers wouldn't have a clue who or what WHMCS is = no panic.

I also can't see this hitting the BBC :-)

Hi Si,

Thanks for the reply; you're right, and I totally forgot about this: our billing area does not say WHMCS anywhere on it, and we also have the removal of the WHMCS tag.

Thanks

----

You are misreading what I wrote.. I did not state that the attack had to do with non-PCI compliance, but WHMCS themselves have admitted to using passwords, not public key authentication... I was just adding on to my statement that it will be interesting to see what WHMCS has to say about our cards being hosted on a non-PCI-compliant server, which is against Visa and MasterCard policies... it didn't really have anything to do with how the attack occurred.

Here are Visa's policies regarding this attack, and WHMCS will have to answer to us and to them as to why our cards were stored on a non-PCI-compliant system.

http://usa.visa.com/merchants/risk_management/cisp_if_compromised.html

I see you drawing a whole lot of conclusions with no apparent basis for them. Why do you keep insisting that the server WHMCS was on is "non PCI Compliant"? What are you basing that on? And you keep linking that URL from Visa. What makes you think those rules HAVEN'T been followed? And further... if you've followed the news for the last few years, you'd have seen some massive data breaches, from huge companies, who DID NOT follow those rules... and are still in business.

So please... tone down the Chicken Little speech long enough to find out the whole story.

Also, here is the proof you requested: http://forum.whmcs.com/showthread.php?t=47660

They could not have requested the private key if it was used, as that is not part of any forgot-password system.

The hacker got access to the client account on HostGator (how WHMCS pays for their hosting), changed the email account there (to the hacker's email), then requested access details be emailed. Matt doesn't say specifically, but it sounds like they were cPanel access details.

Something doesn't fit here... I'll admit. Someone getting access to the HostGator client area shouldn't have allowed them access to the WHMCS client database, and/or WHMCS' cPanel.

To add, like one of my earlier posts stated, if they had been using a 3rd-party server management company that specializes in security... a social engineering attack would not have worked, because they would have no way of knowing which 3rd-party company did the management, so they could not call them on the phone or write them an email.

I have a few horror stories from 3rd-party management companies. One sub-contracted the job out to someone in Saudi Arabia. When you're watching who logs into one of your servers and suddenly see a Saudi IP, after hiring a company from the Midwest.... and this is a well-known, well-recommended (in WHT and cPanel forums) company.

In the words of Fox Mulder... trust no one.

----

Not quite sure why you guys keep missing this... If WHMCS used SoftLayer, which is a self-managed dedicated server company, and then hired a 3rd-party server management company that specializes in security.... there would be no way for said attacker to know who that third-party company is to request the passwords... and to add, because they specialize in security they would be using SSH keys and have password authentication disabled.

SoftLayer is #5 in the list of phishiest hosts: http://toolbar.netcraft.com/stats/hosters

There are better and more secure hosts than SoftLayer.

----

I see you drawing a whole lot of conclusions with no apparent basis for them. Why do you keep insisting that the server WHMCS was on is "non PCI Compliant"? What are you basing that on? And you keep linking that URL from Visa. What makes you think those rules HAVEN'T been followed? And further... if you've followed the news for the last few years, you'd have seen some massive data breaches, from huge companies, who DID NOT follow those rules... and are still in business.

So please... tone down the Chicken Little speech long enough to find out the whole story.

The hacker got access to the client account on HostGator (how WHMCS pays for their hosting), changed the email account there (to the hacker's email), then requested access details be emailed. Matt doesn't say specifically, but it sounds like they were cPanel access details.

Something doesn't fit here... I'll admit. Someone getting access to the HostGator client area shouldn't have allowed them access to the WHMCS client database, and/or WHMCS' cPanel.

I have a few horror stories from 3rd-party management companies. One sub-contracted the job out to someone in Saudi Arabia. When you're watching who logs into one of your servers and suddenly see a Saudi IP, after hiring a company from the Midwest.... and this is a well-known, well-recommended (in WHT and cPanel forums) company.

In the words of Fox Mulder... trust no one.

Hi, please read my post at http://forum.whmcs.com/showpost.php?p=223673&postcount=184

That answers your questions in this post.

In regards to the 3rd party... yes, you are right about any regular server management firm, but I am more so referring to security management companies who specialize in PCI compliance, since this is in fact all of our credit cards we are talking about.

And then please read this post again, because I think we are getting way off track here; the point of this post is that there are things that can be done to prevent this from occurring again, so instead of picking it apart let's discuss the things we would like to see done to prevent this from happening again.

My intentions with the post are strictly out of concern that not enough has been done to ensure the safety of our card data and server information in support tickets, when there is definitely a lot more that could be done:

http://forum.whmcs.com/showpost.php?p=223675&postcount=186

----

I see you drawing a whole lot of conclusions with no apparent basis for them. Why do you keep insisting that the server WHMCS was on is "non PCI Compliant"? What are you basing that on? And you keep linking that URL from Visa. What makes you think those rules HAVEN'T been followed? And further... if you've followed the news for the last few years, you'd have seen some massive data breaches, from huge companies, who DID NOT follow those rules... and are still in business.

So please... tone down the Chicken Little speech long enough to find out the whole story.

Please don't insult me; I have not done that to you. Name calling is not appreciated; I am trying to have a productive conversation here so we can see things improve for the future.

My basis for them, as outlined in the last post, was the use of passwords, which was because a user was able to just request the passwords from HostGator for a system which is supposed to be PCI compliant...

But like I stated in that post, I was wrong: keys are recommended but not required, but sudo is, and I have no idea if they used sudo or not.

But that still doesn't change the facts: in the hundreds of rules that stipulate PCI compliance, password security itself is very stringent; it should not be possible to just "request" a password on a machine that hosts credit card information. There shouldn't be a lost-password form either... not saying that's how they requested it, they could have done it through a support ticket... just saying it shouldn't be allowed either.

When I stated they should use passwordless public/private key pairs, I am talking about going forward, because, well, that is just better security and I would feel safer if they were doing so. I would also like to see them use the Quantum Vault, which undergoes full PCI compliance audits on a regular basis, not just a half-baked automated scan.

Full PCI compliance is much more involved than a simple scan... and the Quantum Vault provides that... if they had been using Quantum Vault the attackers would not have got our credit cards.

Again, this is just a list of things going forward that will make it better for us all, so let's quit getting hung up on the little stuff and focus on what will make things better going forward.

----

SoftLayer is #5 in the list of phishiest hosts: http://toolbar.netcraft.com/stats/hosters

There are better and more secure hosts than SoftLayer.

Hmm, just because a customer signs up for service and starts a phishing site does not reflect the data center's security measures...

Their automated intrusion detection and prevention systems are some of the best in the industry... they have effectively blocked 100,000s of attacks on our servers...

----

People, please stop being idiots. First off, this wasn't a "hack"; this was a smart person who researched and fooled a support tech into allowing them access to the server. This takes a lot, and trust me, as I have had dealings with HG support in the past. I am guessing all this crap talk about them may be in relation to their shared hosting. I can't speak to that; however, their dedi hosting is top notch. On a dedi the security itself is up to you, and I think WHMCS covered their butts nicely.

This comes down to "human error". A single support person who missed it all. If you're not familiar, "human error" happens a lot, and it doesn't depend on the company you deal with, unfortunately. All it takes is for one person to have a bad day.

----

And you keep linking that URL from Visa. What makes you think those rules HAVEN'T been followed?

I do know WHMCS is following the steps outlined in that document... I didn't hear about the hack from WHMCS; I heard about it from my merchant provider, which is the same merchant provider as WHMCS uses, so I assume they did report it as dictated by that URL.

I posted the link for informational purposes, for some of the less educated people around here.

And to point out that Visa and MasterCard will be interested in conducting an audit, like stated in that article, to see if they are in fact PCI compliant... And because it matters to me and many others here whether someone who is holding my card information is PCI compliant.

We have a right to be concerned here; I never stated that they would be put out of business or fined... in fact I hope they are not, because WHMCS is at the heart of our business... But I do have concerns about how our information will be handled in the future.

----

It won't be long before these files are available as a torrent or via newsgroups. It's hard to stop from there.

 

Please note: I don't condone the release of these files or the spreading of them, I'm just saying what may very well happen.

----

Well, what can I say? Social engineering or not, it's still a hack on your system, so get your ass into gear and tighten that ring hole you just **** all our details out with.

This is a major minus for WHMCS; even though THEIR server was hacked they still won't admit the issue. Shocking, and to be quite frank with you, I'm on the verge of closing out my license.

----

People, please stop being idiots. First off, this wasn't a "hack"; this was a smart person who researched and fooled a support tech into allowing them access to the server. This takes a lot, and trust me, as I have had dealings with HG support in the past. I am guessing all this crap talk about them may be in relation to their shared hosting. I can't speak to that; however, their dedi hosting is top notch. On a dedi the security itself is up to you, and I think WHMCS covered their butts nicely.

This comes down to "human error". A single support person who missed it all. If you're not familiar, "human error" happens a lot, and it doesn't depend on the company you deal with, unfortunately. All it takes is for one person to have a bad day.

True, but there are ways to avoid it in the future, which is my point; we should have a productive conversation about things that can be done to avoid it in the future... in case you didn't read my original post: http://forum.whmcs.com/showpost.php?p=223675&postcount=186

P.S.

And you are right... my choice of words might not have been the best, so please don't get hung up on them... I wasn't stating anything about the quality of the hosting infrastructure... and I wasn't "crap talking"; what I was stating was that they are a bargain host, and that typically it is not a good idea to host credit card information with a bargain host... something like this would not have happened if they didn't have the passwords to the WHMCS servers in order to send them out... which does violate PCI compliance; they should not be able to send out passwords to such a system, pretending to be or being the real owner...

In a non-bargain host like SoftLayer they could simply KVM over IP and boot into single-user mode if they lost access to their system... they don't need it to be stored in the portal so it can be "requested"; in this type of setup it is PCI compliant.
