
WHMCS.com Hacked?



Hi,

 

I am trying to join the conversation as I have a question to ask about the basics of the licensing server and validation and how it connects; I don't want my WHMCS install to go down. I keep getting errors when I attempt to post. Is anyone else experiencing any forum errors when replying?

 

Thanks!

 

If I recall correctly, the software makes a call to WHMCS every day and every time you check for an update (I think). If it fails a call, it stays up for x days and then shuts down, but the client interface is still up. So you can't do anything in the admin interface. This is different than not paying for a license, since the server tells the install "invalid license".


Hi Hitakashi,

 

Thank you for your reply. I was working with my templates and admin backend info for a new theme that was 90% finished and I just really don't wish to run into any SNAFUs.

 

Just a bit nervous about my business as I have put so much work into it, as many & many of us have and always do. I also didn't want to add a support ticket at this time as I am sure Matt & team are slammed non-stop.

 

Thank you again!


Reading this thread has popped up a question I have to ask: how long have you all been in business? The ranting of WHMCS isn't going to go on anywhere. This stuff happens, welcome to the internet. First day here?

 

I can remember around 2000 that really nothing was safe. Exploit here, exploit there, etc. The only safe way is to store everything in something like Quickbooks on a computer that doesn't even connect to the internet. But then you wouldn't have 90% of the features that WHMCS does for you, would you?

 

ClientExec. v2.x This was our first major "web based" system. We have a few RackShack servers and a couple scattered around. Then our data in this kept screwing up. For days we couldn't figure out why things were disappearing and changing. Then finally it was known..

http://secunia.com/advisories/17756/

With that, plus other bugs, we decided to move on.

ModernBill v4.x It was great but some serious exploits were coming out. Cross scripting, remote exploits, etc were a big fad. Our ModernBill system got hacked while waiting for those guys to come out with a patch. Not only did they get our data, but they took full control of that server. I would say we had a couple dozen dedicated servers with RackShack (before ThePlanet) and maybe another dozen scattered around at other datacenters back then. So we have quite a few customers we have to contact with the "Sorry, but our software has been hacked and now the internet has your credit card info" emails. We lost about 40% of our customers from that. Then ModernBill 5 came out. Some of you might know how much that version was.

http://secunia.com/advisories/32529/

 

Shortly after this, then we were having customer sites getting hacked with an exploit through the control panel we were using... Ensim. Lost more customers.

 

So we migrated to LXAdmin's control panel. Major exploit comes out. The main dev of it commits suicide. Yeah, no fixes and everyone is confused if LXAdmin is even going to get updated, by who, etc.

Guess what? You guessed it. More customers calling and emailing and leaving.

 

Yeah, it's time to move on. Now we're a DirectAdmin and CPanel shop. Both have been great since then. After posting on several forums about what is good, there's WHMCS that people are recommending over and over. I check their site, they support everything I need (payment, control panels, etc.) and they've been great. I haven't had any problems in 3+ years with their product (well, maybe some minor upgrade hiccups) and right now their web site got hacked, but not by an exploit or bug in their software. By this and the ignorance of HostGator (still not confirmed?), they were able to access WHMCS's main database, site, cpanel, etc.

 

Then they put it on the internet. I found out when I got a call from an admin asking if I've logged into WHMCS yet that morning. I told him no, and he said when I do, check out the news feed inside. Yes, the feed from Twitter. Right away I assumed my WHMCS setup was hacked. After 2 - 3 minutes of extremely high blood pressure, I finally realized that it's not me, but WHMCS's site. So, I read the Twitter feeds, in which several feeds besides the hacker's are releasing news about WHMCS being hacked, just scrolling by. You have thousands of people on the internet that are now the reporters of the world. Blogs, news sites, forums, etc. all posting about WHMCS being hacked and linking screen shots of the defaced site, links to the files, etc.

 

So yeah, I did download the files. I am so sorry that I wanted to see what they got and whether it is in any way going to concern me and my business. For anyone ranting "Shame on you people downloading...", why are you not concerned if your info is inside? At the time I couldn't log into WHMCS to see EVERY ticket I've made over the years to see what info I supplied them. Do they have my admin password? I know I make temp accounts and when the job is done, delete the accounts, but did I ever have to give them a MySQL username and password? Root's password? I'm 99.9% sure I didn't, but.. damn right I am going to download these and see what data is now freely available to thousands or millions of people that would do something dishonest with either my credit card or any ticket information.

 

Now it's when I have to see the bottom line. Yes, I may have to call and get a new card. I have others. I can wait a couple weeks for a replacement. I would hope you would too. But I would also hope you are smart enough to change passwords often. I would hope you are smart enough to make temp accounts for WHMCS to use and delete them when they finished whatever they needed to do. If you did, any ticket info is invalid since passwords have changed, accounts are gone, etc. Yeah, I now have a text file/database full of credit card numbers, names, addresses, phone numbers, etc. Am I stupid enough to risk the rest of my life and use any of this information illegally? No. Just like I would hope all of us wouldn't and just wanted to see if any information would affect them. We're the ones affected, we're not the ones that have never even used WHMCS, never heard of it, don't care what WHMCS is, just get the credit card numbers and roll! So shame on me? Whatever. I did what was best for me and my family and my business and that was to see if all 3 of those are safe. Actually now I'm not even sure why I downloaded the other 2 files (whmcs site files and whmcs cpanel files) since I could really give a s**t about those 2. I have WHMCS and CPanel, except the DB link wasn't working for a while so I thought maybe the DB was included in one of the other two.

 

Is this going to affect me? Wow, I spent a couple minutes changing my WHMCS.com password and changing passwords for anything that had to do with my WHMCS setup. Did I need to change my WHMCS passwords? No, but it just made me feel a little better inside with everything going on.

 

Is this going to affect my business? I doubt it. My customers' data is still safe. I don't have to send another "Oh no. I been hacked again. Your credit card isn't just yours any more." email to my customers. I'm not going to lose a bunch and have financial problems for the next several months because of this. I can still use WHMCS.

 

You pissed off? You want to leave WHMCS? Fine. Go ahead, really. Now I'm wondering how many of you are even stable enough to run a business. Do you only have 1 credit card or debit card running your whole business? What if you lost your wallet? This crap is only affecting you. Not your customers. Not your business.


Well said. And again.. I am not on a high horse... But still shame on the people here that actually followed that link and downloaded the UNAUTHORIZED database. I didn't even use a CC with them. No worries. It is YOUR CHOICE TO USE ONE! Again, you all know how the software works, no? Or are the people complaining here non-users of WHMCS? So.. It could all happen to you too.. Do you all have a better solution?

 

 

 

Enough said.


Guessing everyone/someone received the "WHMCS Updates for XXX" email from AJ Online Services??

 

Wanted to share my thoughts on this - I personally am rather annoyed that this person/company has apparently gone ahead and downloaded the leaked information, then used it to email WHMCS clients.

 

I realise it is designed to offer advice, but I am really not impressed with how they went about it. Nowhere does it mention it was authorised by WHMCS; AJ Online Services admitted the details were taken from the stolen database:

 

we have merely sent this email to all WHMCS clients recorded in the WHMCS database leaked by the UGNazi group

 

Obviously thousands of people are in possession of the stolen data, and obviously those with information compromised (like myself) would have already done something about it if they had half a brain. I also like the line:

 

This email is not a plug so we won't give our details directly in this email

 

When clearly they have provided: Link to their website, Email address, Facebook + Twitter accounts.

 

I received an email from WHMCS regarding the issue, and did something about the breach 12 minutes after the WHMCS twitter account posted the first hack message. What I do not need/want is "helpful" companies taking my data and plugging their own business, even if intentions are good - regardless of what was said in the email, their contact information is still visible.

 

If AJ Online Services were ever hacked, I will be the first person to download all of the stolen information, and send out helpful emails offering advice to their clients... with a link to my website and email address in the footer, which should not matter because it is just a helpful email and nothing more, right? Come on man, Foxconn wouldn't make an announcement on Apple's behalf, and if they did it would be authorised by Apple. Let WHMCS do their thing, you worry about your business and I will worry about mine.


I was not affected by this major problem that took place this past week.

 

But having read the news I have to say Hostgator did make a major mistake.

They should not have given out any info without first checking with Matt

 

This is a major mistake - My server company (Calpop) would not make such a mistake.

 

The major fault here belongs to Hostgator

 

http://www.scmagazine.com.au/News/301773,thousands-affected-in-billing-cloud-breach.aspx

 

As to how this person got the other security questions correct is not of any importance.

Yes this is an additional security problem but the purpose of security is to trip up a hacker.

If he had six parts of the security answers correct and was missing one - he was still missing one!!!

 

You don't give him the one part he doesn't have without getting confirmation from the person in charge.

 

So now that the damage is done it's time to find out where we can improve things.

 

As to those hosts that have been affected - you have just experienced a major learning experience.

Do not leave your passwords unchanged after requesting help via any help desk.

If you were using a hosted billing solution - well - sometimes saving money can cost.

 

One thing I am not too happy with with regard to WHMCS is their new marketing idea, which winds up giving large hosting companies an unfair advantage over smaller ones, as I now see hosting companies giving away WHMCS with reseller accounts.

 

As this software falls into more hands for small fees the possibility of hackers will increase.

This allows them to have hands on access to try and find holes in it.

 

I believe it's a really bad idea - might be a good marketing scheme but long term it's not very good.

 

Vincent G.

CW3 Web Hosting


Does anyone know anything about this hack?

 

Was it a version 4 hack or version 5 hack?

 

I didn't see any patches for it.

 

[old exploit removed]

 

It displays the content of the config file.

 

There are videos on YouTube about it showing how easy it is to display this info.

 

So you get a new client sign up for hosting and he is on the same server as your billing system.

Now he has your database and your encrypt string.

 

Was this fixed???

Edited by bear


either you are running a very old version of WHMCS... or you have not followed the security steps... this is not possible on my system.

Edited by bear

One thing I am not too happy with with regard to WHMCS is their new marketing idea, which winds up giving large hosting companies an unfair advantage over smaller ones, as I now see hosting companies giving away WHMCS with reseller accounts.

 

 

Well, what makes you think WHMCS are the only ones doing this?

 

Autopilot

cPanel

Directadmin

RVsitebuilder

etc.

 

All are provided free by some hosts, but this is going off topic.

 

By the way, WHMCS was NOT hacked as such; it was breached by social engineering where MATT was impersonated and Hostgator gave the impersonator the servers login details.

Edited by easyhosting

I said I was not affected on a prior post.

I was not affected because I run my own servers and they are secure.

I run the latest versions of the software and always apply the latest patches.

 

By the way the latest dbconnect patch is the second time this file was patched.

 

Yes Mod Security does block that hack attempt as it's how I learned about it.

Is it fixed is the question.

 

This is why you have problems - well Mod Security blocks it so who cares if the problem is still there.

 

I care! - there is no room for mistakes, else you have an event such as the one we just saw.


Be sure to apply the patch released today.

Another new one today? I'm not seeing that; can you link it?

By the way, WHMCS was NOT hacked as such; it was breached by social engineering where MATT was impersonated and Hostgator gave the impersonator the servers login details.

Unless you know for certain that's what happened in its entirety (and not just parroting what has been posted), it's presumptuous of you to post that as fact. Though it may be true, you are not privy to the full details so probably shouldn't be speaking authoritatively about it.

Just sayin.

 

One thing I am not too happy with with regard to WHMCS is their new marketing idea, which winds up giving large hosting companies an unfair advantage over smaller ones, as I now see hosting companies giving away WHMCS with reseller accounts.

WHMCS doesn't give those to the company offering it free (AFAIK), they're bought and used as a "loss leader" by the provider/host. Makes their offer more attractive. That is available to you also; you should ask Matt about details.


The real fault lies with whmcs, for not utilizing hosting that is secure. Since whmcs is a billing system, a highly attractive target, they should be running their system from a banking compliant hosting provider, which means restricted access locked room for the servers, as well as additional security limiting online access. 97-99% of stolen company data is done from the inside. That includes direct employees and any contractor employees, which in this case means hostgator.

 

It is clear that whmcs needs to start handling its business with security that is required by credit card transaction regulations. Until that level of security is implemented by whmcs for its own servers, every user of whmcs is at risk. As not only could the whmcs servers harbor a data post grabber or database dump capability to a remote location, but code could be injected into the whmcs download itself to get credit card data from every company that uses whmcs.

 

With the potential of hundreds of millions of dollars to be had, strict security needs to be adhered to by whmcs, as human nature is generally the weakest link, whether it be a disgruntled employee or someone willing to make some money. The lowest paid and least educated employees are generally support personnel, yet they are the ones with the ability to access any system at a hosting company.

 

The incentive of earning thousands or hundreds of thousands or millions of dollars is simply too great to allow average support personnel access to servers that hold or process credit card transactions.

 

This is nothing new, old news and old knowledge, but apparently whmcs is not security minded, hell they cannot even verify their own customers from within their own system, the internal ticketing system is not secure, that is by their own admission.

 

Whmcs needs to go back to the grindstone and implement better security procedures for its own servers and clear up the security flaw in the ticket system. They may be able to ask for login details to verify their customers, but many users of whmcs do not sell products that allow such a method to be used to verify the customer. So how does a user of whmcs verify a client if the tickets in the ticket system cannot be trusted?


It's real easy to point a finger when it's not you that got hit...

 



The real fault lies with whmcs, for not utilizing hosting that is secure.

From what I'd read, it wasn't the hosting being insecure, it was an employee issue. They were convinced to reveal account details, which could potentially happen on *any* hosting platform.


Answers to security questions such as, for example, mother's maiden name, name of favourite pet or the street you grew up on can be researched by a determined hacker who is targeting someone specific. This gets easier to research with the popularity of social networks such as Facebook where people tend to reveal too many personal details online. That's why I always register answers to these questions that cannot be researched, such as my mother's maiden name is "hamburger" and my favourite pet is "carburetor" or some other nonsense.


mother's maiden name is "hamburger" and my favourite pet is "carburetor" or some other nonsense.

 

I might actually start doing something like this. Like you have said, with Facebook etc. it's very easy to find answers to some of these questions if you are determined enough to do so.


@desynced - With you pal, tried ClientExec, tried ModernBill and grabbed WHMCS in 2005. Yep, downloaded the files for damage control too.

 

Not doing so is akin to facing a minefield and not having a mine detector to get through. But look, over there, CavalloComm's mine detector isn't being used. I think I'll borrow it and find my way through the mine field. The only other choice is to close my eyes, cover my ears and tip-toe.... no thanks. I'll borrow the mine detector.

 

Sorry Matt, but I think you understand.


This topic is now closed to further replies.