WHMCS.com Hacked?

[twhiting9275]

If I have a potential threat to not only my own private information, but my company's and my clients if the exploit was WHMCS Software-related, I want to know at hour zero. .

And you will. Matt has always been good with notification (but lousy with security)

This is something they will let users know about when the investigation is complete and they can tell people what really happened.

 

For now, and they've said this since the beginning...

Assume your credit card information is vulnerable.

If you gave passwords, they need to be changed

 

Anything else right now is speculation. From what Matt's said, it's going to take some time to figure out what happened, how the person got in, etc, but early leanings are towards someone getting their host to believe they were Matt.

[Twam]

Im having problems logging into my WHMCS Client area, i keep getting the following error.

My Software is still having license issues but im not able to log in so i can't open a support ticket nor try and refresh my license. I tried connection from my Computer as well as a friends in a different country and still got the error.

 

 

Secure Connection Failed

 

An error occurred during a connection to http://www.whmcs.com.

 

SSL received a record that exceeded the maximum permissible length.

 

(Error code: ssl_error_rx_record_too_long)

 

 

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

[SoHoIT]

I would like to know when I will be able to log back into my client area. - I need to know what information I may have provided to WHMCS.....

[TNTWebdesign]

Matt,

 

Thanks for the updates. I am currently in need of getting my IP changed with my license so I came to the WHMCS site and got a gray screen and a man talking. I knew you had been hacked. Was there anything embedded in that page that could have compromised my laptop, if you know? Or, did they just get your site. Wondering if they had bigger plans...may be something you want to look at.

 

Also, I am having trouble getting into the client area - same SSL error as above.

[HogWildMark]

I can't access the client portal to even login or access the support desk, Something about a bad SSL Cert

Edited May 21, 2012 by HogWildMark
unable to post image

[HogWildMark]

Im having problems logging into my WHMCS Client area, i keep getting the following error.

My Software is still having license issues but im not able to log in so i can't open a support ticket nor try and refresh my license. I tried connection from my Computer as well as a friends in a different country and still got the error.

 

I get the same message

[Sitepearl]

http://twitter.com/whmcs

 

"Fulll database being leaked soon"

[minadreapta]

hey guys! let them work to recover and identify what has been or has not been compromised. they will update when they have something new. posting here won't help them or you.

[Gazza]

well thanks for the late notification as usual, just received an email 9.30 pm in the UK

 

if you get an issue like this again please let me know straight away not some 7 hours plus later

at least it gives your customers time to take the approperate action

[disgruntled]

yet another knife in the whmcs back it seems. Well thanks i will cancel my card(S)

 

and now i know why i never allow a client to pay directly on my website.

[disgruntled]

Matt,

 

Thanks for the updates. I am currently in need of getting my IP changed with my license so I came to the WHMCS site and got a gray screen and a man talking. I knew you had been hacked. Was there anything embedded in that page that could have compromised my laptop, if you know? Or, did they just get your site. Wondering if they had bigger plans...may be something you want to look at.

 

Also, I am having trouble getting into the client area - same SSL error as above.

 

 

I would immediately run a full system scan of your laptop as an urgent precaution, if you find anything at all even remotely suspicious i suggest you proceed with first a clean up, and secondly a full system scan of any servers you have accessed since then and change all passwords on those servers.

 

While i believe whmcs is limited here in its attack, it is not too far fetched to believe there could be worse to come.

[kjetterman]

I can't get into my client area to change my password details. I get a security error. Is anyone else getting this?

[everythingweb]

What's up with the twitter message about the database being leaked?

[disgruntled]

I've just posted a status update with what we know so far here: http://forum.whmcs.com/showthread.php?p=223467#post223467

 

As soon as we know more, I'll provide further updates.

 

Matt

 

Hi matt, i understand you need to find out, but seriously, i found out from licensepal before here. thats bad news.

 

we know you need to sort it out, but your first course of action should be to get an email out at the least to each and every license holder and resellers of licenses.

 

In this way we can all shut down the installations until we know whats going on. Obviously this is a pain for us, but better that than the alternative wouldnt you say?

[Twam]

Yes it seems everyone is still getting the SSL error as again i tried on multiple PCs

[Andrew-FH]

erm sorry guys, but did i just hit a hard stone,

 

look at this image :- http://i.imgur.com/aezT8.png posted on Josh's twitter, they took down papajohns pizza a few hours ago too

 

look at the bottom of the image, downloaded files in chrome, our WHMCS database,

[bear]

Security is no one thing, and there are many ways to get caught out. something I'd put into practice long ago was that if I need to provide access to any server, give the least amount of access needed to take care of what needs to be done. If it's FTP don't hand out CP access, create an account, and remove it as soon as the work is done. Easy enough to make a new one.

 

If it's elevated access (Cpanel or above), they get the access info, and as soon as it's done the password is changed. They are long and complex, and changed often. By using that method without fail, something like this has far less impact. Something to consider.

 

<tin_foil_hat>

Based on that, the only thing I'm still concerned about is CC and my info, and if WHMCS has a way of accessing my installation that we're unaware of. I don't know of one and have no evidence whatsoever they do, but that doesn't mean it's impossible it exists.

</tin_foil_hat>

[disgruntled]

I can't get into my client area to change my password details. I get a security error. Is anyone else getting this?

 

 

None of us can, but thats a good thing because that means neither can any wouldbe hackers.

 

Be patient they are having to reinstall the whole server, hopefully this wont take much longer. I suspect the SSL cert thats not right will be the last thing they sort out so that we can get in when they know its secured.

[bear]

look at the bottom of the image, downloaded files in chrome, our WHMCS database,

Though disconcerting, any file could have that name.

[Andrew-FH]

Though disconcerting, any file could have that name.

 

i know it can be a forged or mocked up screenshot too, but it's posted at wht too and seems legit, who would drain so much brain on proving to have a database downloaded, except the hackers,

[disgruntled]

erm sorry guys, but did i just hit a hard stone,

 

look at this image :- http://i.imgur.com/aezT8.png posted on Josh's twitter, they took down papajohns pizza a few hours ago too

 

look at the bottom of the image, downloaded files in chrome, our WHMCS database,

 

We are aware of this and there are things we need to do, cancel any cards used at WHMCS, change the login details here at whmcs, also any servers that may have been worked on by whmcs staff that have not already had the password changed will need to be changed immediately.

 

For those that have had the misfortune of hitting the website they directed whmcs to you will need to run a full system scan on your computer and possibly any servers you accessed since depending on teh results of the scan.

 

Priority now is your clients. Get them safe at all costs. then your cards then here at whmcs

[disgruntled]

Though disconcerting, any file could have that name.

 

 

true true, but air with caution and assume they HAVE, done assume otherwise until WHMCS state otherwise.

[Twam]

Seems Cloudflare has shut the hacker sites offline, well disabled access to it.

[bear]

it's posted at wht too and seems legit

That doesn't add any legitimacy, as it's the same image link posted to the same Twitter. I'm not saying it's nothing to be concerned about, but it's not really proof.

For those that have had the misfortune of hitting the website they directed whmcs to you will need to run a full system scan on your computer and possibly any servers you accessed since depending on teh results of the scan.

My AV complained and wouldn't load it at all, not even the favicon. >hugs ESET<

[Andrew-FH]

Seems Cloudflare has shut the hacker sites offline, well disabled access to it.

 

where does this fly in from ?