AndyJ Posted May 21, 2012
I don't doubt the hack's valid; however, I find it suspect that the next target was "papajohns". Seems more like a scare tactic than anything else. On my own personal note however, I am very disappointed in the poor security practices of WHMCS. For example, some of the posts were blaming HG for the link; while now that is possible, why is he using an email account that he uses for everything for a secure system like that? That's like using your public email for your bank account; what do you think happens when you hit "forgot my password"? On top of that, to ignore usual security flaws in a server is just stupid. Assuming they never bothered, WHMCS could have asked the HG Security team for advice. Sorry, I just hate it when people blame others for their mistakes. Grow up, take responsibility and resolve it. We can forgive a mistake as long as it doesn't happen again. And if you need help, ask; you have a huge community of people, some of which have college degrees and hundreds of years (plus/minus a few years of exaggeration) of security training and experience.

disgruntled Posted May 21, 2012
> That doesn't add any legitimacy, as it's the same image link posted to the same Twitter. I'm not saying it's nothing to be concerned about, but it's not really proof. My AV complained and wouldn't load it at all, not even the favicon. >hugs ESET<

Yeah, I used to use nod years back; now though I'm Linux based and I don't know if they flavour to Linux. It was good though. Good news that the hosts shut that site down. Although I suspect they did all they needed with it.

disgruntled Posted May 21, 2012
> I don't doubt the hack's valid; however, I find it suspect that the next target was "papajohns". Seems more like a scare tactic than anything else. On my own personal note however, I am very disappointed in the poor security practices of WHMCS. For example, some of the posts were blaming HG for the link; while now that is possible, why is he using an email account that he uses for everything for a secure system like that? That's like using your public email for your bank account; what do you think happens when you hit "forgot my password"? On top of that, to ignore usual security flaws in a server is just stupid. Assuming they never bothered, WHMCS could have asked the HG Security team for advice. Sorry, I just hate it when people blame others for their mistakes. Grow up, take responsibility and resolve it. We can forgive a mistake as long as it doesn't happen again. And if you need help, ask; you have a huge community of people, some of which have college degrees and hundreds of years (plus/minus a few years of exaggeration) of security training and experience.

I wouldn't doubt it. I have seen first hand the information they pulled out of my own WHMCS installation; believe me, it's scary as hell. You really do not want this to be a legit attack, but it's entirely likely.

Twam Posted May 21, 2012
Where does this fly in from? I was looking at the Twitter tweets and accounts used by them saying WHMCS and all the other sites got hacked / DDoS'ed, and their Twitter accounts seem to lead to a website, but upon viewing the website you get a Cloudflare error.

UH-Matt Posted May 21, 2012
Guys, at the end of the day they almost certainly DID get the database during this hack. Of course we need to wait for more official news to flow in, but for now we need to give Matt and his team time to piece it all together. No point discussing if/but/why/when - they probably got all the data already discussed, so you may as well be focusing on your own stuff for now until we hear more from Matt.

everythingweb Posted May 21, 2012
Well, I personally am leaning towards taking these hackers seriously.. http://twitter.com/#!/UG - seem to be an established hacking group. Luckily I stick to using PayPal to avoid situations like this compromising my CC details - I see the SSL is finally working on whmcs.com - time to check if I've sent any FTP details or not.

DaveTheRave Posted May 21, 2012 (edited)
Tango down http://i.imgur.com/X7U30.png .. <<snipped>>
@WHMCS Would have been nice to have been emailed about this situation rather than having to hear it via a phone call several hours after the fact.
Edited May 21, 2012 by bear.

twhiting9275 Posted May 21, 2012
> I don't doubt the hack's valid; however, I find it suspect that the next target was "papajohns". Seems more like a scare tactic than anything else.

Just because the URL says papajohns doesn't mean they wanted to hack it. Maybe they wanted some pizza to co-ordinate their hackfest. Since we know they already got access to the server, it's pretty safe to assume those database downloads are in their possession.

JamieD Posted May 21, 2012
And this is exactly why only a complete idiot would store client card details in their own database. And why the first thing I did when setting up WHMCS was to write my own payment module that didn't store clients' card details, even though WHMCS made this extremely difficult to do at first and actually cited PCI compliance as a reason not to open up more action hooks to make this possible. Maybe this will be a lesson learned and the guys will put a higher emphasis on security and implement ALL gateways with tokenised systems that support it.

Andrew-FH Posted May 21, 2012
Keep an eye on the link below; they are confirmed to post it here in the next few hours or so: http://leakster.net/leaks/

Twam Posted May 21, 2012
I agree, they didn't show papajohns actually hacked; it was just offline. Probably just a DDoS attack to just deny access to it, which I don't really count as hacking based on the number of attacks that my network received on a daily basis.

Pulsar132 Posted May 21, 2012
As long as you change your passwords and cancel any card details WHMCS have on file you will be fine. If they do "drop" the files in a couple hours as they say they will...

> UGNazi @UG @fakudolphin @JoshTheGod @ThaCosmo @le4ky We will drop both Db + files in couple hours. #UGNazi

If you've taken the above precautions they can't really do much. A lot of information about a person or company is already readily visible online. If you get any strange visitors, letters or emails just contact your local authorities. Unless WHMCS have some secret backend approach (as others have speculated) built into WHMCS, everyone should be OK. Just calm down and let Matt get on with fixing everything. Once he's done that and all scans and such are completed he'll be able to let you know exactly what happened and why. I do agree an email should have been sent out by now, because there are probably 1000's of customers who have no clue and I imagine are not going to be very pleased. Luckily I noticed from the WHMCS Twitter feed in my admin panel, so passwords and such were changed very quickly.

Peter-HostNutters Posted May 21, 2012 (edited)
Oh well, it happens to us all at one point in life LOL. I just need to ask: I do not get my license from WHMCS itself nor have any info here; I get it from PacificHost. But I got an email from them... I don't really understand what I am meant to do about it....
Edited May 21, 2012 by Peter-HostNutters

Pulsar132 Posted May 21, 2012
Already offline. Seems hackers like Cloudflare!

DaveTheRave Posted May 21, 2012
Tango Down
/http://i.imgur.com/BGWRp.png
/http://i.imgur.com/X7U30.png

Twam Posted May 21, 2012
Yeah, seems Cloudflare have disabled access to their other site as well.

ProHostGold Posted May 21, 2012
I've not received an email yet.

Jameschillman Posted May 21, 2012
Maybe WHMCS will actually attempt to get PA-DSS after this? Or will they just put it off like they have before?

Peter-HostNutters Posted May 21, 2012
> Already offline. Seems hackers like Cloudflare!

Well, when you do not have to pay for the hosting yourself and think everything in life should be free for your taking, why would they not...

Peter M Dodge Posted May 21, 2012
I myself contacted CloudFlare about this, and then passed the details along as best as I could. Hackers use CloudFlare to make it a little more difficult for a power user to determine their ISP, as when you're using CloudFlare you use their nameservers, not the web host's, and this is commonly how many people identify what webhost you're using. Also the routing path will stop at CloudFlare since their machine is the one grabbing your page. However, you can still dig the reverse DNS to find out who they are hosting with.

Pulsar132 Posted May 21, 2012
leakster.net was using 000webhost.com
ns01.000webhost.com
ns02.000webhost.com

ugnazi.com was using hostgator
ns3591.hostgator.com
ns3592.hostgator.com

I just had a look at archived DNS info. Although not entirely reliable as they could have changed host. But best I could find.

Peter M Dodge Posted May 21, 2012
At the time of the breach they were using a .. Spanish looking host? Not sure what language it was; however, it was server.hfu.cc

Hackers often have to rapidly hop hosts as they get reported to their webhosts and shut down. It's common for them, and there's plenty of hosts to jump to. (Anyone know if there's a list out there of clients that jump a lot? WHT used to keep one back in '03 but their search isn't being helpful, and it'd be a good thing to maintain.)

JFOC Posted May 21, 2012
They just released leaked database, etc... 8 mins ago

WHMCS CEO Matt Posted May 21, 2012
Further update can be found here on what exactly happened: http://forum.whmcs.com/showthread.php?t=47660
Matt

pinarthost Posted May 21, 2012 (edited)
OMG, they released the WHMCS database, website files and cPanel files! Change your passwords immediately and protect your data the best way you can.
Edited May 22, 2012 by pinarthost