ExsysHost Posted May 22, 2012

I am too, it is sad really because I requested they provide me with an SSH public key in the past so they could have access, but they refused and requested that I enable password authentication in OpenSSH and provide them with the password.... All of this could have been prevented... social engineering attack, 0-day exploit on running services, SQL injection attack... all would be rendered useless if they followed the guide above... and to be PCI compliant they have to follow the guide above plus a whole lot more, so it will definitely be interesting to see why our information was being stored on a non-PCI-compliant system.

P.S. The FBI being contacted is BS... I believe it was Host Gator who told WHMCS this... but if they actually had, the FBI Cyber Crimes Task Force would have had the links to the DB dumps taken down immediately. Seems to me it was delayed due to Host Gator realizing the links were hosted with them.

Edited May 22, 2012 by ExsysHost
XN-Matt Posted May 22, 2012

> 5) I know this was a social engineering attack, but let's face it, if you didn't give your server passwords to Host Gator they couldn't have logged in or reset them, unless you are on HG shared hosting?

If it was managed, they probably had access to the server already. Many providers who offer management don't give root details to the end user; ergo, they (the management co) have full access.

Matt
Twam Posted May 22, 2012

I don't believe WHMCS is hosted with HostGator; I think someone has misread something in the recent replies. One of the hackers' websites was hosted with HostGator, not WHMCS.
XN-Matt Posted May 22, 2012

No, they are.

$ host whmcs.com
whmcs.com has address 50.116.115.104

NetRange: 50.116.64.0 - 50.116.127.255
CIDR: 50.116.64.0/18
OriginAS:
NetName: HGBLOCK-3
merlinpa1969 Posted May 22, 2012

> If it hits my CC account while it's frozen there'll be problems for me, which will then be transferred as much larger problems for them, since I've asked them in a ticket to remove the card from their system.

Remove it yourself; I went in and changed my CC details to Visa 4111111111111111.
Si Posted May 22, 2012

To all those thinking/threatening to leave WHMCS:

A man went for a job on a day's trial on a building site and was asked to drive an expensive dumper from one side of the site to the other. Keen to impress, he decided to take a short cut so that he could get the dumper to his boss in double quick time. On his way over a narrow track, the dumper tipped over and destroyed a wall which had taken weeks to complete, and he wrote off the dumper. No-one was hurt, but it did cause a lot of inconvenience and expense. The man on the day's trial was devastated. He had blown it.

At the end of the day, the boss of the site shocked everyone by taking the man on, on a permanent contract. The men were shocked. The manager of the site asked his boss, "What on earth do you think you're doing hiring someone like that?". The boss replied, "I could hire someone else tomorrow, and the same thing could happen to them. The one thing I know about this man is that what happened today will never happen again."

=================

I've been in this business a loooong time. Through perlbill, through modernbill, and the one thing I know is that WHMCS is responsible for my business' success. There is an ethos about WHMCS which is seriously lacking anywhere else.

Keep the faith Matt.

Si

Edited May 22, 2012 by Si
twhiting9275 Posted May 22, 2012

> If it was managed, they probably had access to the server already. Many providers who offer management don't give root details to the end user; ergo, they (the management co) have full access.

From their 'host':

> COMPLETE Control with Root Access

Meaning this could all have been prevented had proper security measures been in place on the server side.

> There is an ethos about WHMCS which is seriously lacking anywhere else.

There's also a blatant disregard for customer service, customer security, industry best practices, industry standards... You can keep your ethos, I'll take the reality check here. This isn't the first, second, or even third time WHMCS has been hit with some sort of a security vulnerability here. Continually spitting in the face of standards is unacceptable.

I've been through a lot of the same billing clients myself. Perlbill? What a joke. Modernbill? Yeah, ok... Regardless of the software, in my 10 years in this industry, I cannot say that I've seen one company spit in the face of their customers so many times. I can't say that I've seen one single company hacked so many times due to their own blatant flaws.

Wake up, it's time to move forward. WHMCS either needs to pack it in, or prove that they're going to actually stop being cheap and focus on security here, because this just shows that they clearly haven't been.
ExsysHost Posted May 22, 2012

Yes Matt, but you missed my point: if they were hosted in a real data center, not a bargain datacenter, there are safeguards for this type of thing... also, like I pointed out, if they were using passwords it is not a PCI compliant server and therefore should not have had our card data stored on it. That would have been WHMCS' responsibility to ensure; you can't pass the buck on to Host Gator in this regard.

And finally, if they are using a 3rd party server management company which specializes in security, they would have known this... and because it would be impossible for said attacker to know who the 3rd party management company was, it would be impossible for them to perform a social engineering attack, and they definitely would not give away the SSH keys to a person who was impersonating WHMCS staff.

Just FYI, this stuff is taken very seriously. Here are VISA's policies on what needs to take place now that our data has been compromised, and I am sure they are going to want to know why the system was not kept up to PCI Compliance Standards: http://usa.visa.com/merchants/risk_management/cisp_if_compromised.html

Edited May 22, 2012 by ExsysHost
ExsysHost Posted May 22, 2012

> from their 'host'
>
> This isn't the first, second, or even third time WHMCS has been hit with some sort of a security vulnerability here. Continually spitting in the face of standards is unacceptable. I've been through a lot of the same billing clients myself. Perlbill? What a joke. Modernbill? Yeah, ok... Regardless of the software, in my 10 years in this industry, I cannot say that I've seen one company spit in the face of their customers so many times. I can't say that I've seen one single company hacked so many times due to their own blatant flaws. Wake up, it's time to move forward. WHMCS either needs to pack it in, or prove that they're going to actually stop being cheap and focus on security here, because this just shows that they clearly haven't been.

I agree, they need to take the stance that Invision Power Services did when their forum software was constantly hacked... hire a security firm to manage their servers and hire an application security firm to perform code audits.
Blueberry3.14 Posted May 22, 2012

> I am too, it is sad really because I requested they provide me with an SSH public key in the past so they could have access, but they refused and requested that I enable password authentication in OpenSSH and provide them with the password.... All of this could have been prevented... social engineering attack, 0-day exploit on running services, SQL injection attack... all would be rendered useless if they followed the guide above... and to be PCI compliant they have to follow the guide above plus a whole lot more, so it will definitely be interesting to see why our information was being stored on a non-PCI-compliant system.

Just because a system is PCI compliant (and I'm assuming WHMCS' was until I see substantiated proof otherwise) doesn't mean that a human being can't access it. In this case, the human being that accessed it pretended to be Matt, and another human being (whatever idiot working for HG) allowed the imposter to access the account. It's got nothing whatsoever to do with PCI.

Now I've never been in the "The sun rises and sets on Matt and WHMCS" camp, but my company has used it since 2006 and this is the first breach of this type (if my memory serves.... if I'm wrong please correct me). That's a record even gigantic corporations (who you expect rock solid security from) can't match. Does that mean I've always agreed with every decision regarding security? Hardly. But by and large WHMCS has done a good job, and Matt today has stayed in communication, posting updates to this forum and the blog, and emailing all customers when there was enough information. There's always room for improvement, but having been through this with enough vendors and service providers... I've seen much worse in this type of crisis.

> P.S. The FBI being contacted is BS... I believe it was Host Gator who told WHMCS this... but if they actually had, the FBI Cyber Crimes Task Force would have had the links to the DB dumps taken down immediately. Seems to me it was delayed due to Host Gator realizing the links were hosted with them.

That, sadly, I'm leaning towards agreeing with you on. http://whmcs.ugnazi.com is still live and hosted by CloudFlare and HostGator some 12 (24?) hours later. THAT concerns me more than anything WHMCS has done or not done.
Twam Posted May 22, 2012

You're right, I stand corrected; I looked up the IP of the forum, which differs from the main site. Kinda shocked to be honest, I would presume that they would be with a more credible host.
awardle Posted May 22, 2012

Has anyone started sending emails out to their hosting customers? From what I have seen in the database it's just our credit card information which is affected and not our actual installs? I'm guessing this will hit general public news sites like the BBC etc. in a few hours. However, it's still not certain how they hacked in to http://www.whmcs.com
twhiting9275 Posted May 22, 2012

> also, like I pointed out, if they were using passwords it is not a PCI compliant server and therefore should not have had our card data stored on it.

Having been through a number of PCI audits (quarterly, etc.) with both myself and various clients, this is not correct. Even some of the most 'harsh' scanning companies don't care about password authentication, for carts (I do actually do things for one or two of them), or for individual clients. The levels for the two are definitely different. Keep in mind that different companies have different requirements and regulations with regards to PCI scanning and passing it. This is the major reason right now that it's a joke; there are no set and defined standards...

That said, a system like WHMCS should absolutely be using military grade security. Yeah, I said it, military grade. You're big enough, time to start cracking there.
Twam Posted May 22, 2012

> Has anyone started sending emails out to their hosting customers? From what I have seen in the database it's just our credit card information which is affected and not our actual installs? I'm guessing this will hit general public news sites like the BBC etc. in a few hours. However, it's still not certain how they hacked in to http://www.whmcs.com

It wasn't really a hack; the intruders social-engineered their way in, gaining the login information from WHMCS's host and not exploiting any type of vulnerability within the WHMCS software.
Blueberry3.14 Posted May 22, 2012

> This isn't the first, second, or even third time WHMCS has been hit with some sort of a security vulnerability here.

There have been, and always will be, vulnerabilities found, as with any software. WHMCS has always been very quick to post a patch and/or security release. This is the first time their own site/database has been compromised.
Blueberry3.14 Posted May 22, 2012

> It wasn't really a hack; the intruders social-engineered their way in, gaining the login information from WHMCS's host and not exploiting any type of vulnerability within the WHMCS software.

Exactly.

Totally different topic: I find it interesting the number of posters in this thread who have 1-4 posts....
merlinpa1969 Posted May 22, 2012

> Has anyone started sending emails out to their hosting customers? From what I have seen in the database it's just our credit card information which is affected and not our actual installs? I'm guessing this will hit general public news sites like the BBC etc. in a few hours. However, it's still not certain how they hacked in to http://www.whmcs.com

Your site is fine; it was the WHMCS server that was hacked, not your site. And Matt has explained how the server was hacked.
twhiting9275 Posted May 22, 2012

> This is the first time their own site/database has been compromised.

Wrong.
ExsysHost Posted May 22, 2012

> Just because a system is PCI compliant (and I'm assuming WHMCS' was until I see substantiated proof otherwise) doesn't mean that a human being can't access it. In this case, the human being that accessed it pretended to be Matt, and another human being (whatever idiot working for HG) allowed the imposter to access the account. It's got nothing whatsoever to do with PCI.

You are misreading what I wrote.. I did not state that the attack had to do with non-PCI compliance, but WHMCS themselves have admitted to using passwords, not public key authentication... I was just adding on to my statement that it will be interesting to see what WHMCS has to say about our cards being hosted on a non-PCI-compliant server, which is against VISA and Mastercard policies... it didn't really have anything to do with how the attack occurred.

Here are VISA's policies regarding this attack, and WHMCS will have to answer up to us and to them as to why our cards were stored on a non-PCI-compliant system: http://usa.visa.com/merchants/risk_management/cisp_if_compromised.html

Also, here is the proof you requested: http://forum.whmcs.com/showthread.php?t=47660 They could not have requested the private key if it was used, as that is not part of any forgot-password system.

To add, like one of my earlier posts stated, if they had been using a 3rd party server management company that specializes in security... a social engineering attack would not have worked, because they would have no way of knowing which 3rd party company did the management, so they could not call them on the phone or write them an email.
awardle Posted May 22, 2012

> Your site is fine; it was the WHMCS server that was hacked, not your site. And Matt has explained how the server was hacked.

Yep, I know that my site is fine, but I am thinking about our customers: if this hits the big news sites such as the BBC they are going to see "WHMCS hacked" and most likely put together the wrong conclusion that our hosting billing has been hacked when it has not. I think it will make sense that I draft something and send it out to my customers; I guess it's better to let them know clearly that we are not affected, just whmcs.com.
Blueberry3.14 Posted May 22, 2012

> Having been through a number of PCI audits (quarterly, etc.) with both myself and various clients, this is not correct. Even some of the most 'harsh' scanning companies don't care about password authentication, for carts (I do actually do things for one or two of them), or for individual clients. The levels for the two are definitely different. Keep in mind that different companies have different requirements and regulations with regards to PCI scanning and passing it. This is the major reason right now that it's a joke; there are no set and defined standards...

Agreed. I've had to request "overrides" for some of the stupidest things that the PCI scanner complained about: robots.txt, .htaccess, and yet they never said boo over SSH passwords (which we used up until a few years ago). Maybe because the SSH port was moved to a different port #, and the PCI scanner wasn't smart enough to figure that out?

> That said, a system like WHMCS should absolutely be using military grade security. Yeah, I said it, military grade. You're big enough, time to start cracking there.

I was glad to read that Matt intends to change hosts, ASAP.
striddy Posted May 22, 2012

> if they were hosted in a real data center not a bargain datacenter

Do you realize that all Hostgator servers are physically located at the Softlayer "real data centers"?
ExsysHost Posted May 22, 2012

> Agreed. I've had to request "overrides" for some of the stupidest things that the PCI scanner complained about: robots.txt, .htaccess, and yet they never said boo over SSH passwords (which we used up until a few years ago). Maybe because the SSH port was moved to a different port #, and the PCI scanner wasn't smart enough to figure that out?
>
> I was glad to read that Matt intends to change hosts, ASAP.

This is correct; many scanners are not capable of figuring it out on other ports, but they do alert you that the other port is open. They just don't detect it as SSH, so they cannot perform the password check.
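Two points in this thread come down to the same file: ExsysHost's argument that a host with password logins enabled is one phone call away from compromise, and the exchange just above about a PCI scanner that misses sshd once it is moved off port 22. The script below is an added example, not code from WHMCS, HostGator, or anyone in the thread. It reads an sshd_config the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, lines after `Match` are conditional) and reports whether passwords are actually disabled rather than merely hidden behind a different port. The two configs at the bottom are constructed for illustration, and the default values are assumed from the sshd_config(5) man page.

```python
"""Audit an OpenSSH sshd_config for the settings argued about in this thread.

Added example, not code from WHMCS, HostGator or anyone in the thread.
The two sample configs at the bottom are constructed for illustration.
"""
import re

# Global defaults, assumed from the sshd_config(5) man page. PermitRootLogin's
# default has changed across OpenSSH releases ("yes" in 2012-era builds,
# "prohibit-password" in current ones), so an unset value is treated as "yes".
DEFAULTS = {
    "port": ["22"],
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "yes",
}


def parse_sshd_config(text):
    """Return the effective global settings of an sshd_config.

    sshd keeps the first occurrence of each keyword, compares keywords
    case-insensitively, and treats everything after the first `Match` line
    as conditional, so those lines do not change the global values.
    """
    settings = {}
    ports = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break
        if key == "port":
            ports.append(value)  # every Port line adds a listener
            continue
        if key == "challengeresponseauthentication":
            key = "kbdinteractiveauthentication"  # pre-8.7 name for the same option
        settings.setdefault(key, value)  # first occurrence wins
    effective = dict(DEFAULTS)
    effective.update(settings)
    effective["port"] = ports or DEFAULTS["port"]
    return effective


def audit(text):
    """Return a list of findings; an empty list means the file passes these checks."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is enabled (the default): a password "
                        "handed out by the host, as in this incident, is enough to log in")
    if cfg["kbdinteractiveauthentication"] != "no":
        findings.append("keyboard-interactive authentication is enabled: PAM can still "
                        "prompt for a password even when PasswordAuthentication is no")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if cfg["permitrootlogin"] not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin allows password logins as root")
    if cfg["port"] != ["22"] and cfg["passwordauthentication"] != "no":
        findings.append("sshd listens on port %s instead of 22 but still accepts passwords: "
                        "a moved port hides sshd from a naive scanner, it does not harden it"
                        % ", ".join(cfg["port"]))
    return findings


# Constructed sample 1: the "hardened by moving the port" setup discussed above.
MOVED_PORT_ONLY = """\
# sshd_config: port moved, everything else left at defaults
Port 2222
Protocol 2
PermitRootLogin yes
UsePAM yes
"""

# Constructed sample 2: key-only login. The Match block is conditional and
# must not change the global result.
KEY_ONLY = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("moved-port-only", MOVED_PORT_ONLY), ("key-only", KEY_ONLY)):
        print("%s: %s" % (name, "; ".join(audit(text)) or "no findings"))
```

Run it against a real `/etc/sshd_config` by reading the file into `audit()`. The "moved-port-only" sample produces four findings even though its port is not 22, which is exactly the gap a port-based scanner leaves; the "key-only" sample produces none, and the `Match` block for a single user is correctly ignored for the global verdict (a full audit would report per-Match exceptions separately).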
mpkossen Posted May 22, 2012

First of all I'd like to wish Matt and the guys the best of luck during this hard time; regardless of how it happened, it's never fun to have your business touched like this.

About the situation: I have to assume that credit card details are stored encrypted, but decryptable. Otherwise recurring payments couldn't be made. You need the credit card details for that. Based on that assumption, I also have to assume that all credit card numbers will eventually be decrypted and possibly sold/used. So my advice is: cancel your credit card (and start paying with PayPal!). I'm unsure how passwords are stored, but if it's plain md5, most of them will be decryptable by now. If it's salted md5 or sha1 (salted or not), I'm seeing less trouble. I've already changed my password, though, just to make sure.

About the hosting provider: I hope they're finished or at least hit hard by this. It's absolutely unacceptable for a hosting company to let this happen. It is *always* fishy if an administrator cannot find their details and can't recover them from the client area. It's even more suspicious if shortly after giving access, the e-mail address is changed and the login details sent. Hosting companies should be so much more careful with this.

Finally, I'd like to keep getting updates on this. Clear customer communication is extremely important in cases like this. So I really hope the current way of communication is set forth or even improved (more details!).
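The post above distinguishes "plain md5" from salted hashes when judging how much a leaked user table is worth. As an added example (not WHMCS code; the accounts are constructed), the script below shows the distinction concretely: with unsalted MD5, every user who picked the same password shares one digest, so a leaked table can be attacked once for all of them, whereas a per-user random salt plus an iterated KDF gives unequal records for equal passwords and makes each guess cost real CPU time. PBKDF2-HMAC-SHA256 is used because it ships in the Python standard library; the iteration count is an assumed work factor.

```python
"""Password storage: why "plain md5" worries the poster above, and what to use instead.

Added example, not WHMCS code. The user records below are constructed.
"""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune so one verify costs tens of ms


def md5_unsalted(password):
    """The scheme the post worries about: one digest per password, for every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def unsalted_collisions(users):
    """Group users by unsalted digest.

    Any group larger than one shows the problem: a leaked table never has to
    be attacked per user, and one recovered digest unlocks every account in
    its group.
    """
    groups = {}
    for user, password in users.items():
        groups.setdefault(md5_unsalted(password), []).append(user)
    return {digest: names for digest, names in groups.items() if len(names) > 1}


def pbkdf2_store(password, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A fresh random salt per user means equal passwords give unequal records,
    and the iteration count makes each guess expensive.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def pbkdf2_verify(password, record):
    """Recompute from the stored parameters and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported record format: %s" % algorithm)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed accounts; alice and bob happened to choose the same password.
USERS = {
    "alice": "Summer2012",
    "bob": "Summer2012",
    "carol": "correct horse battery staple",
}

if __name__ == "__main__":
    print("shared unsalted digests:", unsalted_collisions(USERS))
    records = {user: pbkdf2_store(pw) for user, pw in USERS.items()}
    print("alice and bob records differ:", records["alice"] != records["bob"])
    print("alice verifies:", pbkdf2_verify("Summer2012", records["alice"]))
    print("wrong password rejected:", not pbkdf2_verify("summer2012", records["alice"]))
```

Storing the iteration count in the record lets a site raise the work factor later and re-hash each user at their next login. Where a memory-hard function is available (`hashlib.scrypt`, bcrypt, or Argon2 via a third-party package), prefer it over PBKDF2; the record format and the constant-time verify stay the same.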
ExsysHost Posted May 22, 2012

> Do you realize that all Hostgator servers are physically located at the Softlayer "real data centers"?

I don't think this is true... Hostgator has been around much longer than Softlayer... I have been with SL since they opened. They might have some servers there... but my point was that a Softlayer server is self-managed, and WHMCS would then hire a 3rd party security firm to manage the server, and this would have never happened, because again the attacker wouldn't know the name of the 3rd party to call on the phone to request SSH key access.