wsd Posted May 27, 2012

Is this a kindergarten lol, or is it just greed that comes up in people. I have not seen a SLA from WHMCS that promises 99.999% uptime, and in the two years I have used whmcs.com and forum.whmcs.com this is the first time I experienced that there is downtime, so just relax and enjoy that WHMCS has now updated the forum to vBulletin® Version 4.2.0.

And if you need a little joy, then you can enjoy that it was not you who was hacked. And I would assume that Matt knows what security is, in all aspects. You cannot keep the thief out, the only thing you can do is make it so complicated that they do not bother, but if they wish to enter then they come also.

easyhosting Posted May 27, 2012

> When you type WHMCS in to Google, the 4th result is this...
> http://krebsonsecurity.com/2012/05/whmcs-breach-may-be-only-tip-of-the-trouble/
> http://www.theregister.co.uk/2012/05/22/whmcs_breach/
> Some of you probably read it already but there's a lot more info on there than what we have been told.
>
> Daniel, I still disagree you need more than 1 account to run a business. If your bank is any good then your business account should be covered for any emergencies that come up without you having to create multiple accounts. Do you think more businesses have more than 1 account than not? I think not. You sound like a total jumped up troll trying to belittle people cos of their concerns over the hack of WHMCS. Who cares how many accounts you have, it's the personal details side that most of us are mad about being released. Why should we be creating multiple accounts for the incompetence of businesses like this one? Imagine your 3 accounts were stored in the poor manner that WHMCS stores your details, all 3 would be taken over in seconds creating 3 times as much annoyance.
>
> Those on here who try to defend the shambles that WHMCS has allowed a hacker to create with such terrible security and hiding the truth stinks. Half of them will be WHMCS fanboys who think WHMCS can't do wrong or are on the payroll. Google WHMCS hacked and you'll find out so much more than what's been disclosed on here... as much as WHMCS works and does what I need, I'm looking for a better solution cos clearly WHMCS is inherently flawed from the source to the management.

I have to agree. I have been in business 11 years with 1 business account (1 DC and 1 cheque book) and have had no issues. I have once had to have my card replaced and this was done within 24 hours. Only this year I have gained a Paypal pre pay card for my business account.

easyhosting Posted May 27, 2012

> I have not seen a SLA from WHMCS that promises 99.999% uptime

An SLA is for web hosts, so as WHMCS is not a webhost and no one is hosted with them then they won't have an SLA. Now WHMCS would be able to claim under an SLA with their host (hostgator) but as all installations were up anyway, just that some users had licencing validation issues meaning they could not get access to their admin area

ivaserver Posted May 27, 2012

> Ninak asked so I broke down his comments with appropriate and correct answers. This is not brown nosing, this is replying to a question asked on a public forum.

You seem very calm about this whole issue. Have you informed all your customers yet that their details (address, phone, email etc.) are stored in whmcs software that has recently been compromised?

wsd Posted May 27, 2012

> An SLA is for web hosts, so as WHMCS is not a webhost and no one is hosted with them then they won't have an SLA. Now WHMCS would be able to claim under an SLA with their host (hostgator) but as all installations were up anyway, just that some users had licencing validation issues meaning they could not get access to their admin area

http://en.wikipedia.org/wiki/Service-level_agreement

Damo Posted May 27, 2012

> You seem very calm about this whole issue. Have you informed all your customers yet that their details (address, phone, email etc.) are stored in whmcs software that has recently been compromised?

What?! It was WHMCS' own installation of WHMCS that was compromised - that means it is only WHMCS customers' details (i.e. you as a web host using WHMCS) and not your clients' details. Your clients' details are stored in your own installation of WHMCS so telling your own clients that their details were compromised is just not correct.

easyhosting Posted May 27, 2012

> You seem very calm about this whole issue. Have you informed all your customers yet that their details (address, phone, email etc.) are stored in whmcs software that has recently been compromised?

Individual installations WERE NOT compromised. The only information that was compromised is what was placed in support tickets to WHMCS or CC details used to pay invoices with WHMCS.com.

Yes, I kept all my clients fully informed and actually had 12 cancel requests as soon as the DB was made public, but after calming clients and explaining the full situation these requests were withdrawn.

Yes, I was annoyed at the time, but no good getting worked up about it and giving yourself a heart attack over it. Nothing you can do about it apart from following the advice to lock down your servers and logins.

Edited May 27, 2012 by easyhosting

ivaserver Posted May 27, 2012

I am pleased you got the email warning and acted quickly to secure. I unfortunately did not get the warning email as it was blocked as spam (RBL listed at the time). Now I wonder if my installation has been hacked because of what was stored on whmcs support database. I do not allow customers to store credit card details on my servers, they are simply not secure enough and of course visa rules.

P.S. You need to check: niceday site, I am getting a security warning on Malwarebytes.

Edited May 27, 2012 by ivaserver

Stream101 Posted May 27, 2012

> Now, there's some marketing trivia that would be interesting/amusing... Those requesting a Refund or similar must state their Country of origin. lol.

I like that idea. Keep in mind I live in America folks lol!

easyhosting Posted May 27, 2012

> I am pleased you got the email warning and acted quickly to secure. I unfortunately did not get the warning email as it was blocked as spam (RBL listed at the time). Now I wonder if my installation has been hacked because of what was stored on whmcs support database. I do not allow customers to store credit card details on my servers, they are simply not secure enough and of course visa rules. fuming!

No, your own installation will be safe. Just follow http://blog.whmcs.com/?t=47723 to lock down your server. The only thing that was within the stolen DB was support tickets you have opened with WHMCS along with any login details you have given WHMCS in support tickets and any CC numbers you have used to pay WHMCS with. It is just further security to change your WHMCS sub domain and if possible IP of installation, also changing all passwords and emails ever used to give details to WHMCS. But your own client details have not been compromised.

Stream101 Posted May 27, 2012

> I am pleased you got the email warning and acted quickly to secure. I unfortunately did not get the warning email as it was blocked as spam (RBL listed at the time). Now I wonder if my installation has been hacked because of what was stored on whmcs support database. I do not allow customers to store credit card details on my servers, they are simply not secure enough and of course visa rules. fuming!

If you're worried about your site being hacked, change your passwords like Matt said in the original email. My passwords rotate at least every 7 days and no 2 servers have the same root password. Although I trust WHMCS with my details, I change the password to the same password each time I have someone do remote support, then I change it back.

ivaserver Posted May 27, 2012

> No, your own installation will be safe. Just follow http://blog.whmcs.com/?t=47723 to lock down your server. The only thing that was within the stolen DB was support tickets you have opened with WHMCS along with any login details you have given WHMCS in support tickets and any CC numbers you have used to pay WHMCS with. It is just further security to change your WHMCS sub domain and if possible IP of installation, also changing all passwords and emails ever used to give details to WHMCS. But your own client details have not been compromised.

It's what's stored in the whmcs helpdesk data that scares me.

P.S. You need to check: niceday site, I am getting a security warning on Malwarebytes.

ivaserver Posted May 27, 2012

> If you're worried about your site being hacked, change your passwords like Matt said in the original email. My passwords rotate at least every 7 days and no 2 servers have the same root password. Although I trust WHMCS with my details, I change the password to the same password each time I have someone do remote support, then I change it back.

Thanks, I have changed all login details now.

easyhosting Posted May 27, 2012

> I change the password to the same password each time I have someone do remote support, then I change it back.

The best thing to do if WHMCS need access to your installation is to just create a separate admin login for WHMCS (then your own is not given) and then when they are finished just delete the temp user.

I only trust 2 others access to my WHMCS installation and 1 of them is WHMCS (I won't say who the other is). Anyone else asking for access to work on mods etc. will not be given access.

easyhosting Posted May 27, 2012

> P.S. You need to check: niceday site, I am getting a security warning on Malwarebytes.

PM me what warning message so I can look, as all my sites/local files are checked constantly by Malwarebytes and Kaspersky.

Edited May 27, 2012 by easyhosting

ninak Posted May 27, 2012

> Only the WHMCS site/services were down, your WHMCS installation is hosted on your own server, so unless your own server went down (nothing to do with WHMCS) then your sites was up
>
> Yes this is correct
>
> The only issue was when some users ignored MATT'S initial update and tried to update/reissue licences when the licencing server was down, so these could not be validated, so meant some users could not access their admin area, but their sites/clientareas were still up.

I know all of that. Perhaps I worded it wrong but I was trying to make people see that if their site was down, it was not WHMCS but something on their end.

easyhosting Posted May 27, 2012

using virustotal.com it shows no problems with my site

URL Scanner: Result
Antiy-AVL: Clean site
Avira: Clean site
BitDefender: Clean site
CLEAN MX: Clean site
G-Data: Clean site
Google Safebrowsing: Clean site
K7AntiVirus: Clean site
Malc0de Database: Clean site
MalwareDomainList: Clean site
MalwarePatrol: Clean site
Minotaur: Clean site
Opera: Clean site
ParetoLogic: Clean site
Phishtank: Clean site
SCUMWARE.org: Clean site
SpyEyeTracker: Clean site
VX Vault: Clean site
Websense ThreatSeeker: Clean site
Yandex Safebrowsing: Clean site
ZDB Zeus: Clean site
ZeusTracker: Clean site
zvelo: Clean site

easyhosting Posted May 27, 2012

> I know all of that. Perhaps I worded it wrong but I was trying to make people see that if their site was down, it was not WHMCS but something on their end.

Yes, I was aware of that, I just answered your questions and mentioned that the only real issue between WHMCS and WHMCS installations was a licence validation issue which we never suffered.

Iceman Posted May 27, 2012

> I like that idea. Keep in mind I live in America folks lol!

LOL... I thought that may have been the case. I'm from a country that's full of convicts... so maybe here we're a little more forgiving. : )

EDIT: What's up with the smilies not working???

VicToMeyeZR Posted May 27, 2012

The only real thing I am upset about is their OWN site isn't PCI-compliant. Everything else is just water under the bridge at this point.

irh Posted June 3, 2012

> Exactly what Valuable data was lost?

My Password and credit card. Enough?

> The notification email was sent out about 8 hours after the event occurred, while constantly being ddos'd and attempting to restore the site from backups. Less than 24 hours is pretty acceptable when you look at the scope of things.

Any secure host will have equipment to mitigate DoS and DDoS attacks. Purely WHMCS managers' fault to fail host in proper environment.

mylove4life Posted June 3, 2012

If you think that's true, then you have no idea what you are talking about..

> Any secure host will have equipment to mitigate DoS and DDoS attacks. Purely WHMCS managers' fault to fail host in proper environment.

Raven Posted June 6, 2012

I think people are forgetting the main issue here: WHMCS wasn't hacked in that sense, it was accessed through a con, and if you need to point the finger at anyone it was the hostgator technician that said "oh yes here's the info you need".

Also complacency with the internet has set in... It wasn't too long ago that Sony was hacked and all cc info was leaked. The answer to this is clear: Do Not Click The Remember My Card Details Button.

As far as compensation goes, come on, at around 15 to 18 bux a month (12 to 15 gbp) is it even worth wasting the electricity to ask for it. Matt and WHMCS were victims, you wouldn't ask a crash victim for compensation cos they got blood on your nike.

Just my little bit I guess. Yes, I was shocked and a bit disappointed if I'm honest, but No One is 100% hack proof or safe.

stubert10 Posted June 6, 2012

No, I think you're ALL MISSING THE POINT. It doesn't matter HOW someone got into the system and took details...... It's the fact they were STORING CREDIT CARD INFORMATION. I mean how STUPID can you get? I agree with some sort of compensation and technically there is no reason why a class action could not take place as ALL my personal I.D. details are out there in the WWW for all to see.