
how to filter the base64_decode hacks



Hey guys,

 

I've been trying to use the Spam Filter in WHMCS to stop those annoying base64_decode attacks by using the spam filters. I have added portions of this ({php}eval(base64_decode) in the subject and phrase filters but I am still getting those emails.

 

I have tested this and it works fine when a ticket is created via an email so I can only assume these hack attempts are being generated from the create support ticket page in WHMCS. I have captcha enabled for anyone not logged in so it seems they are getting through that easily enough.

 

Is there any other way to stop these from flooding my support queue? Are any of you guys also receiving a ton of these attacks?

 

Thanks,

Liano


Is there any other way to stop these from flooding my support queue? Are any of you guys also receiving a ton of these attacks?

Applying the rule to spam within WHMCS makes no difference, as this is not how the code is applied, and the support ticket is the result of the executed action by the person applying the text.

 

There are other fixes, but they are quite restrictive.

The obvious one is to remove the link to allow anyone to register without actually purchasing anything!

 

Since I applied both of these, I've not had any new registrants / tickets.

The IP addresses did make several visits afterwards for several weeks, then they suddenly stopped.


The obvious one is to remove the link to allow anyone to register without actually purchasing anything!

 

The obvious one is to either patch your installation per the patch circa 12/11 or, better yet, upgrade to the latest WHMCS.

 

I did read on WHT that there is a way to prevent it from happening in the htaccess, and by prevent it, I mean block the attempt, redirect the twat to a safe directory and virus the crap out of the moron.

 

No, no, I would never do such an evil and twisted thing ;-P

 

 

Just a thought here: you have patched, have you not? Please say yes, or that you are already on a new installation. If you have not, your installation is compromised and your administrators need to run an immediate malware/virus/exploit scan. Expect to find 6 in the downloads directory (and if it wasn't there before because you moved it, it will be now) and also a few files dotted here and there under the webroot. You will also find 3 or 4 breached files in the templates_c directory; only a scan or visual check will spot them.

 

I'm not sure of this because I moved my installation and may have missed them in the move, but my downloads were gone. I had two of these and had to redo them, but the related addons for them still existed.

 

 

Edit again: I just checked in the backup of the breached installation; the addon download files are not there, so they were deleted by the breach.

Edited by disgruntled
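
The scan recommended in the post above (downloads directory, templates_c, stray files under the webroot) could look like the following. This is an added example, not part of the original thread and not WHMCS tooling. The patterns come from the strings quoted in this thread; the script-in-downloads rule, the file names and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Patterns based on the strings quoted in this thread; extend as needed.
PATTERNS = {
    "eval-base64": re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I),
    "smarty-php-tag": re.compile(rb"\{php\}", re.I),
}
SCRIPT_SUFFIXES = (".php", ".phtml")  # assumption: never expected in downloads/
MAX_BYTES = 2 * 1024 * 1024           # read at most 2 MiB per file


def scan(root):
    """Return sorted (relative_path, reason) pairs that need manual review."""
    root = Path(root)
    findings = set()
    for path in root.rglob("*"):
        if not path.is_file() or path.is_symlink():
            continue
        rel = path.relative_to(root).as_posix()
        with path.open("rb") as fh:
            data = fh.read(MAX_BYTES)
        for name, rx in PATTERNS.items():
            if rx.search(data):
                findings.add((rel, name))
        # A script inside the downloads directory is suspicious by location.
        if rel.split("/")[0] == "downloads" and path.suffix.lower() in SCRIPT_SUFFIXES:
            findings.add((rel, "script-in-downloads"))
    return sorted(findings)


def demo():
    """Build a constructed sample tree (not from a real breach) and scan it."""
    samples = {
        "downloads/addon.zip": b"PK\x03\x04 harmless archive bytes",
        "downloads/x.php": b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>",
        "templates_c/t1.tpl.php": b"<?php echo 'compiled'; ?>",
        "templates_c/t2.tpl.php": b"<?php eval( base64_decode ($x)); ?>",
        "templates/custom/header.tpl": b"<p>{php}echo 1;{/php}</p>",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan(tmp)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:20} {rel}")
```

A hit is a prompt for manual review, not proof of compromise: a custom template may legitimately contain a `{php}` tag, and a clean result does not rule out files that use other encodings.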

Yes, my WHMCS is patched and safe. My post and question was how to stop the continued attempts at hacking the site. I know I am protected against them but it is F***ING annoying to see them fill up my support queue. Do you have a link to that WHT post you can share?
