deathbysnoosnoo, posted March 19, 2013 (edited March 19, 2013):

I found some PHP files in a customer's directory and when executed I see the title of the one program is 'WHMCS Killer V3'. After browsing around it is clear its intent is to extract every bit of customer data and other malicious things. Has this ever been seen in the wild before? I can take screenshots and provide the code if someone is so inclined to look at it.
openmind, posted March 19, 2013:

Which WHMCS version are you running? Were the files located within the WHMCS install?
WHMCS Chris, posted March 19, 2013:

Hello, please do not post malicious code on these forums. These "WHMCS Killer" scripts are simply database readers. It requires either file system access to the server already, or executing the Apache symlink exploit, in which case the server itself has been compromised.
easyhosting, posted March 19, 2013:

> I found some PHP files in a customer's directory and when executed I see the title of the one program is 'WHMCS Killer V3'.

As Chris states, this is a server security issue. First thing: you should not have executed them (especially if on a client's account). This is what we would do:

1) Temporarily suspend the customer's account (this locks down the account and can sometimes disable exploits).
2) Change the name of the strange files/folders (so the exploiter cannot access the files/folders).
3) Contact the customer to see if they are aware of these files/folders.
4) If no reply from the customer within 24 hours, then we will remove the files. Most genuine clients would contact you within a few hours, as soon as they are aware their site is suspended.

In your case I would employ a system admin to lock down the security of your server.
WHMCS Chris, posted March 19, 2013:

Correct. If you read the initial section of the script for connecting to WHMCS, it has two options.

Option 1: Enter the database connection details, including hostname, dbname, dbuser, and db pass. Obviously, the ability to read configuration.php would be required for this, thus file system access.

Option 2: Enter the location of the file that is symlinked to configuration.php. Exploited through Apache that is not patched for this.

Ultimately this script is pointless, as logging in as an administrator would provide more information than the "killer" script itself. Keep Apache secured from the symlink exploit, use secure passwords, and don't allow external servers to access port 3306, and theoretically you should be fine.
bear, posted March 19, 2013:

> 2) Change the name of the strange files/folders (so the exploiter cannot access the files/folders).

Rather than change the names, CHMOD to 000 (chmod 000 ./filename) and make them immutable (chattr +i ./filename). This prevents reuploading the same files with the same names as well as access/execution. Suspend and contact.

> theoretically you should be fine.

Never a sure thing with servers; you can only layer security, stay proactive and hope.

> Ultimately this script is pointless, as logging in as an administrator would provide more information than the "killer" script itself.

WHMCS logs accesses, though I believe this script doesn't. That would be one point: not being as easily discovered that you're accessing things.

> I found some PHP files in a customer's directory

Hosting your billing application on the same server as hosted customers is asking for trouble, to be honest. What made you look in this customer's directories in the first place?
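An added example (not code from any poster in this thread) that scripts the lock-down step bear describes, recording hash, owner and timestamps to an evidence log before the file is touched, so the suspended-and-contact workflow above keeps something to hand to the customer or a sysadmin. Function names and the optional log-path argument are assumptions; it assumes GNU coreutils and, for the immutable flag, root on an ext/xfs filesystem.

```shell
#!/bin/sh
# Added example, not from the thread. Quarantine a suspicious file found in a
# hosted account: preserve evidence first, then chmod 000 and chattr +i.
# chattr needs root and a supporting filesystem, so its failure is reported,
# not fatal; chmod 000 alone already stops the web server reading it.

quarantine_file() {
    f="$1"
    log="${2:-/dev/stderr}"   # hypothetical evidence log path, default stderr
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 2; }

    # 1. Record evidence before changing anything: hash, owner, mode, mtime.
    sum=$(sha256sum "$f" | cut -d' ' -f1)
    meta=$(stat -c '%U:%G %a %y' "$f")
    printf '%s sha256=%s %s\n' "$f" "$sum" "$meta" >> "$log"

    # 2. Drop every permission bit so nothing can read or execute the file.
    chmod 000 "$f" || return 3

    # 3. Make it immutable so it cannot be deleted or overwritten by a
    #    re-upload under the same name. Needs root; report if unavailable.
    if command -v chattr >/dev/null 2>&1 && chattr +i "$f" 2>/dev/null; then
        echo "locked (mode 000, immutable): $f"
    else
        echo "mode 000 applied, chattr +i failed (not root or unsupported fs): $f" >&2
    fi
    return 0
}

# Returns 0 when the file has mode 000, the part of the lock that needs no root.
is_locked() {
    [ "$(stat -c '%a' "$1")" = "0" ]
}
```

Run it as root for the immutable flag to take; `lsattr` shows the `i` flag and `chattr -i` releases it once the customer has been contacted and the file is to be removed.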
WHMCS Chris, posted March 19, 2013:

> WHMCS logs accesses, though I believe this script doesn't. That would be one point: not being as easily discovered that you're accessing things.

True. However, if they had database access, they could easily wipe the log.