Hacked :(

Jinx13

Hey, I have just been hacked by LiBeRTADoRS

Twitter:

@SiRAbdou

&

@LiBeRTADoReSTM

My admin folder is still accessible and my templates folder is not affected.

I'm struggling to find how/what/where :/

Does anyone have any tips?

Thank you


Hello,

If your installation isn't *apparently* affected, they most likely uploaded an index.php/html page and updated the .htaccess to call it. I would begin by checking the access & FTP logs for the filename once you isolate it. Then check the server logs for their IP address and trace back to the starting point to ensure they've not done anything else.

Also, do a check for any symlinks:

find . -type l -exec ls -lad {} \;

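Chris's triage advice above (find who fetched the planted file, then trace that IP back through the rest of the log), as an added shell example that is not code from the thread; the five access-log lines and the file path /images/index.html are constructed sample data, and the same functions work for the later search of the log for configuration.php.

```shell
#!/bin/sh
# Added example, not code from the thread: triage an Apache-style access log
# for a file the intruder planted, then pull every request from the IPs that
# touched it, so the session can be traced back to its starting point.
# The five log lines are constructed sample data (RFC 5737 test addresses).

ACCESS_LOG="$(mktemp)"
trap 'rm -f "$ACCESS_LOG"' EXIT
cat >"$ACCESS_LOG" <<'EOF'
203.0.113.5 - - [07/May/2013:08:01:10 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [07/May/2013:08:02:44 -0400] "GET /configuration.php HTTP/1.1" 200 0 "-" "curl/7.29"
203.0.113.5 - - [07/May/2013:08:03:01 -0400] "GET /cart.php?gid=1 HTTP/1.1" 200 9011 "-" "Mozilla/5.0"
198.51.100.23 - - [07/May/2013:08:05:19 -0400] "GET /images/index.html HTTP/1.1" 200 3380 "-" "curl/7.29"
192.0.2.77 - - [07/May/2013:08:19:56 -0400] "GET /user/soapCaller.bs HTTP/1.0" 404 - "-" "Morfeus Scanner"
EOF

# Unique client IPs that requested PATH. Field 7 of the combined log format
# is the request target; the query string is stripped before comparing.
ips_for_path() {
  awk -v p="$1" '{ split($7, t, "?"); if (t[1] == p) print $1 }' "$2" | sort -u
}

# Every line logged for the IPs that requested PATH, in original order,
# so earlier probes and other uploads by the same client show up together.
trace_ips() {
  ips="$(ips_for_path "$1" "$2" | tr '\n' ' ')"
  awk -v list="$ips" 'BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
                       ($1 in want)' "$2"
}

# Number of lines trace_ips returns, for a quick sanity check.
trace_count() {
  trace_ips "$1" "$2" | awk 'END { print NR }'
}

echo "IPs that fetched the planted file:"
ips_for_path /images/index.html "$ACCESS_LOG"
echo "Full activity from those IPs:"
trace_ips /images/index.html "$ACCESS_LOG"
```

On a real server, replace the heredoc with the path to the access log (and run the same against the FTP log), then check the listed IPs against the first matching timestamp to find the entry point.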

Thank you, I did check the access logs but all I could find was this, however I don't think it's anything:

66.193.171.233 - - [07/May/2013:08:19:56 -0400] "GET /user/soapCaller.bs HTTP/1.0" 404 - "-" "Morfeus ****************ing Scanner"

@WHMCS Chris, is that code done via SSH?

I checked the .htaccess file and also the .html files, as I don't have many, and they seemed fine.


I see that your main site shows an "Under Construction" page, but cart.php?gid=1 shows the hacked page...

going through their list of hacked sites (checked most but not all), yours seems the only one to use WHMCS - so I don't think they've accessed via a WHMCS exploit... all the domains I checked (apart from yours I think) were hosted at HostDime, so probably some shared hosting hack.

looking at the source code, I can't tell whether it's been added to the template file, or via the admin/database.

as Chris suggests, checking your logs and files is the most important thing, and then perhaps contact your hosting company.


The under construction page was just a mask over the top till I've sorted this out.

I have checked my template files and all seems fine. Even added my template folders on an internal server on my PC.

It seems that it is the database, as as soon as I uploaded my database to WAMP and opened localhost I had the same hacked page.

Still scanning through logs to try to find where.

I have contacted my host to run the code via SSH.

Thank you for your help :)


Think I have found it

yep, that code that Chris removed was what I saw when I checked out your site - glad you found it.

one further security measure you might want to consider is to encrypt your configuration.php file - as obviously once the hacker got access to your hosting account, he could read this file and access the db... you can use IonCube Online Encoder and it costs just GBP£0.25 - I'd be interested to hear from others who have done this.


Thank you for the tip, testing the encoded configuration.php now :)

I have a problem: it looks like every man and his dog are accessing my DB :(

Someone just changed my admin details and I've still not found the entry point.

Although

I found this in my access logs:

[Deleted logs and moved to ticket]

Does anyone know if this could be the issue? Either something in my template or knowledgebase?

Thank you

Edited by Jinx13

Thank you for the tip, testing the encoded configuration.php now :)

I have a problem: it looks like every man and his dog are accessing my DB :(

Someone just changed my admin details and I've still not found the entry point.

Does anyone know if this could be the issue? Either something in my template or knowledgebase?

I don't know if you did this, but the first thing I would have done would have been to delete everything in the account, or ideally delete the entire hosting account - then create a new one from scratch with different username, different long passwords, different db name, username and passwords, different admin folder name, install whmcs from scratch... restore the last safe db backup and then install your template (checking it file by file).

with regards to the above logs (which I suspect Chris will delete!), it does seem to signify someone trying to gain access (search google!) - though if you've got the whmcs installation secured, you should be alright... perhaps you should use .htaccess to block such attempts.


When this happened: http://forum.whmcs.com/showthread.php?68466-WHMCS-Security

Did you ever change passwords on anything?

Of course :)

I don't know if you did this, but the first thing I would have done would have been to delete everything in the account, or ideally delete the entire hosting account - then create a new one from scratch with different username, different long passwords, different db name, username and passwords, different admin folder name, install whmcs from scratch... restore the last safe db backup and then install your template (checking it file by file).

with regards to the above logs (which I suspect Chris will delete!), it does seem to signify someone trying to gain access (search google!) - though if you've got the whmcs installation secured, you should be alright... perhaps you should use .htaccess to block such attempts.

I deleted the logs as I have submitted them to support. I changed all my passwords after the first attempt.

I will say that they never actually accessed my ACP that I know of (I had .htaccess password already).

It seems that they have been accessing my configuration.php via the same method, and after searching my access logs for "configuration.php" I saw all the attempts that were made.

I have taken the advice from you and encoded configuration.php.

It costs 5 credits (25p GBP) but you have to buy a minimum of 100 credits for £5.00, which doesn't break the bank, so that's what I did and it works fine :)

I would probably recommend it to everyone.

Thank you for any help, it has been passed to the security team.


I deleted the logs as I have submitted them to support. I changed all my passwords after the first attempt.

I will say that they never actually accessed my ACP that I know of (I had .htaccess password already).

a thought that occurred to me last night (while watching MOTD!) is whether they would need to anyway - it's just a pretty front-end to the database, and if they could access the db directly to add their code...

also, did you have any customer logins in the database (hosting or domain registrar) or cpanel keys?

It seems that they have been accessing my configuration.php via the same method, and after searching my access logs for "configuration.php" I saw all the attempts that were made.

I have taken the advice from you and encoded configuration.php.

It costs 5 credits (25p GBP) but you have to buy a minimum of 100 credits for £5.00, which doesn't break the bank, so that's what I did and it works fine :)

i'm glad to have been of some help - i'm still very new to WHMCS but happy to share what little I've learned over the last couple of months...

the idea of encoding configuration.php was something I found in another thread while researching WHMCS before buying the license - they also mentioned to encode .htaccess as well.

as you confirm it works fine, it's something i'll probably do when the time comes to take our site live.


Encoding the file won't really make a difference. All they'd need to do is 'include' the file via PHP in another script and they have access to all the variables contained in it.

If they have access to the file system, then all it does is make it so they can't open and read it in plain view.
