raeyo, posted October 5, 2013:

The day after the upgrade I got a strange "new client notification":

---------
Client ID: 224 - ffffffff fffffffff has requested to change his/her details as indicated below:
First Name: 'ffffffff' to 'AES_ENCRYPT(1,1), firstname=(SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins)'
Last Name: 'fffffffff' to '1'
Company Name: 'fffffffffffff' to '1'
Address 1: 'fffffffffff' to '1'
Address 2: 'fffffffffff' to '1'
City: 'ffffffff' to '1'
State: 'ffffffffffffff' to '1'
Postcode: '78541' to '1'
Country: 'BE' to 'US'
Phone Number: '06596496496494' to '1'
Default Payment Method: '' to ''
--------------

Seems to me something nasty. Please advise what to do with it (just remove that client?).
ebmocwen, posted October 5, 2013:

This looks like an attempted 'hack' using the vulnerability. If you have applied the 5.2.8 patch then it should have failed, as this particular vulnerability is now closed.
Dicko_md, posted October 5, 2013:

I got this today also. I need the 5.2.8 upgrade. I am currently on 5.2.7, but the person I took the WHMCS license over from has not passed the license over yet and is away on holiday. I got hit by a few new users and then all the first names got changed to disaster. Please could someone email me the 5.2.8 update? Thanks in advance, Martyn
barco57, posted October 5, 2013:

The blog has the link to the incremental, so if you're on 5.2.7 already just go to http://go.whmcs.com/218/v528_Incremental
Dicko_md, posted October 5, 2013:

Thanks barco for that. I've downloaded it now. I tried checking yesterday but didn't see that. Is there anything else that I need to update or run to make sure this doesn't happen again, or was it just an exploit on 5.2.7? Thanks, Martyn
smithereenz, posted October 6, 2013:

I woke this morning to 4 new clients with made-up emails and with the words "hack" and "Pirate", all created a few hours ago. I applied the 5.2.8 update on the 4th, so there must still be an issue. I've removed my register.php page temporarily as this is the entry point. Google "whmcs 5.2.8 hack" and you'll see a listing on a hacking site explaining how to do it; they also recommend downloading 5.2.8 to do it. Submitted a ticket with as many details as possible and currently in the process of downloading raw access logs.
ebmocwen, posted October 6, 2013:

Do you have the mod_security rule in place to block this hack? If so, check your logs; hopefully you will see the hacking attempt and also its failure. My understanding is that this hack no longer works in 5.2.8; however, it doesn't stop the culprits from trying.
smithereenz, posted October 6, 2013:

Yes, the mod_security rule is in place. Nothing on the basic cPanel raw access logs for the domain, so I'm now looking at server logs. 4 accounts were sitting in WHMCS with unverified email addresses (probably because the addresses were totally made up).
Dicko_md, posted October 6, 2013:

I don't have mod_security installed and got hacked. I'm up to 5.2.8. I've had 4 or 5 more accounts created this morning, and I disabled adding more accounts in WHMCS, so I guess it's from SQL then. Any chance of a step-by-step on how to install this, please? I don't know how to do it via SSH, and I've never used EasyApache before. Regards, Martyn
mech, posted October 6, 2013:

The same here, some accounts modified:

06/10/2013 06:39 Client Profile Modified - First Name: 'AES_ENCRYPT(1,1), firstname=(SELECT * FROM (SELECT COUNT(id) FROM tblclients) as x)' to 'AES_ENCRYPT(1,1), firstname=(SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins)', Default Payment Method: '' to '' - User ID: 46

I wrote a ticket, but at this moment there is no response. I don't know what to do now.
WHMCS John (WHMCS Support Manager), posted October 7, 2013:

Hi,

Provided you see these entries after the patch was applied, then the attempt will not have been successful. Someone attempting to use the exploit does NOT inherently mean it was successful. If the time of the attempt was after you applied the patch then the exploit will have failed; at most the attacker would only be able to alter details of their own, dummy, account.

You can find more information in our blog: http://blog.whmcs.com/?t=79527
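A triage script that applies John's reasoning to the kind of activity-log entries quoted above. This is an added example, not WHMCS code and not from any poster: it parses "Client Profile Modified" lines, flags field values that carry SQL fragments, and labels each hit as pre- or post-patch relative to the moment 5.2.8 was applied, since attempts made after the patch should have failed. The log layout, the dd/mm/yyyy date format and the PATCH_APPLIED_AT value are assumptions; the sample entries are constructed to mirror the ones in the thread.

```python
"""Triage WHMCS "Client Profile Modified" activity-log entries for SQL fragments.

Added example, not WHMCS code. Flags field values that contain SQL fragments and
labels each hit as pre- or post-patch relative to when 5.2.8 was applied.
"""
import re
from datetime import datetime

# Assumption: the install uses the dd/mm/yyyy date format seen in the thread.
TIMESTAMP_FMT = "%d/%m/%Y %H:%M"
TIMESTAMP_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}) ")
USER_ID_RE = re.compile(r"User ID: (\d+)\s*$")
# Each changed field is logged as "<Field Name>: '<old>' to '<new>'".
FIELD_RE = re.compile(r"([A-Za-z][A-Za-z0-9 ]*?): '([^']*)' to '([^']*)'")

# Fragments that have no business in a name or address field. One strong
# indicator (a MySQL function call) or two weaker ones together flags the value,
# so an ordinary name that merely contains the word "select" does not fire.
INDICATORS = {
    "aes_encrypt": re.compile(r"AES_ENCRYPT\s*\(", re.I),
    "subselect": re.compile(r"\(\s*SELECT\b", re.I),
    "table_ref": re.compile(r"\bFROM\s+tbl\w+", re.I),
    "hex_literal": re.compile(r"\b0x[0-9a-f]+\b", re.I),
    "column_assign": re.compile(r"\b\w+\s*=\s*\(", re.I),
}

# Constructed sample log: the first two entries mirror the payloads quoted in the
# thread (user IDs 224 and 46); the third is an ordinary, benign edit.
SAMPLE_LOG = """\
05/10/2013 22:14 Client Profile Modified - First Name: 'ffffffff' to 'AES_ENCRYPT(1,1), firstname=(SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins)', Last Name: 'fffffffff' to '1' - User ID: 224
06/10/2013 06:39 Client Profile Modified - First Name: 'AES_ENCRYPT(1,1), firstname=(SELECT * FROM (SELECT COUNT(id) FROM tblclients) as x)' to 'AES_ENCRYPT(1,1), firstname=(SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins)', Default Payment Method: '' to '' - User ID: 46
06/10/2013 09:02 Client Profile Modified - First Name: 'John' to 'Jon', Default Payment Method: '' to '' - User ID: 51
"""

# Assumption: when the 5.2.8 incremental patch was applied on this install.
PATCH_APPLIED_AT = datetime(2013, 10, 6, 0, 0)


def find_indicators(value):
    """Names of the SQL indicators present in one field value."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(value))


def is_suspicious(value):
    hits = find_indicators(value)
    return "aes_encrypt" in hits or len(hits) >= 2


def parse_entry(line):
    """Split one activity-log line into timestamp, user id and (field, old, new) triples."""
    m_ts = TIMESTAMP_RE.match(line)
    if not m_ts or "Client Profile Modified" not in line:
        return None
    m_uid = USER_ID_RE.search(line)
    return {
        "timestamp": datetime.strptime(m_ts.group(1), TIMESTAMP_FMT),
        "user_id": int(m_uid.group(1)) if m_uid else None,
        "fields": FIELD_RE.findall(line),
    }


def triage(log_text, patch_applied_at):
    """Return one finding per entry whose old or new field values look like SQL."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        flagged = [name for name, old, new in entry["fields"]
                   if is_suspicious(old) or is_suspicious(new)]
        if not flagged:
            continue
        if entry["timestamp"] < patch_applied_at:
            verdict = "pre-patch: attempt may have succeeded, investigate the install"
        else:
            verdict = "post-patch: attempt should have failed, remove the dummy account"
        findings.append({"timestamp": entry["timestamp"], "user_id": entry["user_id"],
                         "fields": flagged, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, PATCH_APPLIED_AT):
        print(f"{f['timestamp']:%Y-%m-%d %H:%M} user {f['user_id']} "
              f"fields={f['fields']} -> {f['verdict']}")
```

Run it against the real activity log export and set PATCH_APPLIED_AT from your own change record; the pre-/post-patch split is what decides whether an entry is merely noise to clean up or a sign that the pre-patch window needs a proper investigation.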
skoda, posted October 9, 2013:

ebmocwen wrote: "Do you have the mod_security rule in place to block this hack? If so, check your logs; hopefully you will see the hacking attempt and also its failure. My understanding is that this hack no longer works in 5.2.8; however, it doesn't stop the culprits from trying."

I also have mod_sec in place. I wonder why it did not detect this SQL query.
skoda, posted October 9, 2013:

But I have whitelisted some rules because they conflict with WordPress users. Rule IDs: 981173 981172 981257 981245 981246 981243 950901 981242 981244

Updated: but now I am thinking of bringing all these security rules back and only applying the whitelist above to WordPress sites instead of server-wide.
skoda, posted October 9, 2013:

Ohhhh, mod_sec had been turned off (I do not know how this happened) for our root domain. Damn it.