
Weird recent client activity


arjanvr


Client IP Address Last Access

1 2 212.7.192.139 06/10/2013 08:10

AES_ENCRYPT(1,1), firstname=(SELECT * FROM (SELECT COUNT(id) FROM tblclients) as x) 1 41.141.186.234 05/10/2013 20:12

AES_ENCRYPT(1,1), firstname=(SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins) 1 46.246.45.6 04/10/2013 13:33


I found this in recent activity. Although I patched to fix the latest bug, should I be worried?


If you are running 5.2.8 (or 5.1.10) then you should be ok. See the other threads on the AES_ENCRYPT mod_security rule that you should add for extra protection from these attempted attacks. Anyone not upgraded to 5.1.10 or 5.2.8 will most likely get hacked within the next few days, so if you haven't done the update, I'd get on with it right away!

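The two log rows in the opening post and the AES_ENCRYPT mod_security rule mentioned in the reply both come down to the same defensive check: look for SQL syntax where a client name or query parameter should be. The script below is an added example written for this thread, not WHMCS code and not the ModSecurity rule from the other threads. It applies that check to a constructed copy of the recent-activity rows shown above and to a couple of constructed Apache-style access-log lines (URL-decoded first, since the attempts arrive percent-encoded), and reports the rows and source IPs worth blocking. The regexes and the sample log lines are this example's own assumptions.

```python
import re
from urllib.parse import unquote_plus

# Indicators shared by the attempts in the thread: a SQL function call injected
# into a value, a parenthesised subselect, GROUP_CONCAT, or a reference to a
# tbl* table. These regexes are this example's own, not a WHMCS or ModSecurity rule.
SQLI_PATTERNS = [
    re.compile(r"\bAES_ENCRYPT\s*\(", re.IGNORECASE),
    re.compile(r"\(\s*SELECT\b", re.IGNORECASE),
    re.compile(r"\bGROUP_CONCAT\s*\(", re.IGNORECASE),
    re.compile(r"\bFROM\s+tbl\w+", re.IGNORECASE),
]


def is_sqli(value: str) -> bool:
    """True if a submitted field value matches any indicator after URL-decoding."""
    decoded = unquote_plus(value)
    return any(p.search(decoded) for p in SQLI_PATTERNS)


# Constructed copy of the recent-activity table: (stored client name, IP, last access).
SAMPLE_ACTIVITY = [
    ("1 2", "212.7.192.139", "06/10/2013 08:10"),
    ("AES_ENCRYPT(1,1), firstname=(SELECT * FROM (SELECT COUNT(id) FROM tblclients) as x)",
     "41.141.186.234", "05/10/2013 20:12"),
    ("AES_ENCRYPT(1,1), firstname=(SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,"
     "password SEPARATOR 0x2c20) FROM tbladmins)",
     "46.246.45.6", "04/10/2013 13:33"),
]

# Constructed access-log lines (hypothetical paths); the first carries a
# percent-encoded version of the same payload shape in the query string.
SAMPLE_ACCESS_LOG = [
    '41.141.186.234 - - [05/Oct/2013:20:12:01 +0000] "GET /whmcs/register.php'
    '?firstname=AES_ENCRYPT%281%2C1%29%2C+firstname%3D%28SELECT+1%29 HTTP/1.1" 200 512',
    '10.0.0.5 - - [05/Oct/2013:20:13:10 +0000] "GET /whmcs/index.php HTTP/1.1" 200 4096',
]

ACCESS_LINE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+)')


def flag_activity(rows):
    """Return the activity rows whose stored client name carries injection syntax."""
    return [row for row in rows if is_sqli(row[0])]


def flag_access_log(lines):
    """Return (ip, request_path) for log lines whose request carries injection syntax."""
    hits = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if m and is_sqli(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


def suspicious_ips(rows, lines):
    """Union of source IPs seen in flagged activity rows and flagged log lines."""
    ips = {ip for _, ip, _ in flag_activity(rows)}
    ips.update(ip for ip, _ in flag_access_log(lines))
    return sorted(ips)


if __name__ == "__main__":
    for name, ip, when in flag_activity(SAMPLE_ACTIVITY):
        print(f"activity  {ip:16} {when}  {name[:60]}")
    for ip, path in flag_access_log(SAMPLE_ACCESS_LOG):
        print(f"accesslog {ip:16} {path[:70]}")
    print("block:", ", ".join(suspicious_ips(SAMPLE_ACTIVITY, SAMPLE_ACCESS_LOG)))
```

Run it as-is to see the two injected rows and the one encoded log line flagged; point `flag_access_log` at real lines from your web server log to get the same hourly-string style alert the later posts describe. Decoding before matching is the part that matters: a check on the raw encoded request would miss `AES_ENCRYPT%28`.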

If you are running 5.2.8 (or 5.1.10) then you should be ok. See the other threads on the AES_ENCRYPT mod_security rule that you should add for extra protection from these attempted attacks. Anyone not upgraded to 5.1.10 or 5.2.8 will most likely get hacked within the next few days, so if you haven't done the update, I'd get on with it right away!


I had already upgraded to 5.2.8. I noticed now they created 3 accounts in my accounts, which anyone can do of course, but they were all inactive. I blocked IPs and closed and deleted accounts.


It's quite unnerving to find attempted hacks, even though you are covered. Luckily I've not had any attempted hacks yet; I'm not sure how the hackers are finding WHMCS installs to hack. I am using the "unbranded" version, so I'm not sure if that takes me off the radar a little for hackers performing basic Google searches for WHMCS installations.


It's quite unnerving to find attempted hacks, even though you are covered. Luckily I've not had any attempted hacks yet; I'm not sure how the hackers are finding WHMCS installs to hack. I am using the "unbranded" version, so I'm not sure if that takes me off the radar a little for hackers performing basic Google searches for WHMCS installations.


There's a ton of other ways they can find you. "submitticket.php" is but one. I block Google's indexing of the WHMCS directory, rename the admin directory, but there are always other ways for them to find a WHMCS install.


For a while there was a bug in a version of Chrome where, if the client clicked on the ticket link, instead of immediately going to the link Chrome would send the link to Google first, *then* forward the client onto the page they were requesting. From testing I did and talking to a Chrome developer, this seemed to only happen to Chrome users who had instant search turned on. This was about 3-4 months ago, so perhaps the bug has been fixed. One can hope.


That could possibly explain how some support ticket URLs were ending up in Google searches for a while (not ours, but a lot of other hosting companies'). I realize we could require clients to log in to read tickets, but most of ours are challenged enough to click on a link (yes, I'm serious). I watch the logs (I get specific strings sent to me hourly) and give any Chrome users a heads-up that they need to just log in first.


Anyway, my point is there's tons of ways to "Google Dork" for a WHMCS install, even when it's unbranded, though unbranding helps weed out the lazy ones.


I am using the "unbranded" version, so I'm not sure if that takes me off the radar a little for hackers performing basic Google searches for WHMCS installations.

Ever so slightly less likely to find you because of that. Kiddies will search for the branded line, but those looking to grab data for real will simply search for known files using scripts, and later revisit to see what they can do. We've had a lot of recent rapid-fire searches in the logs like that.


Generally that's done with robots.txt, and a smart hacker knows to request those also. ;)

They *will* find installs.


Yep, they will. As I said:


Anyway, my point is there's tons of ways to "Google Dork" for a WHMCS install, even when it's unbranded, though unbranding helps weed out the lazy ones.


I believe in taking all reasonable precautions, though.
