arjanvr Posted October 6, 2013

Client | IP Address | Last Access
1 2 | 212.7.192.139 | 06/10/2013 08:10
AES_ENCRYPT(1,1), firstname=(SELECT * FROM (SELECT COUNT(id) FROM tblclients) as x) 1 | 41.141.186.234 | 05/10/2013 20:12
AES_ENCRYPT(1,1), firstname=(SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins) 1 | 46.246.45.6 | 04/10/2013 13:33

I found this in recent activity. Although I patched to fix the latest bug, should I be worried?

ebmocwen Posted October 6, 2013

If you are running 5.2.8 (or 5.1.10) then you should be ok. See the other threads on the AES_ENCRYPT mod_security rule that you should add for extra protection from these attempted attacks. Anyone not upgraded to 5.1.10 or 5.2.8 will most likely get hacked within the next few days, so if you haven't done the update, I'd get on with it right away!

arjanvr Posted October 6, 2013

> If you are running 5.2.8 (or 5.1.10) then you should be ok. See the other threads on the AES_ENCRYPT mod_security rule that you should add for extra protection from these attempted attacks. Anyone not upgraded to 5.1.10 or 5.2.8 will most likely get hacked within the next few days, so if you haven't done the update, I'd get on with it right away!

I had already upgraded to 5.2.8. I noticed now they created 3 accounts in my accounts, which anyone can do of course, but they were all inactive. I blocked IPs and closed and deleted accounts.

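Added example, not part of any post in this thread and not WHMCS code: the manual check described above (finding the probe accounts by what was typed into their name fields) written as a small Python audit. The `Client` record shape, the rule names, the ids and the sample rows are assumptions; the two payload strings are the ones quoted in the first post and the IPs are documentation addresses.

```python
import re
from collections import namedtuple

Client = namedtuple("Client", "id name ip")  # hypothetical record shape

# Patterns that have no place in a person's name (rule names are made up here).
RULES = {
    "sql-function": re.compile(
        r"\b(?:aes_encrypt|group_concat|concat|count|load_file)\s*\(", re.I),
    "subselect": re.compile(r"\bselect\b.+?\bfrom\b", re.I | re.S),
    "column-assignment": re.compile(r",\s*\w+\s*=\s*\("),
    "hex-literal": re.compile(r"\b0x[0-9a-f]{2,}\b", re.I),
    "whmcs-table": re.compile(r"\btbl[a-z]+\b", re.I),
}

def reasons_for(name):
    """Return the sorted names of the rules a client name trips."""
    hits = [rule for rule, rx in RULES.items() if rx.search(name)]
    if not any(ch.isalpha() for ch in name):
        hits.append("no-letters")  # e.g. "1 2": likely a throwaway probe account
    return sorted(hits)

def audit(clients):
    """Map client id -> reasons for every client whose name trips a rule."""
    return {c.id: r for c in clients if (r := reasons_for(c.name))}

def ips_to_review(clients, findings):
    """Source IPs of flagged accounts, as candidates for a block list."""
    return sorted({c.ip for c in clients if c.id in findings})

# Constructed sample rows: payload strings as quoted in the first post,
# ids invented, IPs from the RFC 5737 documentation ranges.
CLIENTS = [
    Client(101, "1 2", "198.51.100.10"),
    Client(102, "AES_ENCRYPT(1,1), firstname=(SELECT * FROM (SELECT COUNT(id) "
                "FROM tblclients) as x) 1", "198.51.100.11"),
    Client(103, "AES_ENCRYPT(1,1), firstname=(SELECT GROUP_CONCAT(id,0x3a,"
                "username,0x3a,email,0x3a,password SEPARATOR 0x2c20) "
                "FROM tbladmins) 1", "198.51.100.12"),
    Client(104, "Anna O'Neil-Select", "203.0.113.7"),  # ordinary customer
]

if __name__ == "__main__":
    found = audit(CLIENTS)
    for cid, why in found.items():
        print(cid, ", ".join(why))
    print("review:", ips_to_review(CLIENTS, found))
```

The fourth row shows why `subselect` requires both SELECT and FROM: a surname containing "Select" alone is not flagged.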
ebmocwen Posted October 6, 2013

It's quite unnerving to find attempted hacks, even though you are covered. Luckily I've not had any attempted hacks yet; I'm not sure how the hackers are finding WHMCS installs to hack. I am using the "unbranded" version, so I'm not sure if that takes me off the radar a little for hackers performing basic Google searches for WHMCS installations.

Blueberry3.14 Posted October 6, 2013

> It's quite unnerving to find attempted hacks, even though you are covered. Luckily I've not had any attempted hacks yet; I'm not sure how the hackers are finding WHMCS installs to hack. I am using the "unbranded" version, so I'm not sure if that takes me off the radar a little for hackers performing basic Google searches for WHMCS installations.

There's a ton of other ways they can find you. "submitticket.php" is but one. I block Google's indexing of the WHMCS directory, rename the admin directory, but there are always other ways for them to find a WHMCS install.

For a while there was a bug in a version of Chrome where if the client clicked on the ticket link, instead of immediately going to the link Chrome would send the link to Google first, *then* forward the client on to the page they were requesting. From testing I did and talking to a Chrome developer, this seemed to only happen to Chrome users who had instant search turned on. This was about 3-4 months ago, so perhaps the bug has been fixed. One can hope. That could possibly explain how some support ticket URLs were ending up in Google searches for a while (not ours but a lot of other hosting companies).

I realize we could require clients to log in to read tickets, but most of ours are challenged enough to click on a link (yes, I'm serious). I watch the logs (get specific strings sent to me hourly) and give any Chrome users a heads up that they need to just log in first.

Anyway, my point is there's tons of ways to "Google Dork" for a WHMCS install, even when it's unbranded, though unbranding helps weed out the lazy ones.

bear Posted October 6, 2013

> I am using the "unbranded" version, so I'm not sure if that takes me off the radar a little for hackers performing basic Google searches for WHMCS installations.

Ever so slightly less likely to find you because of that. Kiddies will search for the branded line, but those looking to grab data for real will simply search for known files using scripts, and later revisit to see what they can do. We've had a lot of recent rapid fire searches in the logs like that.

bear Posted October 6, 2013

> There's a ton of other ways they can find you. "submitticket.php" is but one. I block Google's indexing of the WHMCS directory

Generally that's done with robots.txt and a smart hacker knows to request those also. They *will* find installs.

Blueberry3.14 Posted October 6, 2013

> Generally that's done with robots.txt and a smart hacker knows to request those also. They *will* find installs.

Yep, they will. As I said:

> Anyway, my point is there's tons of ways to "Google Dork" for a WHMCS install, even when it's unbranded, though unbranding helps weed out the lazy ones.

I believe in taking all reasonable precautions, though.