EuroTimmy Posted October 7, 2013
I have fallen foul of the v5.2.7 hack publicly listed a few days ago. I have found a new client and its modified profile using the 'AES_ENCRYPT' script in the logs. Following this there is a series of entries saying "Added New Download - 1" and "Deleted Download (ID:1)"... there are 5 of each of these. This all happened within the space of 7 minutes (according to 'Utilities' - 'Logs' - 'Activity Log'). I have since:
- changed the new user status to 'Closed'
- upgraded to v5.2.8
- changed the admin password
Can anybody advise me what I need to do next, or what to look for now to see what the extent of the breach is?
penguin Posted October 7, 2013
Are you able to provide more specific details of the logs? I'm going to take a guess that they have uploaded a shell script to your site, and therefore if this is still in place they may still have access to your website, regardless of the WHMCS details being changed. Take a look at the website access logs as well, as these will provide you with some additional details over what you are seeing logged in WHMCS.
WHMCS John (WHMCS Support Manager) Posted October 8, 2013
Hi, looking at that it appears you have unfortunately been a victim of a vulnerability that was identified in the WHMCS software last week. Please accept my sincerest apologies for that. As soon as we became aware of the issue an update was published, all customers were emailed and notices were posted on our blog and social media. To mitigate against these effects I recommend restoring your most recent database backup from before the compromise. Then upgrade to the latest version of WHMCS, v5.1.10 or 5.2.8, to protect against this vulnerability: http://blog.whmcs.com/?t=79427 Finally, as a precaution I recommend resetting client and server passwords, as well as the password of any third parties in WHMCS (such as payment gateways and domain registrars).
penguin Posted October 8, 2013
Sorry, I have to object to this advice, as if this has had anything added to the downloads then it requires a more thorough check than just restoring the database. As mentioned, if a shell script has been uploaded, for example, then they may have gained full access to the hosting account and it may well still be in place as well; therefore restoring the database and updating passwords will not prevent further access. I think you need to acknowledge the seriousness of this exploit and what it enables people to do to an installation. It's bad enough that it was in place, however please don't be complacent with the advice that you are giving people. EuroTimmy, if you're worried about the condition of your installation and you want any assistance, I'll happily provide you with our server management services at no cost to thoroughly check your installation so that you know what has been affected.
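The two checks penguin recommends in the replies above (look for an uploaded shell script, and read the web-server access logs alongside the WHMCS activity log) can be scripted. The following is an added example written for this thread; it is not code from the forum, from penguin, or from WHMCS. It parses combined-format access-log lines and flags requests for .php paths outside a known application tree plus POST requests inside the compromise window, then walks a document root for PHP files modified inside that window or containing common web-shell constructs. The log lines, the file tree, the known-path list, the indicator patterns and the 7-minute window are all constructed for the demonstration and are assumptions, not real WHMCS paths or traffic.

```python
"""
Added example (not from the forum thread and not WHMCS code): two checks a responder
can run after an incident like the one described above, to look for a dropped PHP
web shell.

  scan_access_log()  -- flags requests for .php paths outside the known application
                        tree, and POST requests inside the compromise window
  scan_webroot()     -- flags PHP files modified inside the window or containing
                        common web-shell constructs

The log lines, file tree, known-path list, indicator patterns and the time window
are all constructed for the demonstration; they are assumptions, not WHMCS data.
"""
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed web-shell indicators (assumption: a small, high-signal set).
INDICATORS = [
    ("eval of decoded payload",
     re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
    ("command execution fed from request",
     re.compile(rb"(system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(GET|POST|REQUEST)", re.I)),
    ("assert on request input",
     re.compile(rb"assert\s*\(\s*\$_(GET|POST|REQUEST)", re.I)),
]


def parse_ts(raw):
    """Parse an Apache/nginx timestamp such as 07/Oct/2013:14:01:02 +0000."""
    return datetime.strptime(raw, "%d/%b/%Y:%H:%M:%S %z")


def scan_access_log(lines, known_php, start, end):
    """Return (ip, iso_ts, method, path, reasons) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"])
        path = m["path"].split("?", 1)[0]
        reasons = []
        if path.endswith(".php") and path not in known_php:
            reasons.append("php file outside known tree")
        if m["method"] == "POST" and start <= ts <= end:
            reasons.append("POST inside compromise window")
        if reasons:
            hits.append((m["ip"], ts.isoformat(), m["method"], path, reasons))
    return hits


def scan_webroot(root, start, end):
    """Return (relative_path, reasons) for PHP files that look planted."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            full = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(full), tz=timezone.utc)
            reasons = []
            if start <= mtime <= end:
                reasons.append("modified inside compromise window")
            with open(full, "rb") as fh:
                data = fh.read()
            for label, pat in INDICATORS:
                if pat.search(data):
                    reasons.append("contains " + label)
            if reasons:
                findings.append((os.path.relpath(full, root), reasons))
    return sorted(findings)


def run_demo():
    """Build a constructed log and web root, run both scans, return the results."""
    start = datetime(2013, 10, 7, 14, 0, 0, tzinfo=timezone.utc)   # constructed start
    end = start + timedelta(minutes=7)                               # the 7-minute window
    known_php = {"/index.php", "/admin/index.php"}                   # assumed clean tree

    log_lines = [  # constructed, not real traffic
        '198.51.100.7 - - [07/Oct/2013:13:20:05 +0000] "GET /index.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
        '203.0.113.5 - - [07/Oct/2013:14:01:02 +0000] "POST /admin/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        '203.0.113.5 - - [07/Oct/2013:14:03:11 +0000] "GET /downloads/x.php?cmd=id HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
        '203.0.113.5 - - [07/Oct/2013:14:05:50 +0000] "POST /downloads/x.php HTTP/1.1" 200 61 "-" "Mozilla/5.0"',
        '198.51.100.7 - - [07/Oct/2013:15:10:00 +0000] "GET /index.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
    ]

    root = tempfile.mkdtemp()  # constructed document root

    def put(rel, body, when):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
        os.utime(full, (when.timestamp(), when.timestamp()))

    put("index.php", b"<?php echo 'front page'; ?>", start - timedelta(days=30))
    put("admin/index.php", b"<?php echo 'admin'; ?>", start - timedelta(days=30))
    put("downloads/x.php", b'<?php eval(base64_decode($_POST["p"])); ?>', start + timedelta(minutes=3))

    return scan_access_log(log_lines, known_php, start, end), scan_webroot(root, start, end)


if __name__ == "__main__":
    hits, findings = run_demo()
    for row in hits + findings:
        print(row)
```

Run it against a real host by feeding `scan_access_log()` the lines of the site's access log, a `known_php` set built from a clean copy of the application, and the window taken from the WHMCS activity log; point `scan_webroot()` at the account's document root. Anything a restored database backup cannot undo (a file the scans flag) is exactly what penguin's warning is about, so a hit here should be removed, or the account rebuilt from clean sources, before the password resets are trusted.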