
Hacked 5.2.7 - Not sure what the extent is...



I have fallen foul of the v5.2.7 hack publicly listed a few days ago.


I have found a new client and its modified profile using the 'AES_ENCRYPT' script in the logs.

Following this there are a series of entries saying "Added New Download - 1" and "Deleted Download (ID:1)"... there are 5 of each of these.

This happened all within the space of 7 minutes (according to 'Utilities' - 'Logs' - 'Activity Log').


I have since:

-changed the new user status to 'Closed'

-upgraded to v5.2.8

-changed the admin password


Can anybody advise me what I need to do next or what to look for now to see what the extent of the breach is?


Are you able to provide more specific details of the logs? I'm going to take a guess that they have uploaded a shell script to your site and therefore if this is still in place they may have access to your website still, regardless of the WHMCS details being changed. Take a look at the website access logs as well as this will provide you with some additional details over what you are seeing logged in WHMCS.


  • WHMCS Support Manager


Looking at that it appears you have unfortunately been a victim of a vulnerability that was identified in the WHMCS software last week. Please accept my sincerest apologies for that.

As soon as we became aware of the issue an update was published, all customers emailed and notices posted on our blog and social media.


To mitigate against these effects I recommend restoring your most recent database backup from before the compromise. Then upgrade to the latest version of WHMCS v5.1.10 or 5.2.8 to protect against this vulnerability: http://blog.whmcs.com/?t=79427

Finally, as a precaution I recommend resetting client and server passwords, as well as the password of any third parties in WHMCS (such as payment gateways and domain registrars).


Sorry - I have to object to this advice, as if this has had anything added to the downloads then it requires a more thorough check than just restoring the database. As mentioned, if a shell script has been uploaded, for example, then they may have gained full access to the hosting account and it may well still be in place as well; therefore restoring the database and updating passwords will not prevent further access. I think you need to acknowledge the seriousness of this exploit and what it enables people to do to an installation. It's bad enough that it was in place; however, please don't be complacent with the advice that you are giving people.


EuroTimmy, if you're worried about the condition of your installation and you want any assistance, I'll happily provide you with our server management services at no cost to thoroughly check your installation so that you know what has been affected.
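
The access-log check suggested in the thread, as an added example that is not part of any post here: it finds clients that sent POST requests during the 7-minute window seen in the Activity Log, then lists what those clients fetched afterwards and which of those paths were never requested before the window. It assumes Apache/nginx "combined" log format; the log lines, IP addresses, dates, paths and the names `parse`, `triage`, `START` and `END` are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log: documentation-range IPs, placeholder paths and dates.
SAMPLE_LOG = """\
198.51.100.20 - - [01/Jan/2020:09:00:00 +0000] "GET /billing/index.php HTTP/1.1" 200 4000 "-" "-"
203.0.113.7 - - [01/Jan/2020:10:01:00 +0000] "POST /billing/form-placeholder.php HTTP/1.1" 200 512 "-" "-"
198.51.100.20 - - [01/Jan/2020:10:03:00 +0000] "GET /billing/index.php HTTP/1.1" 200 4000 "-" "-"
203.0.113.7 - - [01/Jan/2020:10:05:30 +0000] "POST /billing/admin/placeholder.php HTTP/1.1" 200 300 "-" "-"
203.0.113.7 - - [01/Jan/2020:11:30:00 +0000] "GET /billing/uploads/placeholder-file.php?x=1 HTTP/1.1" 200 90 "-" "-"
203.0.113.7 - - [02/Jan/2020:03:00:00 +0000] "GET /billing/index.php HTTP/1.1" 200 4000 "-" "-"
"""

# Assumed incident window: 7 minutes, taken from the Activity Log timestamps.
START = datetime(2020, 1, 1, 10, 0, tzinfo=timezone.utc)
END = START + timedelta(minutes=7)

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse(log_text):
    """Yield (ip, time, method, path, status) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            path = m["path"].split("?")[0]  # compare paths without the query
            yield m["ip"], ts, m["method"], path, int(m["status"])

def triage(log_text, start, end):
    """Return (suspect IPs, their later successful requests, unseen paths)."""
    entries = list(parse(log_text))
    # Clients that submitted data while the rogue account was active.
    suspects = {ip for ip, ts, method, _, _ in entries
                if method == "POST" and start <= ts <= end}
    # Paths anyone requested before the incident: the known-good baseline.
    seen_before = {path for _, ts, _, path, _ in entries if ts < start}
    # Successful requests by the same clients after the window closed.
    later = [(ip, ts, path) for ip, ts, _, path, status in entries
             if ip in suspects and ts > end and status == 200]
    # Paths that first appear after the incident are candidates for files
    # placed during it and need checking on disk.
    new_paths = sorted({path for _, _, path in later} - seen_before)
    return suspects, later, new_paths

if __name__ == "__main__":
    suspects, later, new_paths = triage(SAMPLE_LOG, START, END)
    print("suspect clients:", sorted(suspects))
    print("paths to inspect on disk:", new_paths)
```

Any path it reports that still exists on disk is worth inspecting before trusting a database restore alone, and the same client list can be searched for in FTP and control-panel logs.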
