Hacking Incident


WorldWideWebDev

Hi neilstudy. No, I haven't done what you mentioned. Where can I get info about doing that? That seems like one way of locking it up.

 

There's a link to "recommended further security steps" posted in the latest article on the blog:

http://blog.whmcs.com/?t=79527

That link takes you to the WHMCS Documentation:

http://docs.whmcs.com/Further_Security_Steps


Have you tried locking your admin down to IPs in the .htaccess file or setting an HTPASSWD on the admin directory?

 

I've restricted access to the WHMCS admin directory from Day #1. It's a nice bit of peace of mind to have.

 

BTW: I highly recommend using MD5 Digest authentication method over Basic Authentication. There used to be a very good tutorial on mod_auth & mod_auth_digest available on the UCB Open Computing Facility Wiki but it's currently unavailable. Try this one from Widexl instead:

 

Basic Authentication allows you to restrict access by looking up users in plain text password files. This is not a really secure password system, because the username and password are sent as plain text through the Internet. And the passwords in the password file are encrypted with basic Unix crypt, which is not so difficult to crack. But it's still the most common password protection on the internet.

 

MD5 Digest authentication provides a more secure password system than Basic authentication, but only works with supporting browsers.

HTH,

Edited by epretorious
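As an added illustration of the Basic-versus-Digest point made above (example code written for this page, not taken from the Widexl tutorial, the thread, or WHMCS), the Python below computes what each scheme actually puts on the wire and what the server has to store. The htdigest file layout (user:realm:MD5(user:realm:password)) and the RFC 2617 response formula without qop are the real ones; the user name, realm, password and nonce are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample values (not from the thread): a user, the realm Apache
# would send in its challenge, and one server-chosen nonce.
USER = "admin"
REALM = "WHMCS Admin"
PASSWORD = "correct horse battery"
NONCE = "3f2a9c1d7e4b5a60"


def basic_header(user, password):
    """The Authorization header a browser sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def recover_basic_credentials(header):
    """Anything that sees the header (proxy, log file, sniffer) gets the password back."""
    token = header.split(" ", 1)[1]
    user, password = base64.b64decode(token).decode().split(":", 1)
    return user, password


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def htdigest_entry(user, realm, password):
    """Line format of Apache's htdigest file: user:realm:MD5(user:realm:password).
    The server stores this HA1 value, never the cleartext password."""
    return f"{user}:{realm}:{md5_hex(f'{user}:{realm}:{password}')}"


def digest_response(user, realm, password, method, uri, nonce):
    """Client side of RFC 2617 Digest without qop: MD5(HA1:nonce:HA2).
    Only this hash travels over the network; the password itself does not."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def verify_digest(entry, method, uri, nonce, response):
    """Server side: recompute the expected response from the stored HA1 only.
    A response captured under another nonce, method or URI does not verify."""
    _user, _realm, ha1 = entry.split(":", 2)
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{ha1}:{nonce}:{ha2}")
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    print("Basic header leaks:", recover_basic_credentials(basic_header(USER, PASSWORD)))
    entry = htdigest_entry(USER, REALM, PASSWORD)
    resp = digest_response(USER, REALM, PASSWORD, "GET", "/admin/", NONCE)
    print("htdigest line:", entry)
    print("digest response:", resp, "verifies:", verify_digest(entry, "GET", "/admin/", NONCE, resp))
```

Digest keeps the cleartext password off the wire and out of the server-side file, and a captured response is bound to the server's nonce, method and URI. It still hashes with MD5 and protects nothing else in the request, so it complements TLS and the IP restriction on the admin directory rather than replacing either. On Apache the matching directives are AuthType Digest, AuthName (the realm), AuthDigestProvider file, AuthUserFile pointing at the htdigest file, and Require valid-user.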

No need to install ha-proxy

 

in .htaccess

 

# Apache 2.2 syntax: evaluate deny rules first, then allow rules
order deny,allow
# deny every client ...
deny from all
# ... except this address (replace 1.2.3.4 with your own IP)
allow from 1.2.3.4

Excellent. Well, at least the potential hacker has made it to your Apache instance. No flames, but I am sure it would be better to neutralise as close to your perimeter as possible.

Excellent. Well, at least the potential hacker has made it to your Apache instance. No flames, but I am sure it would be better to neutralise as close to your perimeter as possible.

 

So, you say you don't want to block the IP in Apache even if you can. If for any reason the attacker can connect to Apache, eluding ha-proxy, then you have no measure against him.

 

I don't see a problem with users (all users are potential hackers) connecting to Apache instances; this business is all about it :-). The real problem is software that can be exploited, and WHMCS history is prolific in attacks.

 

The worst thing is the OP said that the attacker got his MD5 pass that was changed after it was patched, and nobody is focusing on that.

 

That is a SQL injection; check the exploit. This has nothing to do with executing arbitrary PHP code on the victim's server. If it's true that WHMCS is still vulnerable AFTER the patch, then everybody here is at risk.


The worst thing is the OP said that attacker got his md5 pass that was changed after it was patched, and nobody is focusing on that.
It was suggested he was backdoored at the time of the first issue. No one here has access to check that, so without someone confirming it was the same thing, that's what I'm assuming. If it was fully patched and everything freshly uploaded, with no files left anywhere in his entire site and no suspect email forwards and so on, that's something else.

 

I'd be willing to bet it was something left over, personally. If not, there would likely be more reports. His is the only one I've seen, anywhere, that states they were hit after patching.

if it's true that whmcs is still vulnerable AFTER the patch then everybody here is at risk.

I strongly doubt that's the case here.


It was suggested he was backdoored at the time of the first issue. No one here has access to check that, so without someone confirming it was the same thing, that's what I'm assuming. If it was fully patched and everything freshly uploaded, with no files left anywhere in his entire site and no suspect email forwards and so on, that's something else.

 

I'd be willing to bet it was something left over, personally. If not, there would likely be more reports. His is the only one I've seen, anywhere, that states they were hit after patching.

 

I strongly doubt that's the case here.

 

But the SQL injection attack only gets information from the database; it doesn't execute arbitrary PHP code on the server. Without that, how could a backdoor be introduced with SQL injection?


But the SQL injection attack only gets information from the database; it doesn't execute arbitrary PHP code on the server. Without that, how could a backdoor be introduced with SQL injection?

That's just the most visible action they take; and it leaves an easily identifiable trace. This flaw trusted data that included that line about "AES", so things were passed that included it, and the user details change was not the only method they'd tried and apparently succeeded in using. Password change was one I recall reading.

 

I saw another report of someone that had files uploaded (which probably included shell scripts), another that had an admin account compromised or created, and still others that had data altered in the database. An SQL injection is a way into the database, and not just to pull data; it may also be possible to add some. The most commonly reported attack included a partial dump of some data, but that doesn't mean it was the only attack. It was just the easiest to spot. ;)


if it's true that whmcs is still vulnerable AFTER the patch then everybody here is at risk.

 

<snip>

 

I strongly doubt that's the case here.

 

 

Isn't there another new vulnerability that is currently being investigated?

 

http://www.webhostingtalk.com/showpost.php?p=8880279&postcount=4

http://www.webhostingtalk.com/showthread.php?t=1309491&page=14


I like his styles and a prayer to boot..

 

psalm91
Web Hosting Guru

Screen capture this!

__________________

Treat your password like your toothbrush. Don't let anybody else use it, and get a new one every six months. Saint Michael the Archangel, defend us in battle; be our protection against the wickedness and snares of the devil. May God rebuke him, we humbly pray; and do thou, O Prince of the heavenly host, by the power of God, thrust into hell Satan and the other evil spirits who prowl about the world seeking the ruin of souls. Amen.


That's just the most visible action they take; and it leaves an easily identifiable trace. This flaw trusted data that included that line about "AES", so things were passed that included it, and the user details change was not the only method they'd tried and apparently succeeded in using. Password change was one I recall reading.

 

I saw another report of someone that had files uploaded (which probably included shell scripts), another that had an admin account compromised or created, and still others that had data altered in the database. An SQL injection is a way into the database, and not just to pull data; it may also be possible to add some. The most commonly reported attack included a partial dump of some data, but that doesn't mean it was the only attack. It was just the easiest to spot. ;)

 

SQL injection only gets or modifies the database; it doesn't execute PHP code.

 

The exploit is easy to find; download it and check what it does. It doesn't upload anything.


SQL injection only gets or modifies the database; it doesn't execute PHP code.
It can be used for a lot of different things. If you think you're safe because it "only" does the above, you're not.

Go read the exploit page. This is on it:

"This opens up a lot of other holes, for example we can write to /configuration.php whatever we want (PHP code included)"

The exploit is easy to find; download it and check what it does. It doesn't upload anything.

What makes you think that's the only exploit code/script out there? I'd bet it's not.

Edited by bear
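Several posts above turn on whether anything was left behind on the server: bear's point that the flaw could write to configuration.php, and the earlier suggestion that the OP was still carrying something from the first compromise. The defender's check for that is a file-integrity baseline taken from a known-clean install. The script below is an added example written for this page (not WHMCS's code and not from the thread): it records SHA-256 hashes of every file under a tree, stores them away from the web root, and later reports modified, added and removed files. The directory layout and file contents inside demo() are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of one file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map every regular file under root (relative POSIX path) to its hash."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): hash_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def compare(baseline, current):
    """Return (modified, added, removed) file lists relative to the baseline."""
    modified = sorted(f for f in baseline if f in current and baseline[f] != current[f])
    added = sorted(f for f in current if f not in baseline)
    removed = sorted(f for f in baseline if f not in current)
    return modified, added, removed


def save_baseline(baseline, path):
    """Store the baseline as JSON; keep this file outside the web root so a
    write into the site tree cannot also rewrite the baseline."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: baseline a small install, then simulate the changes
    the thread worries about (configuration.php rewritten, a new file dropped
    into the tree, an original file gone) and report them."""
    with tempfile.TemporaryDirectory() as site_dir, tempfile.TemporaryDirectory() as store_dir:
        site = Path(site_dir)
        (site / "includes").mkdir()
        (site / "configuration.php").write_text("<?php\n$db_host = 'localhost';\n")
        (site / "includes" / "functions.php").write_text("<?php\n// helpers\n")

        baseline_path = Path(store_dir) / "baseline.json"
        save_baseline(snapshot(site), baseline_path)

        # Changes made after the baseline was taken (constructed, not real content)
        (site / "configuration.php").write_text("<?php\n$db_host = 'localhost';\n// extra line\n")
        (site / "includes" / "unexpected.php").write_text("<?php\n// not part of the install\n")
        (site / "includes" / "functions.php").unlink()

        return compare(load_baseline(baseline_path), snapshot(site))


if __name__ == "__main__":
    modified, added, removed = demo()
    print("modified:", modified)
    print("added:", added)
    print("removed:", removed)
```

Run snapshot() against a freshly uploaded, patched copy and save the result before the site goes back online; a later compare() that lists configuration.php as modified, or any .php file as added, is the signal the thread's "freshly uploaded, with no files left anywhere" advice is asking you to look for. Hashes from the vendor's release archive can stand in as the baseline for the files it ships.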

Just got the email.

 

 

WHMCS has released new patches for the 5.2 and 5.1 minor releases. These updates provide targeted changes to address security concerns with the WHMCS product. You are highly encouraged to update immediately.

 

Sorry to say but WHMCS su****


Another security issue... WHMCS needs to do a security audit big time!

 

EDIT: Did forum passwords just get reset? I got an email saying mine has been reset...

 

Please send that email to me via private message here on the forums, I'd like to see it if you don't mind.

 

Thanks

