
October 3rd 2013 Security Patch Follow Up



There seems to be a lack of detailed intel regarding the recent SQL injection attack affecting WHMCS 5.1 (prior to 5.2.8) & 5.2 (prior to 5.1.10). E.g., the post "October 3rd 2013 Security Patch Follow Up" poses the question "How do I know if I was affected?" but then completely fails to answer the question with any authority:


How do I know if I was affected?

It is usually possible to tell if you have been affected by this, or had it attempted on your installation, based on the "WHMCS User Details Change" email notification. This is the email sent any time a client updates their profile details via the client area... In this email if you see any new field values that start "AES_ENCRYPT" (without the quote marks) then the exploit has been attempted on your installation.


Another way to check is via the Activity Log. This can be accessed via the admin area by navigating to Utilities > Logs > Activity Log. Again here you're looking for any references that contain the keyword "AES_ENCRYPT". If you see them, then somebody has attempted to use the exploit on your system.


Of course, someone attempting to use the exploit does NOT inherently mean it was successful. If the time of the attempt was after you applied the patch then the exploit will have failed; at most the attacker would only be able to alter details of their own, dummy, account.


If the attempted exploit occurred prior to implementing the security patch, this alone does not indicate that your system was compromised any further than the information disclosure.


In the published exploit example, the scripted behavior is to retrieve the admin user password hashes. These password hashes, in themselves, are not sufficient to allow the attacker to authenticate into your admin area. The attacker must find the text which equates to the same hash value as your password.

So the question remains unanswered (i.e., "How do I know if I was affected?") as does the $64M question: "What should I do if I believe that my system has been compromised?"


Thoughts? Ideas? Suggestions? Let's get some actionable, measurable ideas going here instead of the usual hyperbole, hand-wringing, and speculation that we're all used to on other forums. e.g.,


  1. How do I know if my system was compromised?
  2. What leverage will the attacker have gained if my system was compromised?
  3. What should I do if my system was compromised?

Edited by epretorious
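
Added example, not part of the original post or of WHMCS's own code: a triage of the two checks in the quoted follow-up, searching Activity Log entries for "AES_ENCRYPT" and comparing each hit with the time the patch was applied. The CSV export layout, the sample rows and the patch time are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime

KEYWORD = "AES_ENCRYPT"  # indicator named in the quoted WHMCS follow-up

# Constructed sample: an assumed CSV export of the Activity Log.
# Column names and row contents are hypothetical; field values are elided.
SAMPLE_LOG = """date,user,ip,description
2013-10-02 22:14:05,client7,203.0.113.5,"Client Profile Modified - First Name: 'Bob' to 'AES_ENCRYPT(<elided>)'"
2013-10-03 09:30:11,client2,198.51.100.9,"Client Profile Modified - City: 'Leeds' to 'York'"
2013-10-04 01:02:03,client9,203.0.113.5,"Client Profile Modified - Last Name: 'X' to 'aes_encrypt(<elided>)'"
"""


def triage(log_text, patched_at):
    """Return (pre_patch, post_patch) rows whose description contains KEYWORD."""
    pre, post = [], []
    for row in csv.DictReader(io.StringIO(log_text)):
        # Match case-insensitively: MySQL function names are not case-sensitive.
        if KEYWORD not in row["description"].upper():
            continue
        when = datetime.strptime(row["date"], "%Y-%m-%d %H:%M:%S")
        (pre if when < patched_at else post).append(row)
    return pre, post


def report(log_text, patched_at):
    """Format one line per hit, labelled by its timing relative to the patch."""
    pre, post = triage(log_text, patched_at)
    labelled = (
        ("BEFORE patch (possible information disclosure)", pre),
        ("AFTER patch (attempt should have failed)", post),
    )
    return [
        f"{label}: {r['date']} user={r['user']} ip={r['ip']}"
        for label, rows in labelled
        for r in rows
    ]


if __name__ == "__main__":
    # Assumed patch time; replace with when the patch was actually applied.
    for line in report(SAMPLE_LOG, datetime(2013, 10, 3, 18, 0, 0)):
        print(line)
```

Hits dated before the patch are the ones the quoted follow-up treats as possible information disclosure; the same keyword search applies to saved "WHMCS User Details Change" notification emails.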