SQL Injection Attack: Immediate Response?

[epretorious]

Like a lot of us (I'm sure), I've been receiving the dreaded "WHMCS User Details Change" email notification (described in the WHMCS Blog post "October 3rd 2013 Security Patch Follow Up").

 

I've received eight ( "WHMCS User Details Change" messages that match the profile:

 

Client ID: 28 - 1:admin:administrative@rocket-powered.com:6545cbaab3eb88da131a16211b3faaa1 dasher has requested to change his/her details as indicated below:

First Name: '1:admin:administrative@rocket-powered.com:6545cbaab3eb88da131a16211b3faaa1' to 'AES_ENCRYPT(1,1), firstname=(SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tblcustomfieldsvalues)'

However:

• There are only seven (7) entries in the activitiy log (Utilities > Logs > Activity Log) that match the profile.
  

  Client Profile Modified - First Name: '1:admin:administrative@rocket-powered.com:6545cbaab3eb88da131a16211b3faaa1' to 'AES_ENCRYPT(1,1), firstname=(SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tblcustomfieldsvalues)', Default Payment Method: '' to '' - User ID: 28

  
  

• All eight "WHMCS User Details Change" messages and all seven log entries relate to TWO (2) of the bogus USERID's that were created in the past week. i.e., There have been FOUR (4) bogus USERID's created in the past week for which I did NOT receive "WHMCS User Details Change" messages. And there are NO log entries that relate to those FOUR bogus USERID's.

 

Does this mean that my installation has been compromised? i.e., I read somewhere that the absence of log entries was a bad sign.

[bear]

Details changes are not the only attack vector for that exploit. Password resets, and really anything that allows POST and interacts with the database is a potential avenue for this. If you were patched/upgraded before these began, WHMCS blog posts and staff state you're safe.

[Wabun]

I had one customer ordered a server, whilst he would never do so, I contacted him to found out that he did not order this of course. Great another hack, and I HAD EVERYTHING PATCH ALL THE TIME.

No one is safe, this must be the most un-secure software out in the whole automation sector, be warned ALL of YOU!!!

[epretorious]

Details changes are not the only attack vector for that exploit. Password resets, and really anything that allows POST and interacts with the database is a potential avenue for this. If you were patched/upgraded before these began, WHMCS blog posts and staff state you're safe.

 

Five of the six new (i.e., bogus) accounts were created before I applied the patch.

 

Where can I find out more about determining if my installation has been compromised?

[bear]

The following is just opinion, but how I'd see your situation if it was me:

 

I'd suggest you need to go on the assumption that you were. The "detail change" logs you show include the admin email, username and hashed pass. One of them shows they were also looking for custom field values, so they were trolling your install for anything it could make it reveal.

 

I'd say the odds are good they got at least some of what they were looking for, and you should treat every password in that system as at risk and in need of immediate change. Customers, servers, registrars and payment gateways. All of it. I don't know if WHMCS support can assist you in looking into the issue, but if it was me I'd ask. They might at least have some suggestions on what to look for.

Odds are you would need a security expert to log in and see if anything else was going on, but that could get expensive.

 

- - - Updated - - -

 

I had one customer ordered a server, whilst he would never do so, I contacted him to found out that he did not order this of course. Great another hack, and I HAD EVERYTHING PATCH ALL THE TIME.

And you're certain this user's email or computer being compromised wasn't the source of that order? You really shouldn't blame everything on WHMCS unless you're sure there was no other way and have something to back that up at least. It isn't fair to instantly accuse this software....

[epretorious]

...I HAD EVERYTHING PATCH ALL THE TIME.

 

Yeah, I received this e-mail two days after I patched WHMCS to 5.2.8:

 

hello admin i just could get data from your database using a WHMCS SQL inejection via python script ,

DATA from admin table: admin:administrative@rocket-powered.com:79df6ade1bccf3e3fbdd123a9e11c29d

 

Please contact me )

The tuple contains the MD5 hash of the new password that I'd set twentyfour hours after I'd patched WHMCS!

 

WTF?!

[bear]

Perhaps the original hack left a back door. If you kept the files in the site the same, and only patched, it's possible they added some files or another login or something while you were vulnerable. It shouldn't be possible using that same hack, if it's patched properly and you cleaned up after.

[Wabun]

Why is everyone trying to defend WHMcs, I told you it is unsafe.... How many will not say they have been hacked as well, shouldn't we get value for our money and get this tool secure?

 

Anyway, I can't mass email my users as it won't work, and some are even worse off when reading up here in the forum.

Edited October 15, 2013 by Wabun

[innovot]

We have just purchased WHMCS so very keen to see if they respond to this otherwise may have to invoke the 30 day refund! Not a good start to something that looks extremelly promising.

[Wabun]

Get a refund and go for AWBS.

[vec]

AWBS... I hope you are joking... get a clue

[zoilodiaz]

Get a refund and go for AWBS.

 

if you are going to move, move to clientexec not AWBS

[Alex - Arvixe]

Yeah, I received this e-mail two days after I patched WHMCS to 5.2.8:

 

 

The tuple contains the MD5 hash of the new password that I'd set twentyfour hours after I'd patched WHMCS!

 

WTF?!

 

Looks like you was previously compromised and a back door was added to your system. You need to get that sorted as a #1 priority at this stage.

 

Get a refund and go for AWBS.

 

I'd guess that the only reason we don't see AWBS security issues going wild because their would be like 10 active installations and so isn't a big target . Overall though AWBS isn't being updated so you would get outdated modules, no security updates should something ever come up (Hey, atleast WHMCS fixes things quickly depending on its severity - Can't say the same for AWBS).

 

if you are going to move, move to clientexec not AWBS

 

My vote would be on Blesta at this stage, then again I haven't played with ClientExec v5 and would love to play with that once it is out .

[innovot]

Now that I have stepped on my little soap box, stood back, and thought then the same issues are applicable to all online billing systems. Have spent a while working with WHMCS and it is extremely powerful; so one step forward. Though the security issues do concern us; one step backwards. Do WHMCS work with the ModSecurity team at all ? and I wonder for SQL injections how well http://www.greensql.com would help to stop them.

[WorldWideWebDev]

Its time to go DEFCON 5......

[bear]

Its time to go DEFCON 5......

So you're more relaxed now, then? DEFCON 5 is "all is well"....

 

As for mod security, those running the Atomic paid rules (from got root) claim this was caught even without patching, and there have been some specific rules created externally that help mitigate this one also. Though I've patched/upgraded, I also added the rule that blocks this specific one and can say it works, as long as you have mod_sec checking POST contents. Steven at Rack911 had posted this one:

SecRule REQUEST_URI|ARGS|REQUEST_BODY "AES_ENCRYPT" "id:00100,phase:4,t:urlDecodeUni,log,deny,msg:'WHMCS'"

[Wabun]

Why is that a Joke?

 

AWBS... I hope you are joking... get a clue

[epretorious]

Yeah, I received this e-mail two days after I patched WHMCS to 5.2.8:

 

 

The tuple contains the MD5 hash of the new password that I'd set twentyfour hours after I'd patched WHMCS!

 

WTF?!

Looks like you was previously compromised and a back door was added to your system. You need to get that sorted as a #1 priority at this stage.

 

FTR: I applied the patch incorrectly.

 

CORRECTIVE ACTION: After backing up the whmcs directory, I removed the entire installation and re-installed from source; restored the configuration.php file and and modified templates; reset my admin password manually, and; re-installed the various modules.

[ocosa]

I had one customer ordered a server, whilst he would never do so, I contacted him to found out that he did not order this of course. Great another hack, and I HAD EVERYTHING PATCH ALL THE TIME.

No one is safe, this must be the most un-secure software out in the whole automation sector, be warned ALL of YOU!!!

 

Or it could have been your customer was compromised with led you to be because of the exploit in WHMCS.