malfunction Posted October 21, 2013

WHMCS has two choices…

1. Sit down while someone who actually knows what they are doing thoroughly audits their code and coding practices, identifies the issues and comes up with a mitigation plan - in a hurry.
2. Do nothing and continue circling the bowl while more clients get hacked, before finally disappearing round the U-bend and going out of business.

Fixed it for you...
WorldWideWebDev Posted October 21, 2013

> if you people put into your OWN business the amount of bitching you do about WHMCS you would be rich....

Bitching in business doesn't make you rich. Hard work and care does. Substandard products destroy business. Bitching about the bitching adds to the bitching, and doesn't get anyone anywhere. Actually that's like listening to the radio and complaining you don't like the program. I'm sure there is a dial on a radio. Uhm
WorldWideWebDev Posted October 21, 2013

> maybe if you did not update to the ios7 junk you would have not had to worry...

Just out of curiosity, what has iOS7 junk got to do with WHMCS CODE?
Bartucxp Posted October 22, 2013 (edited)

Looking at the localhost blog page and shared codes, I assume they (WHMCS) thought "this is working fine and the code is encrypted, no one is going to exploit this code". Actually, that was the case for many years. Even script nullers didn't look into dbfunctions.php because it didn't contain any license-related functions. Vulnerabilities were hidden under the carpet until someone decided to look at what's under it. I mean, there is no other possibility: they just ignored security problems and thought no one was ever going to discover them. They just trusted some queries with some values; whenever people discovered that, WHMCS got hacked. What needs to be done here is that the code must be hardened, as it is very insecure right now; someone experienced and brilliant must examine all the code and modify it. I don't think these exploits are going to stop for a while.

Edited October 22, 2013 by Bartucxp
b0r3d Posted October 23, 2013

> if you people put into your OWN business the amount of bitching you do about WHMCS you would be rich....

Says the guy with nothing but negative posts: http://forum.whmcs.com/search.php?searchid=1218959

Does it amaze you that much that business owners are upset their bread and butter has to be taken offline each time, causing I wonder how much in lost sales and loyalty from current customers? You don't think current customers wonder why their host keeps taking down the billing platform? It looks bad and it is embarrassing. But, judging by how unsympathetic you sound to even these "bitching" customers, I wouldn't expect you to have a clue what it's like, because for any real business that has to pull their billing platform, which does include the ordering system and support system (for many), it can hurt their business drastically. And if it continues happening and these customers are still here, how about showing them a little more respect for showing loyalty to the software?
vec Posted October 23, 2013

> Just out of curiosity, what has iOS7 junk got to do with WHMCS CODE?

Nothing, it's just junk...
Blueberry3.14 Posted October 25, 2013

> Completely agree, WHMCS is playing with us, this is not a game and we are the only ones affected. WHMCS is the most hacked billing system in history.

WordPress is the "most hacked" open source blogging software/CMS. Know why? Because it's also the most popular. Same with WHMCS.
vec Posted October 25, 2013

> Says the guy with nothing but negative posts: http://forum.whmcs.com/search.php?searchid=1218959
>
> Does it amaze you that much that business owners are upset their bread and butter has to be taken offline each time, causing I wonder how much in lost sales and loyalty from current customers? You don't think current customers wonder why their host keeps taking down the billing platform? It looks bad and it is embarrassing. But, judging by how unsympathetic you sound to even these "bitching" customers, I wouldn't expect you to have a clue what it's like, because for any real business that has to pull their billing platform, which does include the ordering system and support system (for many), it can hurt their business drastically. And if it continues happening and these customers are still here, how about showing them a little more respect for showing loyalty to the software?

bla bla bla... you bitch more than anyone... get over it and let them fix it or go on to another one so we don't have to see ya...
WorldWideWebDev Posted October 25, 2013

Hey, Vec, I get it, you're just a pain in the butt. There really is nothing else that interests you apart from getting people fired up on the forums... lol
vec Posted October 25, 2013

I take it you are, as you posted about it...
kbdavis07 Posted October 25, 2013

Hi Everyone,

I know lately WHMCS has really been under attack, and looking at all of the hacking forums etc. they are really having a field day with how WHMCS coded the system. They know WHMCS will eventually come up with a fix that will make it harder on them, and while other sites are still unpatched they are trying to exploit as much as they can before everyone patches up and WHMCS fixes the overall issue. Because of this rush, lots of hacker teams are mounting massive attacks before the solution is found; in the knee-jerk reaction from WHMCS to these new attacks there are going to be mistakes on WHMCS's end, which these hackers are depending on. While this is happening there are going to be massive hacks, and they are not only going after WHMCS but other hosting billing systems etc.

What we can do as web hosting owners is band together like these hackers are doing; they are one big happy family right now. Instead of fighting each other or just pointing our fingers at WHMCS, we need to take an active role to help reduce these hacking effects from our end. There is a lot of stuff you can do to "harden" your server which does not involve WHMCS help or patching. Starting off with the very basics first:

1. http://docs.whmcs.com/Further_Security_Steps
2. Disable client editing of their account details; lock it all.
3. Use CloudFlare.
4. Set up very hard to crack passwords. Passwords under 10 chars can be broken with a hash cracker, so if you have a password like daksei2ls1 it will more likely not be cracked so easily. Mix it up with upper and lower case with special symbols like &^%*$#. I have tested a series of our WHMCS hashed passwords, and with an MD5 decoder lots of them can be cracked pretty easily.
5. Watch your server logs for "POST" activities.
6. Stay alert on what is going on with your server and database.
7. Report any hacks or attempts here with their IP address and user agent.

If anyone else has any additional tips please provide them. Let's be proactive on our end and make sure our end is protected to the best of our ability, while WHMCS is hopefully figuring out a more robust solution. More on that to come later.

Let's join together and defeat these hackers!!!!

Have a great day!

Brian Davis
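Tips 5 and 7 above (watch the logs for POST activity, report offenders with IP address and user agent) can be turned into a small script. The following is an added example written for this thread, not code from the post's author or from WHMCS: it parses Apache/nginx "combined" access-log lines, keeps only the POST requests, counts them per (client IP, user agent) pair, flags the noisy sources and separately lists POSTs that produced a server error. The log lines, the `/billing/...` paths and the threshold of 3 are all constructed placeholders for the example.

```python
import re
from collections import Counter

# Apache/nginx "combined" access log format. The regex and every sample line
# below are constructed for this example; the paths are placeholders, not
# real WHMCS file names.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SAMPLE_LOG = """\
203.0.113.5 - - [25/Oct/2013:10:01:02 +0000] "GET /billing/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.5 - - [25/Oct/2013:10:01:10 +0000] "POST /billing/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.77 - - [25/Oct/2013:10:02:00 +0000] "POST /billing/login.php HTTP/1.1" 200 812 "-" "python-requests/1.2.3"
198.51.100.77 - - [25/Oct/2013:10:02:01 +0000] "POST /billing/login.php HTTP/1.1" 200 812 "-" "python-requests/1.2.3"
198.51.100.77 - - [25/Oct/2013:10:02:02 +0000] "POST /billing/login.php HTTP/1.1" 200 812 "-" "python-requests/1.2.3"
198.51.100.77 - - [25/Oct/2013:10:02:03 +0000] "POST /billing/cart.php HTTP/1.1" 500 0 "-" "python-requests/1.2.3"
192.0.2.9 - - [25/Oct/2013:10:03:00 +0000] "GET /billing/knowledgebase.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
this line is deliberately malformed and must be skipped, not crash the parser
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def post_requests(entries):
    """Only the POST requests: the writes that can change data or trigger server-side code."""
    return [e for e in entries if e["method"] == "POST"]


def post_counts(entries):
    """Number of POSTs per (client IP, user agent) pair."""
    return Counter((e["ip"], e["ua"]) for e in post_requests(entries))


def flag_post_sources(entries, threshold=3):
    """(ip, user agent) pairs that sent at least `threshold` POSTs in this log slice.

    The threshold is a constructed starting point; tune it per site and
    window the log by time before relying on it.
    """
    return {k: n for k, n in post_counts(entries).items() if n >= threshold}


def post_server_errors(entries):
    """POSTs answered with a 5xx: a hint of a request the application could not handle."""
    return [e for e in post_requests(entries) if 500 <= e["status"] < 600]


def report_lines(entries, threshold=3):
    """One 'ip | user agent | count' line per flagged source, ready to paste into a report."""
    flagged = flag_post_sources(entries, threshold)
    return ["%s | %s | %d POSTs" % (ip, ua, n)
            for (ip, ua), n in sorted(flagged.items(), key=lambda kv: -kv[1])]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("parsed %d lines, %d POSTs" % (len(entries), len(post_requests(entries))))
    for line in report_lines(entries):
        print("flagged:", line)
    for e in post_server_errors(entries):
        print("5xx on POST:", e["ip"], e["path"], e["status"])
```

On the constructed sample the browser client that posted once to the login page is not flagged, while the scripted client that posted four times in four seconds is, and its failed POST to the cart page shows up in the server-error list. On a real server, read the live access log instead of `SAMPLE_LOG`, group by a time window rather than the whole file, and treat the user agent as a label for reporting, not as something a client cannot forge.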
gPowerHost Posted October 25, 2013

I'm focusing on mod_security to get through this. Live feeds and my own rules. I have just learned that WHMCS is somehow working with Atomic to provide an Atomic rules installer, but it is not ready yet. I hope it is not another fee-for-service thing like Two Factor Authentication. Just saying, I would not need the rules to be updated hourly and have about two dozen custom rules if the code were well thought out. But this is horribly frustrating because no sooner do I get a rule, the rule gets hit. We are talking minutes. Rules for new vectors, new attacks follow and are caught for those vectors. If it happens in reverse.... I have no time to attack anyone. This is my new personal nightmare. When will it end?

> [SNIP] If you are running WHMCS, in a month or so they will be offering an Atomicorp rules installer, this may be an option for you, but it is not available yet.
>
> Best regards
> Dan
> Atomicorp
b0r3d Posted October 25, 2013

> bla bla bla... you bitch more than anyone... get over it and let them fix it or go on to another one so we don't have to see ya...

Judging by your behavior I'll assume you're 16 or younger; any older would surprise me. You want to attack me, make sure you make sense doing it. These are upset customers and you're doing nothing but trying to get under their skin, mine included now. Grow up.
alinford Posted October 25, 2013

> I'm focusing on mod_security to get through this. Live feeds and my own rules. I have just learned that WHMCS is somehow working with Atomic to provide an Atomic rules installer, but it is not ready yet. I hope it is not another fee-for-service thing like Two Factor Authentication.

I assume this is going to be a pay service. If it is, then they will be running a protection racket. I really hope they look at this as a way to help their customers instead of bleed them.
IoxHost Posted October 25, 2013

> WordPress is the "most hacked" open source blogging software/CMS. Know why? Because it's also the most popular. Same with WHMCS.

Same with Windows and a Mac.
vec Posted October 26, 2013

> Judging by your behavior I'll assume you're 16 or younger; any older would surprise me. You want to attack me, make sure you make sense doing it. These are upset customers and you're doing nothing but trying to get under their skin, mine included now. Grow up.

What are you talking about... I think you should be the one growing up. You are the loser that attacked me with that moron post...

- - - Updated - - -

> Same with Windows and a Mac.

Linux is the most hacked.... look it up.
WHMCS Chris Posted October 26, 2013

Hey guys,

I'd like to see this thread get back on track. There's really no need to insult others. We hope that WHMCS' forums are a friendly place where users can seek assistance, discuss issues and ideas, and ultimately better themselves and their experiences in the web hosting industry from here. Please refrain from antagonistic and insulting behavior. This would apply to starters and responders. I hope we can all agree on this and move forward positively.
kbdavis07 Posted October 26, 2013

Hi Everyone,

I agree with WHMCS Chris; in times of crisis like these we need to band together and not fight each other. Look at the hacker communities: they are really close and helping each other out in destroying our businesses. Let's turn this around and band together to put a stop to this and make those who try to destroy our businesses pay. Our first round in doing this is hardening our WHMCS installs to help slow down and hopefully prevent any additional attacks. Next is to record and track these hackers and report them to the hosting providers, ISPs, and law enforcement agencies.

Together we stand, divided we fall.

Brian Davis
WHMCS Chris Posted October 26, 2013

Brian's got the right idea! We're doing our part, and you guys keep up doing what you guys do best!
twhiting9275 Posted October 26, 2013 (edited)

> We're doing our part

No you're not.

If you were 'doing your part', we wouldn't be having weekly critical security flaws that require our systems to be shut down for hours on end.

If you were 'doing your part', these wouldn't even have taken this long to fix.

If you were 'doing your part', you would be doing what you're obligated to do and fixing all versions of code that were messed up by your organization. This isn't a simple bug here, these are critical vulnerabilities.

If you were 'doing your part', then you would have had a professional audit of your code done by now and posted the results.

If you were 'doing your part', then the person responsible for this childish, unprofessional code would no longer be a part of the company. I know exactly who is responsible for this, and yes, he's still around.

You're not doing your part here, you're just hoping you can brush this all under the carpet again, hoping we won't notice it. Same old, same old disgusting behavior from WHMCS that we've seen for the past number of years.

Edited October 26, 2013 by twhiting9275
WHMCS Chris Posted October 26, 2013

> No you're not.
>
> If you were 'doing your part', we wouldn't be having weekly critical security flaws that require our systems to be shut down for hours on end.
>
> If you were 'doing your part', these wouldn't even have taken this long to fix.
>
> If you were 'doing your part', you would be doing what you're obligated to do and fixing all versions of code that were messed up by your organization. This isn't a simple bug here, these are critical vulnerabilities.
>
> If you were 'doing your part', then you would have had a professional audit of your code done by now and posted the results.
>
> If you were 'doing your part', then the person responsible for this childish, unprofessional code would no longer be a part of the company. I know exactly who is responsible for this, and yes, he's still around.
>
> You're not doing your part here, you're just hoping you can brush this all under the carpet again, hoping we won't notice it. Same old, same old disgusting behavior from WHMCS that we've seen for the past number of years.

Hello,

Responding in sections here:

> If you were 'doing your part', we wouldn't be having weekly critical security flaws that require our systems to be shut down for hours on end.

You do realize that it's multiple vulnerabilities in a code base and that each of these incremental versions has had to be released to redact them as they're published, as there is not sufficient time between these public disclosures to look at and address other potentials on a grander scale, right? The individual is publishing these one by one for a reason; if they had all been disclosed at a single time it would have been one update. Not several.

> If you were 'doing your part', these wouldn't even have taken this long to fix.

We've released updates within 8 hours, and in some cases less than that, for each public disclosure. Can you elaborate on how long you would expect to release these updates?

> If you were 'doing your part', you would be doing what you're obligated to do and fixing all versions of code that were messed up by your organization. This isn't a simple bug here, these are critical vulnerabilities.

I believe this is already answered in the software updates, releases, and answers above. However, we are addressing all versions affected that are in the LTS policy. Is there a specific version you think that we're missing? docs.whmcs.com/Long_Term_Support#WHMCS_Version_.26_LTS_Schedule

> If you were 'doing your part', then you would have had a professional audit of your code done by now and posted the results.

Are you of absolute information that we've never had this done before? Most companies do this, however it's rarely public knowledge. Only one company I can think of has ever done that.

> If you were 'doing your part', then the person responsible for this childish, unprofessional code would no longer be a part of the company. I know exactly who is responsible for this, and yes, he's still around.

I think that's a brash action to take in any organization.

> You're not doing your part here, you're just hoping you can brush this all under the carpet again, hoping we won't notice it. Same old, same old disgusting behavior from WHMCS that we've seen for the past number of years.

If that were the case, updates likely wouldn't be provided as quickly. We wouldn't be doing internal audits (changelog.whmcs.com), and we wouldn't be here answering your questions. I understand your frustration, believe me I do; however, I'm not sure that making accusations or falsities is the correct approach.
hapless Posted October 26, 2013

Sorry Chris, going to stand up for twhiting9275 here...

As a very inexperienced user of Linux, cPanel, WHM and reselling (although I've sold to and supported my customers since 2003), WHMCS has played a critical part in growth over the last couple of years. I am amazed at more than a few things, but the highlights for me are:

The complete lack of a genuine, honest response from any senior staff at WHMCS or their partner cPanel. You have thousands of users all crying out for answers, feedback and that old chestnut, responsibility, along with a timeline for when that huge gaping barn door might at least be pushed to. So far all that's been said is that you hold old matey boy in contempt for publishing these vulnerabilities without giving you a chance to check them first. Based on what I've seen from some of the technically sharper folks on here and elsewhere, the code that has been exposed is a fine example of how not to code, and for that I'm grateful to the community. Without old matey publicly highlighting the blatant inefficiencies and poor security coding practices, 99% of us would not be any the wiser and WHMCS would have carried on until such time as it became too obvious to anyone with a lesser moral stance than old matey. What damage may have resulted then?

Security Audit - this goes hand in hand with contingency planning; we all saw the result of this with the HG saga and the licencing fiasco. You allude to it in your response to twhiting9275 above, but can you honestly say, with your hand on heart, on a public forum, that WHMCS has undergone an independent and complete audit of all code within WHMCS? I'll answer this now for you - no. Your response reminds me of my children when they've been caught out: "ah, but how do you know I haven't walked the dog, you were out".

After everything that has gone on in the last month or so, you expect us to trust you, with something that hides behind encryption?!! Thanks for treating us like adults!
twhiting9275 Posted October 26, 2013

> You do realize that it's multiple vulnerabilities in a code base and that each of these incremental versions has had to be released to redact them as they're published, as there is not sufficient time between these public disclosures to look at and address other potentials on a grander scale, right? The individual is publishing these one by one for a reason; if they had all been disclosed at a single time it would have been one update. Not several.

Therein lies the problem, RIGHT THERE. You (WHMCS) wait for these glaringly obvious vulnerabilities to be reported, rather than proactively fixing them.

> We've released updates within 8 hours, and in some cases less than that, for each public disclosure. Can you elaborate on how long you would expect to release these updates?

Try closer to 12-13, and with the TEAM of cPanel and WHMCS this is still an unacceptable timeframe, especially when your clients are required to keep things shut down during these.

> However, we are addressing all versions affected that are in the LTS policy.

This has nothing, and I do mean nothing, to do with LTS. This has everything to do with your code and responsibilities here. These injections aren't bugs, they are critical security vulnerabilities; they have been in the system since day 1 and were put in there by your company. You are obligated to fix these issues from the beginning. You can take the cheap way out and hide behind some pathetic LTS all you want, but the reality is that you and your company have created massive security flaws, and you're not fixing them.

> Are you of absolute information that we've never had this done before? Most companies do this, however it's rarely public knowledge. Only one company I can think of has ever done that.

I know for a fact it's never been done. If it had been done, these issues that have existed since day one would no longer be in the system. End of story.

> I think that's a brash action to take in any organization.

Firing someone for gross incompetence is hardly a brash action. That's exactly what we have here: utter and gross incompetence that we've seen for the past 7 years, and that you've tried to cover up for said time. This isn't your first vulnerability, it's not even your 2nd or third. At this point you're well into the double digits now, and you're spitting in the face of your clients by refusing to actually address the problem promptly. In typical WHMCS fashion, you brush it under the carpet, send out the snake oil salesman and then expect we'll all forget about it. Not this time, and if this hacker has any guts, he (or she) won't either.

The fact is that you cannot continue to act like you have been. I know for certain that no audit was conducted, and you can't deny it. Sure, you can try to lie about it and say it has, but reality says differently.
WHMCS Chris Posted October 26, 2013

> Therein lies the problem, RIGHT THERE. You (WHMCS) wait for these glaringly obvious vulnerabilities to be reported, rather than proactively fixing them.

This is an assumption that every security release contains only updates to thwart publicly disclosed issues. In fact it does not.

> Try closer to 12-13, and with the TEAM of cPanel and WHMCS this is still an unacceptable timeframe, especially when your clients are required to keep things shut down during these.

WHMCS is a completely separate company from cPanel. Their Perl development staff has no hands inside WHMCS. Stating that cPanel is responsible is not accurate.

> This has nothing, and I do mean nothing, to do with LTS. This has everything to do with your code and responsibilities here. These injections aren't bugs, they are critical security vulnerabilities; they have been in the system since day 1 and were put in there by your company. You are obligated to fix these issues from the beginning. You can take the cheap way out and hide behind some pathetic LTS all you want, but the reality is that you and your company have created massive security flaws, and you're not fixing them.

http://changelog.whmcs.com -> You can review the updates showing that they are being fixed both retroactively and proactively. There is no hiding behind an LTS. However, every software company has to deprecate a version to be able to move forward. Imagine how long it would take to release a software update if we had to maintain 4 or more versions.

> I know for a fact it's never been done. If it had been done, these issues that have existed since day one would no longer be in the system. End of story.

This is completely inaccurate, as I just spoke with the company who performed the last one this week.

> This isn't your first vulnerability, it's not even your 2nd or third.

I'm not certain a software has been introduced that has never had an issue, let alone only a single one.

I'm in no way attempting to down-play the issues; they're critical, and are being addressed as such. A public statement will be made within the next few days to address a lot of these questions.
vec Posted October 26, 2013

> Sorry Chris, going to stand up for twhiting9275 here...
>
> As a very inexperienced user of Linux, cPanel, WHM and reselling (although I've sold to and supported my customers since 2003), WHMCS has played a critical part in growth over the last couple of years. I am amazed at more than a few things, but the highlights for me are:
>
> The complete lack of a genuine, honest response from any senior staff at WHMCS or their partner cPanel. You have thousands of users all crying out for answers, feedback and that old chestnut, responsibility, along with a timeline for when that huge gaping barn door might at least be pushed to. So far all that's been said is that you hold old matey boy in contempt for publishing these vulnerabilities without giving you a chance to check them first. Based on what I've seen from some of the technically sharper folks on here and elsewhere, the code that has been exposed is a fine example of how not to code, and for that I'm grateful to the community. Without old matey publicly highlighting the blatant inefficiencies and poor security coding practices, 99% of us would not be any the wiser and WHMCS would have carried on until such time as it became too obvious to anyone with a lesser moral stance than old matey. What damage may have resulted then?
>
> Security Audit - this goes hand in hand with contingency planning; we all saw the result of this with the HG saga and the licencing fiasco. You allude to it in your response to twhiting9275 above, but can you honestly say, with your hand on heart, on a public forum, that WHMCS has undergone an independent and complete audit of all code within WHMCS? I'll answer this now for you - no. Your response reminds me of my children when they've been caught out: "ah, but how do you know I haven't walked the dog, you were out".
>
> After everything that has gone on in the last month or so, you expect us to trust you, with something that hides behind encryption?!! Thanks for treating us like adults!

So you are new to EVERYTHING, but you want to yell about something you clearly know nothing about...