Xoolon (October 21, 2013):
I couldn't get into my WHMCS install today, and had to reset the key. When I got in I could see an unrecognised login 24 hours ago, with no IP address shown. I downloaded the access logs and looked at this time, and can see it's an IP address assigned to Lagos, Nigeria... not a good start. The relevant lines are attached (accesslog.txt). Looks like they reference a password-cracking service on the first line? 20 seconds later, admin login screens, and what appears to be access to several config screens. Can anyone tell how bad this is? I have changed the admin directory name and reset my password to a strong one. What else might have been compromised?
bear (October 21, 2013, edited):
It looks like they obtained admin access. Any info in there should be considered compromised. It also looks like they were trying to add a download, possibly a hacking tool or shell script of some sort.
"GET /downloads/2.php HTTP/1.1" 404
This implies they hadn't succeeded yet. (removed, realizing it's not 5.2.9 or 10)
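The kind of access-log triage Xoolon and bear are doing by hand (find the unrecognised address, its admin-area requests, and the /downloads/ PHP request that came back 404) can be scripted. The following Python is an added example, not code from the thread or from WHMCS; the log lines, the RFC 5737 addresses and the /admin/ path are constructed assumptions, and admin_dir should be set to the (renamed) admin directory of the install being examined.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache "combined" format (RFC 5737 documentation addresses,
# not real visitors). One host browses normally; the other hits the admin area,
# logs in, opens a config screen, then requests a PHP file under /downloads/.
SAMPLE_LOG = """\
198.51.100.7 - - [20/Oct/2013:09:14:02 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Oct/2013:09:31:10 +0100] "GET /admin/login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Oct/2013:09:31:30 +0100] "POST /admin/dologin.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Oct/2013:09:31:45 +0100] "GET /admin/configgeneral.php HTTP/1.1" 200 9800 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Oct/2013:09:33:02 +0100] "GET /downloads/2.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Oct/2013:09:40:00 +0100] "GET /clientarea.php HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

# ip ident user [timestamp] "METHOD path protocol" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string before path matching
    return rec


def triage(log_text, admin_dir="/admin/"):
    """Summarise activity per client IP. admin_dir is the admin path of the
    installation being examined; "/admin/" is only the assumed default."""
    per_ip = defaultdict(lambda: {"requests": 0, "admin_hits": 0, "admin_posts": 0,
                                  "script_probes": [], "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
        if rec["path"].startswith(admin_dir):
            s["admin_hits"] += 1
            if rec["method"] == "POST":      # a POST to the admin area is a login or a config change
                s["admin_posts"] += 1
        # A PHP file requested under /downloads/ means someone is looking for, or has
        # planted, a script in a directory that should only ever serve static files.
        if rec["path"].startswith("/downloads/") and rec["path"].lower().endswith(".php"):
            s["script_probes"].append((rec["path"], rec["status"]))
    return dict(per_ip)


def flagged(summary):
    """IPs that deserve a closer look: any admin-area activity or any script probe."""
    return sorted(ip for ip, s in summary.items() if s["admin_hits"] or s["script_probes"])


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for ip in flagged(summary):
        s = summary[ip]
        print(f"{ip}: {s['requests']} requests {s['first']:%H:%M:%S}-{s['last']:%H:%M:%S}, "
              f"admin hits={s['admin_hits']} (POST {s['admin_posts']}), probes={s['script_probes']}")
```

On the constructed sample only 203.0.113.5 is flagged: three admin-area requests including one POST, and one probe for /downloads/2.php that returned 404. On a real log, a 200 on such a probe, rather than a 404, is the case bear describes as the attacker having succeeded, and the window between first and last seen for that address is the span to check against the WHMCS admin activity log and the downloads folder.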
Xoolon (October 21, 2013, author):
Yes, it was running 5.2.8 when this happened; I upgraded to this on 4th October. Since then I've received plenty of emails saying username changed to aes-encrypt etc. Since regaining access today I have upgraded to 5.2.9 then 5.2.10. As you say the info should be considered compromised, but when it's live customers and products in there as designed, what can you practically do about it except reset passwords?
bear (October 21, 2013):
Before you start, you may wish to open a ticket and confirm things with WHMCS and ask for their thoughts on it. That would be a start, and includes all passwords: payment gateways, servers, WHMCS accounts (especially admins), hosting accounts and so on. Anywhere there's details for logins or payments, they may have that. I'd also be carefully checking all files in the site for anything they'd added, as well as confirming all the WHMCS downloads are yours and not something they added. The above is what I'd be doing, however.
bugster (October 24, 2013):
My 5.2.10 installation just got hacked. It started with my license key getting reset, and then today they deleted my clients table. Check your downloads folder for PHP scripts; that was how they got me, I think. I've opened a ticket with WHMCS but haven't heard from them yet.
bear (October 24, 2013):
> My 5.2.10 installation just got hacked. It started with my license key getting reset and then today they deleted my clients table.
Did any of that happen before you'd patched/upgraded? The way it was worded sounded like there was a delay.
bugster (October 24, 2013):
The license reset happened Monday, then I patched yesterday, and the tables were deleted today. The files in the download folder were dated 10/20, 10/21 and 10/23, so it did start with 5.2.8.
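bugster found the planted files by looking at the downloads folder and their dates, and bear's earlier advice was to confirm every download is yours. The check below is an added Python example, not code from the thread or from WHMCS: it walks a downloads directory, lists every file carrying a server-executable extension anywhere in its name (so a double extension such as invoice.pdf.php is caught too), skips the expected index.php, and reports the modification time so the hits can be lined up against the access log. The sample directory it builds is constructed in a temporary folder; the extension list is an assumption for a typical Apache/mod_php host.

```python
import os
import tempfile
from datetime import datetime

# Extensions a PHP-enabled web server may execute. Assumption for a typical
# Apache/mod_php host; extend it to match the server being checked.
EXECUTABLE_EXTS = (".php", ".php5", ".phtml", ".phar")


def is_executable_name(name):
    """True if an executable extension appears anywhere in the file name,
    catching 2.php, invoice.pdf.php and x.php.jpg alike."""
    lower = name.lower()
    return any(lower.endswith(ext) or (ext + ".") in lower for ext in EXECUTABLE_EXTS)


def find_unexpected_php(root, expected=("index.php",)):
    """Walk root and return sorted [(relative_path, mtime_iso)] for every
    executable-looking file that is not on the expected whitelist."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if is_executable_name(name) and rel not in expected:
                mtime = datetime.fromtimestamp(os.path.getmtime(full))
                hits.append((rel, mtime.isoformat(timespec="seconds")))
    return sorted(hits)


def build_sample_downloads():
    """Constructed stand-in for a WHMCS downloads folder: the legitimate index.php,
    a normal PDF, a stray 2.php like the one in the thread, and a double-extension
    file in a subfolder. Contents are placeholders, not real payloads."""
    root = tempfile.mkdtemp(prefix="whmcs_downloads_")
    files = {
        "index.php": "<?php header('Location: ../'); ?>",
        "manual.pdf": "%PDF-1.4 placeholder",
        "2.php": "<?php /* constructed placeholder */ ?>",
        os.path.join("sub", "invoice.pdf.php"): "<?php /* constructed placeholder */ ?>",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_downloads()
    for rel, when in find_unexpected_php(root):
        print(f"{when}  {rel}")
```

Run against a real install, point find_unexpected_php at the downloads directory and treat every line it prints as something to explain: the modification timestamps are what bugster used to date the intrusion back to the 5.2.8 period. Removing the files is not enough on its own; the web server should also be configured so that nothing under the downloads folder is executed as PHP, since that directory exists to serve static files.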
Xoolon (October 24, 2013, author):
> My 5.2.10 installation just got hacked. It started with my license key getting reset and then today they deleted my clients table. Check your downloads folder for php scripts that was how they got me I think. I've opened a ticket with whmcs but haven't heard from them yet.
Nothing in my downloads folder except the index.php file, so maybe luckier here. The response I got from support was: 'We would be unable to advise for definite as to why this happened, perhaps your server logs can provide some insight. It is possible that your WHMCS installation was accessed.'