petru Posted January 16, 2014

Hey Guys. I have a Free Hosting account package on my WHMCS. This is basically an account that Users can use to see if they will like our service. But it seems like I'm attracting quite a lot of fake users and potential hackers. I just received an Order under the name Hacker Hacker. It had suspicious code in the Client information field. The code said:

AES_ENCRYPT(1,1), address1= (SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email SEPARATOR 0x0d) FROM tbladmins), AES_ENCRYPT(1,1), address2= (SELECT GROUP_CONCAT(password SEPARATOR 0x0d) FROM tbladmins)AES_ENCRYPT(1,1), city= (SELECT GROUP_CONCAT(type,0x3a,ipaddress,0x3a,username,0x0d,accesshash SEPARATOR 0x0d) FROM tblservers), AES_ENCRYPT(1,1), state= (SELECT GROUP_CONCAT(id,0x3a,servertype,0x3a,paytype,0x3a,configoption1 SEPARATOR 0x0d) FROM tblproducts), hacked United States

I traced the IP address to Indonesia so I marked it as fraud. Does anyone know what this code is? A simple Google search came up with a lot of exploit codes. I have .htaccess restricted the login page for anyone not on my IP address. I have also password protected the login directory and renamed it. So maybe it was a good thing that I had already done that prior to this. But I'm curious to know if there is anything that still makes me vulnerable. I also care for the protection of other users on my server. My root login page for WHM is also IP restricted. If anyone can tell me what I should do from here or if they know anything about the code please let me know.

Regards, Petru

bear Posted January 16, 2014

This was an attempt to attack your install, using the exploits revealed and patched in early October. If you are not on the latest version of WHMCS (specifically back on 5.2.8 or so) that would potentially have revealed lots of info from your database. If you're up to date, you should be safe.

petru (Author) Posted January 16, 2014

Well damn, thanks for the info. I'm up to date with WHMCS 5.2.15. I generally check every day for new updates so I'm glad I'm up to date. Is there any way to find out if they still managed to attack the system? Are there any symptoms? Thanks

bear Posted January 16, 2014

If I recall correctly, this would email the information to the user that submitted it, so you might look in the emails to that user.

petru (Author) Posted January 16, 2014

Thanks for the info. It turns out that the user's details were different when they signed up. But after signing up they changed their details and included the exploit. I received an email with the user's change, but all I could see in the fields was the exploit code. So I gather that if it was a successful attack I would've seen the details that they were after instead of the exploit, correct?

bear Posted January 16, 2014

You're welcome. Yes, it's my understanding of that exploit that it would have included details from the database in the email if it worked. If you saw the exploit code in them, it probably failed. Did you check the user's email history, or just base this on the email you received (I believe it's the same email, but worth checking)?

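An added example, not part of the thread and not WHMCS code: a scan of exported client profile fields for the SQL fragments quoted in the first post, so attempts like this one can be found without waiting for a change-notification email. The record layout and the field names other than address1, address2, city and state are assumptions, and the sample rows are constructed.

```python
import re

# address1/address2/city/state are the columns named in the payload quoted in the
# thread; firstname/lastname/companyname are assumed field names for this example.
PROFILE_FIELDS = ("firstname", "lastname", "companyname",
                  "address1", "address2", "city", "state")

# Markers derived from the payload quoted in the first post.
MARKERS = {
    "aes_encrypt_call": re.compile(r"\bAES_ENCRYPT\s*\(", re.I),
    "group_concat": re.compile(r"\bGROUP_CONCAT\s*\(", re.I),
    "subselect": re.compile(r"\(\s*SELECT\b.+?\bFROM\b", re.I | re.S),
    "whmcs_table": re.compile(r"\btbl(admins|servers|products)\b", re.I),
    "column_assignment": re.compile(r",\s*(address[12]|city|state)\s*=", re.I),
}

def scan_record(record):
    """Return {field: [marker names]} for profile fields holding SQL fragments."""
    hits = {}
    for field in PROFILE_FIELDS:
        value = record.get(field) or ""
        found = sorted(n for n, rx in MARKERS.items() if rx.search(value))
        if found:
            hits[field] = found
    return hits

def flag_clients(records, min_markers=2):
    """IDs of clients where one field matches at least min_markers markers."""
    return [r["id"] for r in records
            if any(len(m) >= min_markers for m in scan_record(r).values())]

# Constructed sample rows (not real data); row 2 carries a fragment of the
# payload quoted in the thread, row 3 is a benign near-miss.
SAMPLE_CLIENTS = [
    {"id": 1, "firstname": "Ana", "address1": "12 Harbour Rd", "city": "Leeds"},
    {"id": 2, "firstname": "Hacker",
     "address1": "AES_ENCRYPT(1,1), address2= (SELECT GROUP_CONCAT(password "
                 "SEPARATOR 0x0d) FROM tbladmins)", "city": "hacked"},
    {"id": 3, "firstname": "Sam", "companyname": "Select Hosting (from 2009)",
     "city": "Austin"},
]

if __name__ == "__main__":
    for client in SAMPLE_CLIENTS:
        print(client["id"], scan_record(client))
```

A field that still holds the literal SQL text matches what the thread describes as the sign of a failed attempt; the scan only locates such records and says nothing about whether an unpatched install leaked data.
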
petru (Author) Posted January 16, 2014

I looked for the email that they would've received but there was none. Just a welcome email and an email for their hosting account. It's very odd though because their email address was a@a.com so I'm not too sure how they would've received it anyway. Seems to be okay though. I know my servers or WHMCS aren't at risk but I just wanted to make sure my clients are safe also.

ryanm Posted June 19, 2014

Hey Guys, Just wondering if there happens to be a new attack using the same AES_ENCRYPT.... details as mentioned above. I got hit by someone trying to create a user account on my system and he changed his details to those above. It doesn't appear that he was able to get anything by looking at the email records, and I'm fully updated, but just wanted to make sure. Thanks!

mlew2 Posted June 19, 2014

I believe they are still trying that exploit just for the handful of sites that didn't update like they should have.

WHMCS Ryan Posted June 19, 2014

Hello ryanm, As long as your install is up to date you should be fine. I would also suggest you review this tutorial on how to further secure your install - http://docs.whmcs.com/Further_Security_Steps. --Thanks