
Numerous WHMCS Users Websites and Admin Usernames Posted Online PLEASE READ!!!


willow


Someone was kind enough to drop me an email today, giving me a link to a file that has been posted online containing all my Admin User Accounts, Usernames and Email Addresses. It contains hundreds if not thousands of WHMCS Admin Account details, very possibly including yours!

 

Please see http://pastebin.com/tmNyiXeD to see if your business is included and immediately change all Admin Usernames and Passwords!!


What the hell..!

That is NOT cool! Not good at all :mad:

Does that mean the majority of WHMCS users are being compromised?

@willow, may I know if you're using the latest version of WHMCS?

 

- - - Updated - - -

 

But in that pastebin the password is published still using md5 encryption, can someone log in to WHMCS admin using the md5 password?


What the hell..!

@willow, may I know if you're using the latest version of WHMCS?

Always! I think this happened a few months ago when the first lot of security issues were found because I was getting lots of tickets being opened with base64 code in the body. Additionally I don't personally have any other software running on the domain my WHMCS is installed so it can't be down to insecurities in another script.

But in that pastebin the password is published still using md5 encryption, can someone log in to WHMCS admin using the md5 password?

 

I don't know. I've changed all the admin usernames and passwords and renamed my admin folder. I think Matt needs to post an announcement about this so everybody can check if they have been affected!

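Added example, not part of any post in this thread and not WHMCS code: one way to triage incoming ticket bodies for the embedded base64 described in the post above. The 40-character threshold, the marker list, the verdict names and the sample tickets are all assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Assumed threshold: 40+ base64 characters in a row, optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Assumed, illustrative markers of code inside a decoded run (compared lowercase).
CODE_MARKERS = ("<?php", "eval(", "base64_decode(", "system(")

def decode_run(run):
    """Return decoded text if run is valid base64 of mostly printable bytes, else None."""
    run = run.rstrip("=")
    run += "=" * (-len(run) % 4)  # re-pad so a run missing its padding still decodes
    try:
        raw = base64.b64decode(run, validate=True)
    except (binascii.Error, ValueError):
        return None
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw)
    if not raw or printable / len(raw) < 0.9:
        return None  # hex strings and binary blobs decode to noise, not text
    return raw.decode("ascii", errors="replace")

def scan_ticket(body):
    """Classify a ticket body as 'clean', 'review' or 'quarantine'."""
    verdict = "clean"
    for match in B64_RUN.finditer(body):
        text = decode_run(match.group())
        if text is None:
            continue
        if any(marker in text.lower() for marker in CODE_MARKERS):
            return "quarantine"
        verdict = "review"  # decodable text, but nothing code-like in it
    return verdict

def _b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample ticket bodies, not taken from any real system.
SAMPLE_TICKETS = {
    "T1": "Hi, my invoice #1043 shows the wrong amount, can you check?",
    "T2": "Details: " + _b64("<?php echo 'constructed sample, not a real payload'; ?>"),
    "T3": "Config: " + _b64("server=mail.example.com port=587 user=billing"),
    "T4": "Order ref " + "0123456789abcdef" * 4,
}

if __name__ == "__main__":
    for ticket_id, body in SAMPLE_TICKETS.items():
        print(ticket_id, scan_ticket(body))
```

T4 shows why the printable-ratio check matters: a long hex string is made of valid base64 characters but decodes to noise, so it is not flagged.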

If I remember correctly this was a while back when this happened and so your login info should have been changed by now. Anyone with a bin account please click on the report abuse link to report the item as illegal content. This way it should be removed faster. Otherwise just use the contact link on the bottom of the site to report but that appears to be hit and miss.

It appears to be from only several countries, I was not listed.

I personally would not log into the site using your Google as I personally don't trust the site at all.

Someone (WHMCS maybe) needs to also report this to the authorities.


Hello willow,

 

Thanks for bringing this to our attention. From looking at the pastebin it seems they have only the password hash and not the password itself. These hashes can only be decrypted using the hash from each unique installation and were most likely taken from outdated installs of WHMCS. We have contacted pastebin to have this info pulled immediately.

 

This serves as a solid reminder to always keep both your install of WHMCS and any server side software up to date. I also strongly advise the use of the guide octars linked as a way to further secure your install.

 

--Thanks


  • 2 weeks later...

I had an order placed by this person who left his trace as per the forum below.

From my findings the latest version would thus still be vulnerable. I have a few tickets which have been blocked so they are still attempting to use the script.

 

https://w w w.developers.prod.facebook.com/PeZeEf/posts/581469575304895


I had an order placed by this person who left his trace as per the forum below.

From my findings the latest version would thus still be vulnerable. I have a few tickets which have been blocked so they are still attempting to use the script.

 

https://w w w.developers.prod.facebook.com/PeZeEf/posts/581469575304895

 

Bear in mind, attempting to perform a patched vulnerability does not mean the vulnerability is still present in the latest version. Just, it won't be successful.

 

Has your WHMCS actually been compromised running the latest version?


Well the order was placed via the script according to my info.

How far they got I would have to see as I have blocked the IPs and tickets from entering the system.

Not really sure how to confirm other than trying to hack myself, as they supply the script.
