willow, Posted June 19, 2014

Someone was kind enough to drop me an email today, giving me a link to a file that has been posted online containing all my Admin User Accounts, Usernames and Email Addresses. It contains hundreds if not thousands of WHMCS Admin Account details, very possibly including yours!

Please see http://pastebin.com/tmNyiXeD to see if your business is included and immediately change all Admin Usernames and Passwords!!

octars, Posted June 19, 2014

What the hell..! That is NOT cool! Not good at all. Does that mean the majority of WHMCS users are being compromised?

@willow, may I know if you're using the latest version of WHMCS?

- - - Updated - - -

But in that pastebin the password is published still using md5 encryption. Can someone log in to WHMCS admin using an md5 password?

willow (Author), Posted June 19, 2014

> What the hell..! @willow, may I know if you're using the latest version of whmcs ?

Always! I think this happened a few months ago when the first lot of security issues were found because I was getting lots of tickets being opened with base64 code in the body. Additionally I don't personally have any other software running on the domain my WHMCS is installed so it can't be down to insecurities in another script.

> But in that pastebin the password is published still using md5 encryption, can someone login to whmcs admin using md5 password?

I don't know. I've changed all the admin usernames and passwords and renamed my admin folder. I think Matt needs to post an announcement about this so everybody can check if they have been affected!

durangod, Posted June 19, 2014

If I remember correctly this was a while back when this happened and so your login info should have been changed by now.

Anyone with a bin account, please click on the report abuse link to report the item as illegal content. This way it should be removed faster. Otherwise just use the contact link on the bottom of the site to report, but that appears to be hit and miss.

It appears to be from only several countries; I was not listed. I personally would not log into the site using your Google account as I personally don't trust the site at all. Someone (WHMCS maybe) needs to also report this to the authorities.

octars, Posted June 19, 2014

My site is also not listed there. But I always use these extra steps to secure my WHMCS: http://docs.whmcs.com/Further_Security_Steps

durangod, Posted June 19, 2014

It also helps on top of the security steps to add the fake admin addon as well. https://www.whmcs.com/appstore/126/Dummy-Admin-Area.html

WHMCS Ryan, Posted June 19, 2014

Hello willow,

Thanks for bringing this to our attention. From looking at the pastebin it seems they have only the password hash and not the password itself. These hashes can only be decrypted using the hash from each unique installation and were most likely taken from outdated installs of WHMCS. We have contacted pastebin to have this info pulled immediately.

This serves as a solid reminder to always keep both your install of WHMCS and any server side software up to date. I also strongly advise the use of the guide octars linked as a way to further secure your install.

--Thanks

numPhoenix, Posted July 1, 2014

I had an order placed by this person who left his trace as per the forum below. From my findings the latest version would thus still be vulnerable. I have a few tickets which have been blocked so they are still attempting to use the script.

https://w w w.developers.prod.facebook.com/PeZeEf/posts/581469575304895

Alex - Arvixe, Posted July 1, 2014

> I had an order placed by this person who left his trace as per the forum below. From my findings the latest version would thus still be vulnerable. I have a few tickets which have been blocked so they are still attempting to use the script. https://w w w.developers.prod.facebook.com/PeZeEf/posts/581469575304895

Bear in mind, attempting to perform a patched vulnerability does not mean the vulnerability is still present in the latest version. Just, it won't be successful. Has your WHMCS actually been compromised running the latest version?

numPhoenix, Posted July 1, 2014

Well, the order was placed via the script according to my info. How far they got I would have to see, as I have blocked the IPs and tickets from entering the system. Not really sure how to confirm other than trying to hack myself, as they supply the script.