WizTech Posted September 7, 2014
Within minutes of updating, I started getting notices of admin login failures. As that was the support ticket topic I had created with WHMCS.com because I couldn't get logged in, it scared me into thinking WHMCS was doing it. Now I realize that it did start within a few minutes of the upgrade and not after the support ticket. So what the heck is going on? I've actually tried banning the IP addresses these are coming from but it keeps happening. Is there something in the new version that has opened the door to this? I actually renamed the admin so that the admin login page can no longer be accessed, so these are not actual admin login attempts, by the way.
WizTech Posted September 24, 2014
The problem continues. I upgraded again hoping the problem would go away with the latest changes. I have changed my user and the admin folder name but still get these notices. The user name they are using is my original username that I changed that first day. What could be creating this problem? All of the IPs (and there are an inexhaustible number of them) are from the Amazon server - ec2-50-17-28-188.compute-1.amazonaws.com. Anybody got any ideas, suggestions? I would really like to stop getting these emails but don't want to turn off this function.
WHMCS John (WHMCS Support Manager) Posted September 25, 2014
Hi, It sounds like someone might be using Amazon's cloud service to try brute-forcing your WHMCS installation. I would suggest ensuring you have a strong, unique, non-dictionary password. Also consider two-factor authentication just in case they do manage to guess your password: http://docs.whmcs.com/Security_Modules You might want to report these attempts to Amazon directly to see if they can cancel whoever's account is being used for this.
WizTech Posted September 26, 2014
I already had specific IP access only. Even though I started blocking the IPs at the server level, I'm still getting the emails. Blocking them inside admin does stop them. I'm going to the two-factor auth to make it even more secure. But that doesn't stop the emails from coming. My sys admin says the emails may be just delayed. I guess I'm going to turn off that but I really wasn't wanting to. At this point I don't even know if these are real attempts.
vec Posted September 26, 2014
I wish there was a way to remove the whole admin system to, say, a local computer...
pierre Posted September 26, 2014
Very interested in this. One of my sites was attacked but runs the latest WHMCS so no big worry, but this is organized crime scanning all sites running WHMCS they can put their dirty hands on. (Using email whmcs0day@gmail.com by the way...) I work with some Amazon S3 / EC2 resources and have an account there - if anybody has info on use by hackers feel free to report or share, I'm thinking they'd take that seriously.
- - - Updated - - -
And yes, by the way, 2FA access should be a must.
WizTech Posted September 30, 2014
Mystery solved and it was benign. I had signed up for a trial of a service called Zapier which uses the API key plus the email and password. I thought it was not running any longer and the password had been changed. So WHMCS is now detecting those failed API attempts. There I was trying to block a legitimate service!!! And WHMCS support sent me in the right direction - towards the access logs. There in plain English it said Zapier. What a hassle!
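The access-log check that resolved this thread, as an added example that is not part of any post above and not WHMCS code: it groups requests to the API endpoint by User-Agent, so one integration calling from many cloud IPs shows up as a single client. The `/includes/api.php` path, the combined log format and every sample line are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format (assumed; adjust to the server's format).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

API_PATH = "/includes/api.php"  # assumption: default WHMCS API endpoint

# Constructed sample lines (documentation IP ranges, illustrative agents).
SAMPLE_LOG = """\
203.0.113.10 - - [24/Sep/2014:10:00:01 +0000] "POST /includes/api.php HTTP/1.1" 200 87 "-" "Zapier"
203.0.113.44 - - [24/Sep/2014:10:05:02 +0000] "POST /includes/api.php HTTP/1.1" 200 87 "-" "Zapier"
198.51.100.7 - - [24/Sep/2014:10:06:30 +0000] "GET /clientarea.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.91 - - [24/Sep/2014:10:10:03 +0000] "POST /includes/api.php HTTP/1.1" 200 87 "-" "Zapier"
198.51.100.23 - - [24/Sep/2014:10:11:00 +0000] "POST /includes/api.php HTTP/1.1" 200 87 "-" "curl/7.38.0"
this line is malformed and must be skipped
"""

def summarize_api_clients(log_text, path=API_PATH):
    """Return [(user_agent, request_count, distinct_ip_count)], busiest first."""
    hits = Counter()
    ips = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if m["path"].split("?", 1)[0] != path:
            continue  # only requests to the API endpoint are of interest
        hits[m["ua"]] += 1
        ips[m["ua"]].add(m["ip"])
    return [(ua, n, len(ips[ua])) for ua, n in hits.most_common()]

if __name__ == "__main__":
    for ua, n, nip in summarize_api_clients(SAMPLE_LOG):
        print(f"{n:4d} requests from {nip:3d} IPs  UA={ua!r}")
```

A User-Agent with many requests spread over many distinct IPs points to a hosted integration rather than one host; the User-Agent string is client-supplied, so confirm it against the list of services that were given the API credentials.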