Jump to content

Amazon bots attack after upgrade


Recommended Posts

Within minutes of updating, I started getting notices of admin login failures. As that was the support ticket topic I had created with WHMCS.com because I couldn't get logged in, it scared me into thinking WHMCS was doing it. Now I realize that it did start within a few minutes of the upgrade and not after the support ticket.


So what the heck is going on? I've actually tried banning the ip addresses these are coming from but it keeps happening. Is there something in the new version that has opened the door to this?


I actually renamed the admin so that the admin login page can no longer be accessed so these are not actual admin login attempts by the way.

Link to comment
Share on other sites

  • 3 weeks later...

The problem continues. I upgraded again hoping the problem would go away with the latest changes. I have changed my user and the admin folder name but still get these notices. The user name they are using is my original username that I changed that first day. What could be creating this problem? All of the ips (and there are an inexhaustible number of them) are from the amazon server - ec2-50-17-28-188.compute-1.amazonaws.com. Anybody got any ideas, suggestions? I would really like to stop getting these emails but don't want to turn off this function.

Link to comment
Share on other sites

  • WHMCS Support Manager


It sounds like someone might be using Amazon's cloud service to try brute-forcing your WHMCS installation. I would suggest ensuring you have a strong, unique, non-dictionary password. Also consider two factor authentication just in case they do manage to guess your password: http://docs.whmcs.com/Security_Modules


You might want to report these attempts to Amazon directly to see if they can cancel whoever's account is being used for this.

Link to comment
Share on other sites

I already had specific ip access only. Even though I started blocking the ips at the server level, I'm still getting the emails. Blocking them inside admin does stop them. I'm going to the two factor auth to make it even more secure. But that doesn't stop the emails from coming. My sys admin says the emails may be just delayed. I guess I'm going to turn off that but I really wasn't wanting to. At this point I don't even know if these are real attempts.

Link to comment
Share on other sites

Very interested in this. One of my sites was attacked but runs the latest WHMCS so no big worry, but this is organized crime scanning all sites running WHMCS they can put their dirty hands on. (Using email whmcs0day@gmail.com by the way...)

I work with some Amazon S3 / EC2 resources and have an account there - if anybody has infos on use by hackers feel free to report or share, I'm thinking they'd take that seriously.


- - - Updated - - -


And yes by the way, 2FA access should be a must.

Link to comment
Share on other sites

Mystery solved and it was benign. I had signed up for a trial of a service called zapier which uses the api key plus the email and password. I thought it was not running any longer and the password had been changed. So WHMCS is now detecting those failed api attempts. There I was trying to block a legitimate service!!!


And WHMCS support sent me in the right direction - towards the access logs. There in plain English it said Zapier. What a hassle!

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...

Important Information

By using this site, you agree to our Terms of Use & Guidelines and understand your posts will initially be pre-moderated