
Spam Account Keeps Registering


keenguitar


Hello everyone! The following occurs. A user registers with the following information in a Pending Order.

Order Information

Order ID: 17
Order Number: 7248213162
Date/Time: 09/13/2014 01:10
Invoice Number: 54
Payment Method: PayPal

Customer Information

Customer ID: 22
Name: Aganteng Rooterz
Email: kefiex404@gmail.com
Company: DMASTERPIECE
Address 1: dm
Address 2: dm
City: dm
State: Arizona
Postcode: 404404
Country: US
Phone Number: 086969696969

Order Items

Domain Registration: Register
Domain: kontol-ngaceng.com
First Payment Amount: $11.99 USD
Recurring Amount: $10.67 USD
Registration Period: 1 Year/s

Total Due Today: $11.99 USD

ISP Information

IP: 64.22.112.34
Host: rs30.abstractdns.com

http://mywhmcsinstall.com/admin/orders.php?action=view&id=17

Then I'll receive the following Email:

Client ID: 22 - Aganteng Rooterz has requested to change his/her details as indicated below:

First Name: 'Aganteng' to 'Andri'
Last Name: 'Rooterz' to 'Cyber4rt'
Address 1: 'dm' to 'AES_ENCRYPT(1,1), address1= (SELECT MIN(ipaddress) FROM tblservers)'
Address 2: 'dm' to 'AES_ENCRYPT(1,1), address2= (SELECT MIN(username) FROM tblservers)'
City: 'dm' to 'AES_ENCRYPT(1,1), city= (SELECT MIN(accesshash) FROM tblservers)'
Postcode: '404404' to 'dm'
Default Payment Method: '' to ''
How Did You Hear About Us?: 'Google' to ''

If you are unhappy with any of the changes, you need to login and revert them - this is the only record of the old details.

This change request was submitted from rs30.abstractdns.com (64.22.112.34)


I'm also having the same issue. They try every other day to hack WHMCS and I don't know whether they succeeded or not. Please advise, anyone from WHMCS.

Order Information

Order ID: 75
Order Number: 8365462877
Date/Time: 14/09/2014 03:17
Invoice Number: 209
Payment Method: PayPal

Customer Information

Customer ID: 55
Name: Aganteng Rooterz
Email: kefiex404@gmail.com
Company: DMASTERPIECE
Address 1: dm
Address 2: dm
City: dm
State: Arizona
Postcode: 404404
Country: US
Phone Number: 086969696969

Order Items

Domain Registration: Register
Domain: kontol-ngaceng.com
First Payment Amount: €16,00 EUR
Recurring Amount: €16,00 EUR
Registration Period: 1 Year/s

Total Due Today: €16,00 EUR

ISP Information

IP: 64.22.112.34
Host: rs30.abstractdns.com


Same here,

Domain Registration: Register
Domain: hacked-by-dm-team.com

ISP Information:
IP: 173.214.177.80
Host: kvchosting.com LLC

Client Profile Modified - Address 1: 'admin' to 'AES_ENCRYPT(1,1), address1= (SELECT MIN(ipaddress) FROM tblservers)', Address 2: '6ab9915ca6ec710d229c23c2233b22cb' to 'AES_ENCRYPT(1,1), address2= (SELECT MIN(username) FROM tblservers)', City: 'dm' to 'AES_ENCRYPT(1,1), city= (SELECT MIN(accesshash) FROM tblservers)', Default Payment Method: '' to '' - User ID: 57
- 14/09/2014 21:34 - Client - 173.214.177.80

Client Profile Modified - First Name: 'Aganteng' to 'Andri', Last Name: 'Rooterz' to 'Cyber4rt', Address 1: 'dm' to 'AES_ENCRYPT(1,1), address1= (SELECT MIN(username) FROM tbladmins)', Address 2: 'dm' to 'AES_ENCRYPT(1,1), address2= (SELECT MIN(password) FROM tbladmins)', Postcode: '404404' to 'dm', Default Payment Method: '' to '' - User ID: 57
- 14/09/2014 21:32 - Client - 173.214.177.80

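An added detection example, not code from the thread or from WHMCS: it parses "Client Profile Modified" activity-log entries in the two-line format quoted above and flags any field whose new value carries an AES_ENCRYPT(...) fragment or a sub-select, reporting which table and column each one tried to read. The log text is a constructed sample modelled on the entries above, with one benign edit added for contrast.

```python
import re

# Constructed sample, modelled on the WHMCS activity-log entries quoted in this thread
# (one benign edit added for contrast). Each entry is a two-line pair.
SAMPLE_LOG = """\
Client Profile Modified - First Name: 'Aganteng' to 'Andri', Address 1: 'dm' to 'AES_ENCRYPT(1,1), address1= (SELECT MIN(username) FROM tbladmins)', Address 2: 'dm' to 'AES_ENCRYPT(1,1), address2= (SELECT MIN(password) FROM tbladmins)', Default Payment Method: '' to '' - User ID: 57
- 14/09/2014 21:32 - Client - 173.214.177.80
Client Profile Modified - Address 1: '12 Main St' to '14 Main St', City: 'Phoenix' to 'Tempe' - User ID: 58
- 15/09/2014 09:10 - Client - 192.0.2.10
"""

# One "Field: 'old' to 'new'" change; values in these entries never contain a quote.
CHANGE_RE = re.compile(r"([A-Za-z][A-Za-z0-9 ?]*?): '([^']*)' to '([^']*)'")
# A sub-select smuggled into a value: SELECT [FUNC(]column[)] FROM table
SUBSELECT_RE = re.compile(r"\bSELECT\s+(?:\w+\()?(\w+)\)?\s+FROM\s+(\w+)", re.I)
META_RE = re.compile(r"^- (.+?) - Client - (\S+)")


def parse_activity_log(text):
    """Return one dict per 'Client Profile Modified' entry with its field changes."""
    lines = [l for l in text.splitlines() if l.strip()]
    entries = []
    for head, meta in zip(lines[::2], lines[1::2]):
        if not head.startswith("Client Profile Modified"):
            continue
        user = re.search(r"User ID: (\d+)", head)
        m = META_RE.match(meta)
        entries.append({
            "user_id": int(user.group(1)) if user else None,
            "time": m.group(1) if m else None,
            "ip": m.group(2) if m else None,
            "changes": CHANGE_RE.findall(head),
        })
    return entries


def find_injection_attempts(text):
    """Flag changes whose new value carries AES_ENCRYPT(...) or a sub-select,
    and report which table/column the sub-select tried to read."""
    findings = []
    for entry in parse_activity_log(text):
        for field, _old, new in entry["changes"]:
            sub = SUBSELECT_RE.search(new)
            if sub or "AES_ENCRYPT(" in new.upper():
                findings.append({
                    "ip": entry["ip"], "user_id": entry["user_id"], "field": field,
                    "column": sub.group(1) if sub else None,
                    "table": sub.group(2) if sub else None,
                })
    return findings
```

Feed it the "Client Profile Modified" lines from the WHMCS activity log and each finding tells you the source IP, client ID, field and the admin/server table the value was aimed at.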

Hello,

We are also getting these. Any solution?

Order Information

Order ID: 234
Order Number: 8861576794
Date/Time: 2014/09/17 06:48
Invoice Number: 901387
Payment Method: PayPal And Credit Card

Customer Information

Customer ID: 91
Name: Aganteng Rooterz
Email: DM@GMAIL.COM
Company: DMASTERPIECE
Address 1: dm
Address 2: dm
City: dm
State: Arizona
Postcode: 404404
Country: US
Phone Number: 086969696969

Order Items

Domain Registration: Register
Domain: hacked-by-dm-team.com
First Payment Amount: $14.50 CAD
Recurring Amount: $14.50 CAD
Registration Period: 1 Year/s

Total Due Today: $14.50 CAD

ISP Information

IP: 202.51.173.168
Host: kawasaki.intaserve.com

Client ID: 91 - Aganteng Rooterz has requested to change his/her details as indicated below:

First Name: 'Aganteng' to 'Andri'
Last Name: 'Rooterz' to 'Cyber4rt'
Address 1: 'dm' to 'AES_ENCRYPT(1,1), address1= (SELECT MAX(ipaddress) FROM tblservers)'
Address 2: 'dm' to 'AES_ENCRYPT(1,1), address2= (SELECT MAX(username) FROM tblservers)'
City: 'dm' to 'AES_ENCRYPT(1,1), city= (SELECT MAX(accesshash) FROM tblservers)'
Postcode: '404404' to 'dm'
Default Payment Method: '' to ''

If you are unhappy with any of the changes, you need to login and revert them - this is the only record of the old details.

This change request was submitted from kawasaki.intaserve.com (202.51.173.168)


As long as your WHMCS install is up to date there is no security threat here. However, the annoyance threat is quite high. You will want to enable Captcha under Setup --> General Settings --> Security. You can enable Fraud Protection, which is also under the Setup tab. This will check orders as they are submitted to help ensure only valid orders get through. And you can always block the IPs of the orders as they come in.

You can read more about Captcha here and Fraud Protection here.

--Thanks


Thanks Ryan,

I do my best to keep my WHMCS install up to date, but I don't know if they'll attempt to exploit between the time I know about the upgrade and the actual upload. I've been fortunate so far.

It would be nice to be able to ban the name (which is ALWAYS the same), as I'm getting about 3-4 of these per day currently.

Is there an addon for this? "Hacked by... " sounds to-the-point from my POV. I suppose if there was an addon that could check for certain keywords, that would be cool.

Have you tried blocking his IP? Or does he come with a new one every time?

Sometimes it's from the same IP address, but it does change.


Uses different IPs/hostnames.

Dear ,

Order Information

Order ID: 299
Order Number: 7240547371
Date/Time: 13/08/2014 20:26
Invoice Number: 14898
Payment Method: Mobile Payments

Customer Information

Customer ID: 168
Name: Aganteng Rooterz
Email: andriroot@gmail.com
Company: DMASTERPIECE
Address 1: JL SYNTAX ERROR
Address 2: JL SYNTAX ERROR
City: DM
State: Arizona
Postcode: 404404
Country: US
Phone Number: 086969696969

Order Items

Domain Registration: Register
Domain: hacked-by-dm-team.com
First Payment Amount: £7.49GBP
Recurring Amount: £7.99GBP
Registration Period: 1 Year/s

Total Due Today: £7.83GBP

ISP Information

IP: 75.127.126.17
Host: ns2.simpliq.net

Dear ,

Order Information

Order ID: 301
Order Number: 5475154139
Date/Time: 07/09/2014 14:04
Invoice Number: 14916
Payment Method: Mobile Payments

Customer Information

Customer ID: 170
Name: Aganteng Rooterz
Email: DM@GMAIL.COM
Company: DMASTERPIECE
Address 1: JL SYNTAX ERROR
Address 2: JL SYNTAX ERROR
City: DM
State: Arizona
Postcode: 404404
Country: US
Phone Number: 086969696969

Order Items

Domain Registration: Register
Domain: hacked-by-dm-team.com
First Payment Amount: £7.49GBP
Recurring Amount: £7.99GBP
Registration Period: 1 Year/s

Total Due Today: £7.83GBP

ISP Information

IP: 173.214.177.80
Host: 173.214.177.80

Dear ,

Order Information

Order ID: 302
Order Number: 5326142387
Date/Time: 09/09/2014 14:17
Invoice Number: 14921
Payment Method: Mobile Payments

Customer Information

Customer ID: 171
Name: Aganteng Rooterz
Email: IDUBEXP@GMAIL.COM
Company: DMASTERPIECE
Address 1: dm
Address 2: dm
City: dm
State: Arizona
Postcode: 404404
Country: US
Phone Number: 086969696969

Order Items

Domain Registration: Register
Domain: hacked-by-dm-team.com
First Payment Amount: £7.49GBP
Recurring Amount: £7.99GBP
Registration Period: 1 Year/s

Total Due Today: £7.83GBP

ISP Information

IP: 198.46.141.122
Host: server1.allsitecontrol.com

MaxMind marks the orders as fraud, so they don't get an active order.


What about a question captcha? That should do the trick if it's a script running. I wrote one for mine; it asks a question about something on the page, so it has to be a human looking at the page in order to register. The secret is that you have to make your WHMCS as non-standard as possible (and I say and mean that in a good way), because if they figure out how to get into a version out of the box, then you're still safe because you're not set up as per out of the box, if that makes sense.



It's a human that's doing this, as Host: 173.214.177.80 is on the SingleHop network, and I had a long chat with my account manager at SingleHop, who looked into the IP and stated they were already removed from their network, as the account was set up and within an hour of being set up they had several reports about this.


For the last couple of days I'm having the same guy registering on my WHMCS.

Aganteng Rooterz 5.199.171.28 09/24/2014 22:34
Aganteng Rooterz 204.93.159.77 09/24/2014 07:44
Aganteng Rooterz 202.51.173.168 09/11/2014 20:22
Aganteng Rooterz 75.127.126.17 08/27/2014 11:09

He uses the company name DMASTERPIECE, and the email is always a @gmail.com account, trying to register the domain: whmcs0day.com

How can I block someone from registering at all?

I know that the IP is spoofed, so there's no sense in blocking the IP.

I wish I had something more real to block him with.


I had this account show up on my WHMCS this morning. Of note he tried changing his address as follows:

Address 1: 'dm' to 'AES_ENCRYPT(1,1), address1= (SELECT MIN(username) FROM tbladmins)'
Address 2: 'dm' to 'AES_ENCRYPT(1,1), address2= (SELECT MIN(password) FROM tbladmins)'
City: 'dm' to 'AES_ENCRYPT(1,1), city= (SELECT MAX(username) FROM tbladmins)'
State: 'Arizona' to 'AES_ENCRYPT(1,1), state= (SELECT MAX(password) FROM tbladmins)'

 

Obviously he is trying to get admin login credentials. I am running WHMCS 5.3.9, so would this type of attack have been successful? Hopefully WHMCS protects against this type of SQL injection attack.

 

Best regards,

Eric



I have the same problem too, even though I have updated my WHMCS to the latest 5.3.10 (incremental patch from 5.3.9) and deleted the modules, registrars and gateways that I don't use. But anyway, today he registered 2 domains with similar details to yours.

I couldn't find any sign of logins to the admin panel; there is no log of admin panel IPs. There is just a customer who comes and registers these domains without completing the payment.

But the thing that is weird is that I have some custom fields in my WHMCS which are hidden from users, but those fields are getting filled too, with the word "google" in all of them. So there is some kind of SQL injection, I think, but I couldn't find the SQL query or a malicious file being uploaded on the server.

I have searched the recently changed files on the server and they were normal.

I have searched the server Apache access logs and here are the results from this new customer's order IP:

 

( my admin folder is not default this first one doesn't exist )
204.93.159.77 - - [25/Sep/2014:15:24:16 ] "GET /admin/login.php HTTP/1.1" 302 213

204.93.159.77 - - [25/Sep/2014:15:24:18] "POST /cart.php?a=add&domain=register HTTP/1.1" 302 -
204.93.159.77 - - [25/Sep/2014:15:24:18 ] "GET /cart.php?a=confdomains HTTP/1.1" 200 31704
204.93.159.77 - - [25/Sep/2014:15:24:19 ] "POST /cart.php?a=confdomains HTTP/1.1" 302 -
204.93.159.77 - - [25/Sep/2014:15:24:20 ] "GET /cart.php?a=view HTTP/1.1" 200 33236
204.93.159.77 - - [25/Sep/2014:15:24:20 ] "POST /cart.php?a=checkout HTTP/1.1" 302 1
204.93.159.77 - - [25/Sep/2014:15:24:25 ] "POST /clientarea.php HTTP/1.1" 200 41354
204.93.159.77 - - [25/Sep/2014:15:24:30 ] "POST /dologin.php HTTP/1.1" 302 -
204.93.159.77 - - [25/Sep/2014:15:24:31 ] "GET /clientarea.php HTTP/1.1" 200 41354
204.93.159.77 - - [25/Sep/2014:15:24:32 ] "GET /clientarea.php?action=details HTTP/1.1" 200 48114
204.93.159.77 - - [25/Sep/2014:15:24:32 ] "POST /clientarea.php?action=details HTTP/1.1" 200 48539
204.93.159.77 - - [25/Sep/2014:15:24:33 ] "GET /clientarea.php?action=details HTTP/1.1" 200 48114
204.93.159.77 - - [25/Sep/2014:16:01:13 ] "GET /admin/licenseerror.php HTTP/1.1" 302 213
204.93.159.77 - - [25/Sep/2014:16:01:14 ] "POST /admin/licenseerror.php HTTP/1.1" 302 213
204.93.159.77 - - [25/Sep/2014:16:01:15 ] "GET /configuration.php HTTP/1.1" 200 -


 

still i am searching to find more signs of his activities that is almost on my site for 20 days.

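An added example, not from the poster or from WHMCS: a small Apache access-log scanner that flags client IPs which place an order, edit their profile details within a minute of it, and also touch admin or configuration paths, the pattern visible in the excerpt above. The log lines are a constructed sample adapted from that excerpt (a second, benign visitor is added for contrast); the 60-second window and the path patterns are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, adapted from the access-log excerpt quoted above; the second IP
# is a documentation address added as a benign visitor for contrast.
SAMPLE_ACCESS_LOG = """\
204.93.159.77 - - [25/Sep/2014:15:24:16 ] "GET /admin/login.php HTTP/1.1" 302 213
204.93.159.77 - - [25/Sep/2014:15:24:18] "POST /cart.php?a=add&domain=register HTTP/1.1" 302 -
204.93.159.77 - - [25/Sep/2014:15:24:30] "POST /dologin.php HTTP/1.1" 302 -
204.93.159.77 - - [25/Sep/2014:15:24:32] "POST /clientarea.php?action=details HTTP/1.1" 200 48539
204.93.159.77 - - [25/Sep/2014:16:01:15] "GET /configuration.php HTTP/1.1" 200 -
198.51.100.7 - - [25/Sep/2014:15:30:00] "POST /cart.php?a=add&domain=register HTTP/1.1" 302 -
198.51.100.7 - - [25/Sep/2014:16:10:00] "POST /clientarea.php?action=details HTTP/1.1" 200 48539
"""

# ip, timestamp (a stray space before ']' as in the excerpt is tolerated), method, path, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# (signal name, required method or None for any, path pattern)
SIGNALS = [
    ("register", "POST", re.compile(r"^/cart\.php\?a=add")),
    ("profile_update", "POST", re.compile(r"^/clientarea\.php\?action=details")),
    ("admin_probe", None, re.compile(r"^/admin/")),
    ("config_probe", "GET", re.compile(r"^/configuration\.php$")),
]


def parse_log(text):
    """Map each client IP to a list of (timestamp, signal) events of interest."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, _status = m.groups()
        when = datetime.strptime(ts.strip(), "%d/%b/%Y:%H:%M:%S")
        for name, meth, pat in SIGNALS:
            if (meth is None or meth == method) and pat.match(path):
                events[ip].append((when, name))
    return events


def suspicious_ips(text, window=60):
    """IPs that place an order and edit their profile details within `window`
    seconds of it, and also touch admin or configuration paths."""
    out = {}
    for ip, evs in parse_log(text).items():
        regs = [t for t, n in evs if n == "register"]
        upds = [t for t, n in evs if n == "profile_update"]
        fast_edit = any(0 <= (u - r).total_seconds() <= window for r in regs for u in upds)
        probes = sorted({n for _, n in evs if n.endswith("_probe")})
        if fast_edit and probes:
            out[ip] = ["register", "profile_update"] + probes
    return out
```

Point it at the real access log and the flagged IPs are the ones worth checking against the WHMCS activity log for profile-change entries.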

he's also been mentioned in this thread too - http://forum.whmcs.com/showthread.php?93239-Spam-Account-Keeps-Registering - and mentioned on numerous threads found via Google.

 

I think he's from Indonesia and just trying to exploit an old SQL injection weakness of WHMCS.

 

WHMCS's advice tends to be that as long as you are running the latest version you should be safe.


Hello,

If you are running WHMCS you may find that client accounts have been created with user fields like:

AES_ENCRYPT(1,1), address1= (SELECT MAX(type) FROM tblservers)

and similar.

Please, how can I be 100% sure that no such injection, MySQL etc. hack through bad phrases in the user address etc. fields gets through?

Can I use some bad-words filter for user fields? Is there any existing mod?

I found this person who is creating injection accounts using many IPs.


This has been reported on other threads too...

- Removed -

The general advice from WHMCS tends to be that as long as you're using the latest version of WHMCS, these SQL injections shouldn't work - I think the hacker(s) are still using an old exploit that previous WHMCS releases were vulnerable to.

Durangod has started a thread about a module in development that might help with this issue.

http://forum.whmcs.com/showthread.php?93607-Permanent-Global-Client-Ban-for-WHMCS

It might be worth keeping an eye on the thread to find out more details about the addon.

Edited by Infopro
Links Removed, Threads Merged Here

I hate to be the giver of bad news, but WHMCS probably has no intention of fixing 5.2 as it's past its end of life, I'm pretty sure. That means that in order to fix this you should be upgrading your version when new upgrades come out instead of sitting back on your hands running a dinosaur version. If you are going to stay with that old version you have a few choices.

First - roll your sleeves up and fix the SQL injection bug.

Second - hire someone to do that for you.

Third - keep doing the same thing you're doing now (I hear they say that is the meaning of insanity lol).

Fourth - hope they give up and go bother someone else.

For those of you on 5.2, please read

http://docs.whmcs.com/Long_Term_Support#WHMCS_Version_.26_LTS_Schedule

- - - Updated - - -

@mosterweb I'm working on it as fast as I can, adding some new features now. I promise 15-hour days on this; I'll have it for you ASAP.

I'm referring to this, of course.

http://forum.whmcs.com/showthread.php?93607-Permanent-Global-Client-Ban-for-WHMCS

- - - Updated - - -

Now what WHMCS could do to help all of us is to come up with some mod_security rules, even basic ones, that we would use to assist us all with this issue. This issue is not, never was and never will be a single-pronged battle. It takes several ways of attacking this to keep it under control.

Edited by durangod
