keenguitar

Spam Account Keeps Registering


Hello everyone! The following occurs: a user registers with the following information in a pending order.

 

Order Information

 

Order ID: 17

Order Number: 7248213162

Date/Time: 09/13/2014 01:10

Invoice Number: 54

Payment Method: PayPal

 

Customer Information

 

Customer ID: 22

Name: Aganteng Rooterz

Email: kefiex404@gmail.com

Company: DMASTERPIECE

Address 1: dm

Address 2: dm

City: dm

State: Arizona

Postcode: 404404

Country: US

Phone Number: 086969696969

 

Order Items

 

Domain Registration: Register

Domain: kontol-ngaceng.com

First Payment Amount: $11.99 USD

Recurring Amount: $10.67 USD

Registration Period: 1 Year/s

 

Total Due Today: $11.99 USD

 

ISP Information

 

IP: 64.22.112.34

Host: rs30.abstractdns.com

 

http://mywhmcsinstall.com/admin/orders.php?action=view&id=17

 

Then I'll receive the following email:

 

Client ID: 22 - Aganteng Rooterz has requested to change his/her details as indicated below:

 

First Name: 'Aganteng' to 'Andri'

Last Name: 'Rooterz' to 'Cyber4rt'

Address 1: 'dm' to 'AES_ENCRYPT(1,1), address1= (SELECT MIN(ipaddress) FROM tblservers)'

Address 2: 'dm' to 'AES_ENCRYPT(1,1), address2= (SELECT MIN(username) FROM tblservers)'

City: 'dm' to 'AES_ENCRYPT(1,1), city= (SELECT MIN(accesshash) FROM tblservers)'

Postcode: '404404' to 'dm'

Default Payment Method: '' to ''

How Did You Hear About Us?: 'Google' to ''

If you are unhappy with any of the changes, you need to login and revert them - this is the only record of the old details.

 

This change request was submitted from rs30.abstractdns.com (64.22.112.34)

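The payload in the change-request email above has a recognisable shape: it begins with a harmless-looking `AES_ENCRYPT(1,1)` and then appends a second assignment, `address1= (SELECT MIN(ipaddress) FROM tblservers)`, that copies another table's data into the client's own address field, where the attacker can read it back from the client area. The following Python script is an added example, not code from WHMCS or from anyone in this thread. It assumes a hypothetical query builder that concatenates any value beginning with `AES_ENCRYPT(` into the UPDATE statement unquoted (an assumption inferred from the payload shape; the real WHMCS code is not on this page), uses SQLite in place of MySQL with a toy `AES_ENCRYPT` function, and constructs its own `tblclients` and `tbladmins` rows. It runs the same payload through that builder and through a parameterised version of the update, so the difference in what ends up in `address1` is visible.

```python
"""Added example (not WHMCS code and not from any poster in this thread).

Shows why a client-profile value shaped like the ones quoted above,

    AES_ENCRYPT(1,1), address1= (SELECT MIN(username) FROM tbladmins)

can turn a field update into a read of another table, and what the
parameterised version of the same update looks like.

Assumptions (this example's own, not facts from the page):
  * build_update_vulnerable() is a hypothetical query builder that inlines any
    value beginning with "AES_ENCRYPT(" as raw SQL (so encrypted columns can be
    written) and quotes everything else. That behaviour is inferred from the
    payload shape, which would be pointless against a builder that bound
    every value.
  * tblclients / tbladmins and their rows are constructed sample data.
  * SQLite stands in for MySQL; AES_ENCRYPT is registered as a toy function
    that only tags its input, so the script runs offline.
"""
import sqlite3

PAYLOAD = "AES_ENCRYPT(1,1), address1= (SELECT MIN(username) FROM tbladmins)"
ALLOWED_COLUMNS = {"firstname", "address1", "city"}  # allow-list for the safe path


def fresh_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    # Toy stand-in for MySQL's AES_ENCRYPT(str, key); it does not encrypt anything.
    db.create_function("AES_ENCRYPT", 2, lambda value, key: f"enc({value})")
    db.executescript(
        """
        CREATE TABLE tbladmins (id INTEGER, username TEXT, password TEXT);
        INSERT INTO tbladmins VALUES (1, 'admin', 'constructed-hash');
        CREATE TABLE tblclients (id INTEGER, firstname TEXT, address1 TEXT, city TEXT);
        INSERT INTO tblclients VALUES (22, 'Aganteng', 'dm', 'dm');
        """
    )
    return db


def fetch_client(db, client_id):
    """Current profile row as a dict, i.e. what the client area would display."""
    row = db.execute(
        "SELECT firstname, address1, city FROM tblclients WHERE id=?", (client_id,)
    ).fetchone()
    return dict(zip(("firstname", "address1", "city"), row))


def build_update_vulnerable(client_id, fields):
    """Hypothetical builder: AES_ENCRYPT(...) values are concatenated unquoted."""
    parts = []
    for column, value in fields.items():
        if value.startswith("AES_ENCRYPT("):
            parts.append(f"{column}={value}")  # raw SQL goes straight into the statement
        else:
            escaped = value.replace("'", "''")
            parts.append(f"{column}='{escaped}'")
    return f"UPDATE tblclients SET {', '.join(parts)} WHERE id={int(client_id)}"


def update_vulnerable(db, client_id, fields):
    """Apply the update via the hypothetical builder and return the stored row."""
    db.execute(build_update_vulnerable(client_id, fields))
    return fetch_client(db, client_id)


def update_safe(db, client_id, fields):
    """Column names from an allow-list, every value bound as a parameter.

    An encrypted column would be written as  col=AES_ENCRYPT(?, ?)  with the
    value and the key bound the same way; user input never reaches the SQL text.
    """
    unknown = set(fields) - ALLOWED_COLUMNS
    if unknown:
        raise ValueError(f"refusing unknown columns: {sorted(unknown)}")
    assignments = ", ".join(f"{column}=?" for column in fields)
    db.execute(
        f"UPDATE tblclients SET {assignments} WHERE id=?",
        (*fields.values(), client_id),
    )
    return fetch_client(db, client_id)


if __name__ == "__main__":
    print(build_update_vulnerable(22, {"address1": PAYLOAD}))
    print("vulnerable:", update_vulnerable(fresh_db(), 22, {"address1": PAYLOAD}))
    print("safe:      ", update_safe(fresh_db(), 22, {"address1": PAYLOAD}))
```

Run it and compare the two results: the hypothetical builder stores the first admin username in `address1` (SQLite applies the rightmost assignment to a column, and the injected assignment is the rightmost one), while the parameterised update stores the payload as a literal string, which is the behaviour a patched install should show. On a live system the equivalent check is to look at the current value of the affected profile fields after such a change request: a stored literal means the injection did nothing, while a server IP, access hash or username sitting in an address field means it worked.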

I'm also having the same issue. They try every other day to hack WHMCS and I don't know whether they succeeded or not. Please advise, anyone from WHMCS.

 

Order Information

 

Order ID: 75

Order Number: 8365462877

Date/Time: 14/09/2014 03:17

Invoice Number: 209

Payment Method: PayPal

 

Customer Information

 

Customer ID: 55

Name: Aganteng Rooterz

Email: kefiex404@gmail.com

Company: DMASTERPIECE

Address 1: dm

Address 2: dm

City: dm

State: Arizona

Postcode: 404404

Country: US

Phone Number: 086969696969

 

Order Items

 

Domain Registration: Register

Domain: kontol-ngaceng.com

First Payment Amount: €16,00 EUR

Recurring Amount: €16,00 EUR

Registration Period: 1 Year/s

 

Total Due Today: €16,00 EUR

 

ISP Information

 

IP: 64.22.112.34

Host: rs30.abstractdns.com


Same here,

It's a script kiddie trying to take advantage of an old hack.

 

Would be nice to be able to ban the name (which is ALWAYS the same), as I'm getting about 3-4 of these per day currently.


Same here,

Domain Registration: Register

Domain: hacked-by-dm-team.com

 

ISP Information:

IP: 173.214.177.80

Host: kvchosting.com LLC

 

 

Client Profile Modified - Address 1: 'admin' to 'AES_ENCRYPT(1,1), address1= (SELECT MIN(ipaddress) FROM tblservers)', Address 2: '6ab9915ca6ec710d229c23c2233b22cb' to 'AES_ENCRYPT(1,1), address2= (SELECT MIN(username) FROM tblservers)', City: 'dm' to 'AES_ENCRYPT(1,1), city= (SELECT MIN(accesshash) FROM tblservers)', Default Payment Method: '' to '' - User ID: 57

- 14/09/2014 21:34 - Client - 173.214.177.80

 

Client Profile Modified - First Name: 'Aganteng' to 'Andri', Last Name: 'Rooterz' to 'Cyber4rt', Address 1: 'dm' to 'AES_ENCRYPT(1,1), address1= (SELECT MIN(username) FROM tbladmins)', Address 2: 'dm' to 'AES_ENCRYPT(1,1), address2= (SELECT MIN(password) FROM tbladmins)', Postcode: '404404' to 'dm', Default Payment Method: '' to '' - User ID: 57

- 14/09/2014 21:32 - Client - 173.214.177.80


Hello,

 

We are also getting these. Any solution?

 

Order Information

 

Order ID: 234

Order Number: 8861576794

Date/Time: 2014/09/17 06:48

Invoice Number: 901387

Payment Method: PayPal And Credit Card

 

Customer Information

 

Customer ID: 91

Name: Aganteng Rooterz

Email: DM@GMAIL.COM

Company: DMASTERPIECE

Address 1: dm

Address 2: dm

City: dm

State: Arizona

Postcode: 404404

Country: US

Phone Number: 086969696969

 

Order Items

 

Domain Registration: Register

Domain: hacked-by-dm-team.com

First Payment Amount: $14.50 CAD

Recurring Amount: $14.50 CAD

Registration Period: 1 Year/s

 

Total Due Today: $14.50 CAD

 

ISP Information

 

IP: 202.51.173.168

Host: kawasaki.intaserve.com

 

Client ID: 91 - Aganteng Rooterz has requested to change his/her details as indicated below:

 

First Name: 'Aganteng' to 'Andri'

Last Name: 'Rooterz' to 'Cyber4rt'

Address 1: 'dm' to 'AES_ENCRYPT(1,1), address1= (SELECT MAX(ipaddress) FROM tblservers)'

Address 2: 'dm' to 'AES_ENCRYPT(1,1), address2= (SELECT MAX(username) FROM tblservers)'

City: 'dm' to 'AES_ENCRYPT(1,1), city= (SELECT MAX(accesshash) FROM tblservers)'

Postcode: '404404' to 'dm'

Default Payment Method: '' to ''

If you are unhappy with any of the changes, you need to login and revert them - this is the only record of the old details.

 

This change request was submitted from kawasaki.intaserve.com (202.51.173.168)


As long as your WHMCS install is up to date there is no security threat here. However, the annoyance is quite high. You will want to enable Captcha under Setup --> General Settings --> Security. You can enable Fraud Protection, which is also under the Setup tab. This will check orders as they are submitted to help ensure only valid orders get through. And you can always block the IPs of the orders as they come in.

 

You can read more about Captcha here and Fraud Protection here.

 

--Thanks


Thanks Ryan,

 

I do my best to keep my WHMCS install up to date, but I don't know if they'll attempt to exploit between the time I know about the upgrade and the actual upload. I've been fortunate so far.

 

Would be nice to be able to ban the name (which is ALWAYS the same), as I'm getting about 3-4 of these per day currently.

 

Is there an addon for this? "Hacked by... " sounds to-the-point from my POV. I suppose if there was an addon that could check for certain keywords, that would be cool.

 

Have you tried blocking his IP? Or does he come with a new one every time?

 

Sometimes it's from the same IP address, but it does change.


Uses different IPs/hostnames.

 

Order Information

Order ID: 299

Order Number: 7240547371

Date/Time: 13/08/2014 20:26

Invoice Number: 14898

Payment Method: Mobile Payments

Customer Information

Customer ID: 168

Name: Aganteng Rooterz

Email: andriroot@gmail.com

Company: DMASTERPIECE

Address 1: JL SYNTAX ERROR

Address 2: JL SYNTAX ERROR

City: DM

State: Arizona

Postcode: 404404

Country: US

Phone Number: 086969696969

Order Items

Domain Registration: Register

Domain: hacked-by-dm-team.com

First Payment Amount: £7.49GBP

Recurring Amount: £7.99GBP

Registration Period: 1 Year/s

 

Total Due Today: £7.83GBP

ISP Information

IP: 75.127.126.17

 

Host: ns2.simpliq.net

 

Order Information

Order ID: 301

Order Number: 5475154139

Date/Time: 07/09/2014 14:04

Invoice Number: 14916

Payment Method: Mobile Payments

Customer Information

Customer ID: 170

Name: Aganteng Rooterz

Email: DM@GMAIL.COM

Company: DMASTERPIECE

Address 1: JL SYNTAX ERROR

Address 2: JL SYNTAX ERROR

City: DM

State: Arizona

Postcode: 404404

Country: US

Phone Number: 086969696969

Order Items

Domain Registration: Register

Domain: hacked-by-dm-team.com

First Payment Amount: £7.49GBP

Recurring Amount: £7.99GBP

Registration Period: 1 Year/s

 

Total Due Today: £7.83GBP

ISP Information

IP: 173.214.177.80

 

Host: 173.214.177.80

 

Order Information

Order ID: 302

Order Number: 5326142387

Date/Time: 09/09/2014 14:17

Invoice Number: 14921

Payment Method: Mobile Payments

Customer Information

Customer ID: 171

Name: Aganteng Rooterz

Email: IDUBEXP@GMAIL.COM

Company: DMASTERPIECE

Address 1: dm

Address 2: dm

City: dm

State: Arizona

Postcode: 404404

Country: US

Phone Number: 086969696969

Order Items

Domain Registration: Register

Domain: hacked-by-dm-team.com

First Payment Amount: £7.49GBP

Recurring Amount: £7.99GBP

Registration Period: 1 Year/s

 

Total Due Today: £7.83GBP

ISP Information

IP: 198.46.141.122

 

Host: server1.allsitecontrol.com

 

Maxmind marks the orders as fraud, so they don't get an active order.


What about a question captcha? That should do the trick if it's a script running. I wrote one for mine; it asks a question about something on the page, so it has to be a human looking at the page in order to register. The secret is that you have to make your WHMCS as non-standard as possible (and I say and mean that in a good way), because if they figure out how to get into a version out of the box, then you're still safe because you're not set up as per out of the box, if that makes sense.

> What about a question captcha? That should do the trick if it's a script running. I wrote one for mine; it asks a question about something on the page, so it has to be a human looking at the page in order to register. The secret is that you have to make your WHMCS as non-standard as possible (and I say and mean that in a good way), because if they figure out how to get into a version out of the box, then you're still safe because you're not set up as per out of the box, if that makes sense.

 

It's a human that's doing this, as Host: 173.214.177.80 is on SingleHop's network and I had a long chat with my account manager at SingleHop, who looked into the IP and stated they were already removed from their network: the account was set up, and within an hour of being set up they had several reports about this.


I received the same issue 2 times.

 

First Name Aganteng

Last Name Rooterz

Company Name DMASTERPIECE

Email Address ardaloka2@gmail.com

Address 1 dm

Address 2 dm

City dm

State/Region Arizona

Postcode 404404

Country US - United States

Phone Number 086969696969

 

Date: 24/09/2014 23:30

IP Address: 108.170.46.130

Host: cl2.jollyworkshosting.com


For the last couple of days I'm having the same guy registering on my WHMCS.

Aganteng Rooterz 5.199.171.28 09/24/2014 22:34

Aganteng Rooterz 204.93.159.77 09/24/2014 07:44

Aganteng Rooterz 202.51.173.168 09/11/2014 20:22

Aganteng Rooterz 75.127.126.17 08/27/2014 11:09

 

he uses the company name DMASTERPIECE

and the email is always a @gmail.com account, trying to register the domain: whmcs0day.com

 

How can I block someone from registering at all?

I know that the IP is spoofed, so there is no sense in blocking the IP.

I wish I had something more real to block him on.


I had this account show up on my WHMCS this morning. Of note, he tried changing his address as follows:

Address 1: 'dm' to 'AES_ENCRYPT(1,1), address1= (SELECT MIN(username) FROM tbladmins)'
Address 2: 'dm' to 'AES_ENCRYPT(1,1), address2= (SELECT MIN(password) FROM tbladmins)'
City: 'dm' to 'AES_ENCRYPT(1,1), city= (SELECT MAX(username) FROM tbladmins)'
State: 'Arizona' to 'AES_ENCRYPT(1,1), state= (SELECT MAX(password) FROM tbladmins)'

 

Obviously he is trying to get admin login credentials. I am running WHMCS 5.3.9, so would this type of attack have been successful? Hopefully WHMCS protects against this type of SQL injection attack.

 

Best regards,

Eric

> For the last couple of days I'm having the same guy registering on my WHMCS.
> Aganteng Rooterz 5.199.171.28 09/24/2014 22:34
> Aganteng Rooterz 204.93.159.77 09/24/2014 07:44
> Aganteng Rooterz 202.51.173.168 09/11/2014 20:22
> Aganteng Rooterz 75.127.126.17 08/27/2014 11:09
> he uses the company name DMASTERPIECE
> and the email is always a @gmail.com account, trying to register the domain: whmcs0day.com
> How can I block someone from registering at all?
> I know that the IP is spoofed, so there is no sense in blocking the IP.
> I wish I had something more real to block him on.

 

 

I have the same problem too, even though I have updated my WHMCS to the latest 5.3.10 (incremental patch from 5.3.9) and deleted the modules, registrars and gateways that I don't use. But anyway, today he registered 2 domains with similar details to yours.

I couldn't find any sign of logins to the admin panel; there is no log of admin panel IPs, there is just a customer who comes and registers these domains without completing the payment.

But the thing that is weird is that I have some custom fields in my WHMCS which are hidden from users, but those fields are getting filled in with the word "google" in all of them. So there is some kind of SQL injection, I think, but I couldn't find the SQL query or a malicious file being uploaded on the server.

I have searched the recently changed files on the server and they were normal.

I have searched the server's Apache access logs and here are the results from this new customer's order IP:

 

(my admin folder is not the default, so this first one doesn't exist)

204.93.159.77 - - [25/Sep/2014:15:24:16] "GET /admin/login.php HTTP/1.1" 302 213

204.93.159.77 - - [25/Sep/2014:15:24:18] "POST /cart.php?a=add&domain=register HTTP/1.1" 302 -
204.93.159.77 - - [25/Sep/2014:15:24:18] "GET /cart.php?a=confdomains HTTP/1.1" 200 31704
204.93.159.77 - - [25/Sep/2014:15:24:19] "POST /cart.php?a=confdomains HTTP/1.1" 302 -
204.93.159.77 - - [25/Sep/2014:15:24:20] "GET /cart.php?a=view HTTP/1.1" 200 33236
204.93.159.77 - - [25/Sep/2014:15:24:20] "POST /cart.php?a=checkout HTTP/1.1" 302 1
204.93.159.77 - - [25/Sep/2014:15:24:25] "POST /clientarea.php HTTP/1.1" 200 41354
204.93.159.77 - - [25/Sep/2014:15:24:30] "POST /dologin.php HTTP/1.1" 302 -
204.93.159.77 - - [25/Sep/2014:15:24:31] "GET /clientarea.php HTTP/1.1" 200 41354
204.93.159.77 - - [25/Sep/2014:15:24:32] "GET /clientarea.php?action=details HTTP/1.1" 200 48114
204.93.159.77 - - [25/Sep/2014:15:24:32] "POST /clientarea.php?action=details HTTP/1.1" 200 48539
204.93.159.77 - - [25/Sep/2014:15:24:33] "GET /clientarea.php?action=details HTTP/1.1" 200 48114
204.93.159.77 - - [25/Sep/2014:16:01:13] "GET /admin/licenseerror.php HTTP/1.1" 302 213
204.93.159.77 - - [25/Sep/2014:16:01:14] "POST /admin/licenseerror.php HTTP/1.1" 302 213
204.93.159.77 - - [25/Sep/2014:16:01:15] "GET /configuration.php HTTP/1.1" 200 -


 

Still I am searching to find more signs of his activities; he has been on my site for almost 20 days.

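Two kinds of evidence appear in this thread: the "Client Profile Modified" activity-log lines quoted earlier and the Apache access log in the post above. The script below is an added example, not WHMCS code and not any poster's code, that turns both into alerts: it flags any profile change whose new value contains an SQL fragment, and it reports any client IP that submitted a profile edit and also requested admin or configuration paths. The sample log lines are constructed from the ones quoted on this page (a timezone is added so they parse as standard Combined Log Format); the regexes, the probe-path list and the "edit plus probe" rule are the example's own choices.

```python
"""Added example (not WHMCS code and not from any poster in this thread):
detection logic for the two kinds of evidence quoted in this thread.

 1. Activity-log / change-request lines such as
      Client Profile Modified - Address 1: 'dm' to 'AES_ENCRYPT(1,1), ...' - User ID: 57
    are scanned for SQL fragments in the new value of each changed field.
 2. Apache access-log lines are grouped per client IP; an IP that submits a
    client-profile edit (POST /clientarea.php?action=details) and also
    requests admin or configuration paths is reported.

The sample lines are constructed from the ones quoted on this page (timezone
added so they parse as Combined Log Format); the regexes, the probe path list
and the "edit plus probe" rule are this example's own assumptions.
"""
import re
from collections import defaultdict

# SQL fragments that have no business in a postal-address field.
INJECTION_PATTERNS = {
    "aes_encrypt_call": re.compile(r"AES_ENCRYPT\s*\(", re.I),
    "subselect": re.compile(r"\(\s*SELECT\b", re.I),
    "table_reference": re.compile(r"\bFROM\s+tbl\w+", re.I),
}
# Paths a shop customer has no reason to request (assumed; adjust per install).
PROBE_PREFIXES = ("/admin/", "/configuration.php")

FIELD_RE = re.compile(r"([\w /?]+): '([^']*)' to '([^']*)'")
USER_RE = re.compile(r"User ID: (\d+)")
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample input, taken from the lines quoted on this page.
ACTIVITY_LOG = [
    "Client Profile Modified - Address 1: 'admin' to 'AES_ENCRYPT(1,1), address1= "
    "(SELECT MIN(ipaddress) FROM tblservers)', Address 2: '6ab9915ca6ec710d229c23c2233b22cb' "
    "to 'AES_ENCRYPT(1,1), address2= (SELECT MIN(username) FROM tblservers)', City: 'dm' to "
    "'AES_ENCRYPT(1,1), city= (SELECT MIN(accesshash) FROM tblservers)', "
    "Default Payment Method: '' to '' - User ID: 57",
    "Client Profile Modified - First Name: 'Aganteng' to 'Andri', Last Name: 'Rooterz' to "
    "'Cyber4rt', Address 1: 'dm' to 'AES_ENCRYPT(1,1), address1= (SELECT MIN(username) FROM "
    "tbladmins)', Address 2: 'dm' to 'AES_ENCRYPT(1,1), address2= (SELECT MIN(password) FROM "
    "tbladmins)', Postcode: '404404' to 'dm', Default Payment Method: '' to '' - User ID: 57",
]
ACCESS_LOG = [
    '204.93.159.77 - - [25/Sep/2014:15:24:16 +0000] "GET /admin/login.php HTTP/1.1" 302 213',
    '204.93.159.77 - - [25/Sep/2014:15:24:18 +0000] "POST /cart.php?a=add&domain=register HTTP/1.1" 302 -',
    '204.93.159.77 - - [25/Sep/2014:15:24:20 +0000] "POST /cart.php?a=checkout HTTP/1.1" 302 1',
    '204.93.159.77 - - [25/Sep/2014:15:24:30 +0000] "POST /dologin.php HTTP/1.1" 302 -',
    '204.93.159.77 - - [25/Sep/2014:15:24:32 +0000] "POST /clientarea.php?action=details HTTP/1.1" 200 48539',
    '204.93.159.77 - - [25/Sep/2014:16:01:13 +0000] "GET /admin/licenseerror.php HTTP/1.1" 302 213',
    '204.93.159.77 - - [25/Sep/2014:16:01:14 +0000] "POST /admin/licenseerror.php HTTP/1.1" 302 213',
    '204.93.159.77 - - [25/Sep/2014:16:01:15 +0000] "GET /configuration.php HTTP/1.1" 200 -',
    # A constructed ordinary customer (RFC 5737 documentation address) for contrast.
    '198.51.100.7 - - [25/Sep/2014:15:30:00 +0000] "GET /clientarea.php HTTP/1.1" 200 41354',
    '198.51.100.7 - - [25/Sep/2014:15:30:05 +0000] "POST /clientarea.php?action=details HTTP/1.1" 200 48539',
]


def flag_profile_changes(lines):
    """One finding per changed field whose new value contains an SQL fragment."""
    findings = []
    for line in lines:
        user = USER_RE.search(line)
        user_id = int(user.group(1)) if user else None
        for field, _old, new in FIELD_RE.findall(line):
            matched = [name for name, rx in INJECTION_PATTERNS.items() if rx.search(new)]
            if matched:
                findings.append({"user_id": user_id, "field": field.strip(),
                                 "value": new, "matched": matched})
    return findings


def suspicious_sessions(lines):
    """Per-IP view: IPs that edited a client profile *and* requested probe paths."""
    per_ip = defaultdict(lambda: {"profile_edit": False, "probes": []})
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # not Combined/Common Log Format; skip rather than guess
        ip, method, path = m["ip"], m["method"], m["path"]
        if method == "POST" and path.startswith("/clientarea.php") and "action=details" in path:
            per_ip[ip]["profile_edit"] = True
        if path.startswith(PROBE_PREFIXES):
            per_ip[ip]["probes"].append(path)
    return {ip: s for ip, s in per_ip.items() if s["profile_edit"] and s["probes"]}


if __name__ == "__main__":
    for f in flag_profile_changes(ACTIVITY_LOG):
        print(f"user {f['user_id']}: {f['field']!r} <- {f['value']!r} ({', '.join(f['matched'])})")
    for ip, s in suspicious_sessions(ACCESS_LOG).items():
        print(f"{ip}: profile edit + probes {s['probes']}")
```

Feed it the activity log from the admin area or the raw access log. The profile-field scan is the one to run first, since it works just as well on the change-request emails WHMCS sends, which is all the original poster had; the access-log rule is there to catch the same visitor when the profile edit itself was rejected and left nothing in the activity log.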

he's also been mentioned in this thread too - http://forum.whmcs.com/showthread.php?93239-Spam-Account-Keeps-Registering - and mentioned on numerous threads found via Google.

 

I think he's from Indonesia and just trying to exploit an old SQL injection weakness of WHMCS.

 

WHMCS's advice tends to be that as long as you are running the latest version you should be safe.


Hello,

 

If you are running WHMCS you may find there are client accounts created with user fields like:

 

AES_ENCRYPT(1,1), address1= (SELECT MAX(type) FROM tblservers)

 

and similar

 

Please, how can I be 100% sure that no such injection, MySQL hack etc. through a bad phrase in the user address and other fields gets through?

 

Can I use some bad words for user fields? Any existing mod?

 

I found this person who is creating injection accounts using many IPs.


this has been reported on other threads too...

- Removed -

 

the general advice from whmcs tends to be that as long as you're using the latest version of whmcs, these sql injections shouldn't work - I think the hacker(s) are still using an old exploit that previous whmcs releases were vulnerable to.

 

Durangod has started a thread about a module in development that might help with this issue.

 

http://forum.whmcs.com/showthread.php?93607-Permanent-Global-Client-Ban-for-WHMCS

 

it might be worth keeping an eye on the thread to find out more details about the addon.

Edited by Infopro
Links Removed, Threads Merged Here


I have been getting this as well, he is running an old exploit from WHMCS version 5.2.7 so as long as you are running a version more recent than that, you will be fine :D


The guy doing this is placing an order and then cancelling the order so that he can access the client area. He is then logging into the system and attempting to hack away.

 

It would be nice if there was a way to prevent account access to people like this.


I'm too receiving this frequently, only started happening recently. I'd like WHMCS to resolve this sooner rather than later....


I hate to be the giver of bad news, but WHMCS probably has no intention of fixing 5.2 as it's past its end of life, I'm pretty sure. That means that in order to fix this you should be upgrading your versions when new upgrades come out instead of sitting back on your hands running a dinosaur version. If you are going to stay with that old version you have a few choices.

 

First - roll your sleeves up and fix the SQL injection bug.

Second - hire someone to do that for you.

Third - keep doing the same thing you're doing now (I hear they say that is the meaning of insanity, lol).

Fourth - hope they give up and go bother someone else.

 

 

for those of you on 5.2 please read

 

http://docs.whmcs.com/Long_Term_Support#WHMCS_Version_.26_LTS_Schedule

 

- - - Updated - - -

 

@mosterweb I'm working on it as fast as I can, adding some new features now. I promise 15 hour days on this; I'll have it for you asap.

 

I'm referring to this, of course.

 

http://forum.whmcs.com/showthread.php?93607-Permanent-Global-Client-Ban-for-WHMCS

 

- - - Updated - - -

 

Now what WHMCS could do to help all of us is to come up with some mod_security rules, even basic ones, that we could use to assist us all with this issue. This issue is not, never was and never will be a single-pronged battle. It takes several ways of attacking this to keep it under control.

Edited by durangod

This topic is now closed to further replies.