
Spam Account Keeps Registering


keenguitar


What good is a forum, when I try to post something about the error, and it never makes it up?

 

- - - Updated - - -

 

IP: 192.185.83.183

Host: nikken.websitewelcome.com

 

 

IP: 198.1.95.93

Host: cms.cmshelplive.net

 

 

 

I would post more details, but the forum is c-blocking me.

 

- - - Updated - - -

 

I did talk to HostGator and opened up a ticket (it was earlier this week) when I first saw this problem.


What good is posting the same details over and over again? This thread is 4 pages long with the same details basically, posted many times.

 

Making sure your WHMCS installation is fully up to date and secured properly is more important than us seeing failed attempts on your system.


Information about: SYNTAX ERROR / DMASTERPIECE (DM)

He uses these emails:

DM@GMAIL.COM

ritatea0@gmail.com

whmcs0day@gmail.com


 

 

Original emails used: yudy.net@GMAIL.COM / andri.cyber4rt@GMAIL.COM

Original name: Yudhy / Andri

 

Web: http://www.yudhy.org/

No licence: http://www.whmcs.com/members/verifydomain.php

Template stolen from: https://www.igreenhosting.net/

Original telephone: +62.85778612846 / +62.87833360660

 

Be aware of this guy using the WHMCS 5.2 exploit.

It can help a little with prevention.


Hi

 

I keep getting somebody trying to hack into my WHMCS every single day. I have deleted his data now, but I think it's Cyberart or something like that, and the domain he keeps trying to register is whmcs0day.com or something like that.

 

How can I stop this from happening? Is there any added security that a user can put in, or anything to stop people like this?

 

It's only once a day, but he may end up getting in one day and I don't like the sound of that.

 

Next time he does it I will post his details up.

Thank You

Dave

 

- - - Updated - - -

 

Just as I hit submit I found an old email:

 

Client ID: "number" - Aganteng Rooterz has requested to change his/her details as indicated below:

First Name: 'Aganteng' to 'Andri'
Last Name: 'Rooterz' to 'Cyber4rt'
Address 1: 'dm' to 'AES_ENCRYPT(1,1), address1= (SELECT MIN(username) FROM tbladmins)'
Address 2: 'dm' to 'AES_ENCRYPT(1,1), address2= (SELECT MIN(password) FROM tbladmins)'
City: 'dm' to 'AES_ENCRYPT(1,1), city= (SELECT MAX(username) FROM tbladmins)'
State: 'Arizona' to 'AES_ENCRYPT(1,1), state= (SELECT MAX(password) FROM tbladmins)'
Postcode: '404404' to '40404'
Default Payment Method: '' to ''
If you are unhappy with any of the changes, you need to login and revert them - this is the only record of the old details.

This change request was submitted from ls1.dynxx.com (69.167.154.68)


These attacks are coming from HostGator accounts.

I've opened a ticket and given them the details, but I'm no longer confident they will do anything, as their service has really gone downhill since ownership changed.

 

Maybe if we flood their security department with tickets/emails they might do something about it...?

 

In the meantime, I've tried to create a custom hook to test the SLD submitted in the order process, but for some reason when I upload it to the includes/hooks/ directory, it makes my WHMCS go white.

 

Any ideas? WHMCS?

And, can someone post code that will block the "dm-team" from even being able to register an account?

Because they always register prior to placing the fraud order.

 

<pre>
<?php

if (!defined("WHMCS")) die("This file cannot be accessed directly");

// Reject domain orders whose SLD contains the strings these attackers use,
// ban the submitting IP for a year and record the event in the activity log.
function string_check($vars) {
    $domain = $vars['sld'];
    if ((strpos($domain, 'hacked') !== false) || (strpos($domain, 'dm-team') !== false)) {
        $adminuser = "adminnamehere";

        $command = "addbannedip";
        $params["reason"] = "do not like these folks";
        $params["days"] = "365";
        $params["ip"] = $_SERVER['REMOTE_ADDR']; // address the order was submitted from
        $results = localAPI($command, $params, $adminuser);

        $command = "logactivity";
        $value["description"] = "custom sld validation called.";
        $results = localAPI($command, $value, $adminuser);

        // Returning an error string is what makes WHMCS reject the domain.
        return "Invalid domain name";
    }
}

add_hook("ShoppingCartValidateDomain", 2, "string_check");

?>
</pre>

Edited by AssociatedVOIP
update

A couple of times a year, I see a hacking attempt. They always start by creating a user account/order. I modified my template's cart template to show only a link to the login page if the user is not logged in. Unfortunately, that doesn't do anything against attackers. Today, a hacker created an order without logging in and then attempted SQL injection by changing profile data. The log looked like this:

 

[26/Oct/2014:08:26:09 -0500] "GET /account/cart.php?a=add&domain=register HTTP/1.1"
[26/Oct/2014:08:26:09 -0500] "POST /account/cart.php?a=add&domain=register HTTP/1.1"
[26/Oct/2014:08:26:10 -0500] "GET /account/cart.php?a=confdomains HTTP/1.1"
[26/Oct/2014:08:26:10 -0500] "POST /account/cart.php?a=confdomains HTTP/1.1"
[26/Oct/2014:08:26:10 -0500] "GET /account/cart.php?a=view HTTP/1.1"
[26/Oct/2014:08:26:11 -0500] "POST /account/cart.php?a=checkout HTTP/1.1"
[26/Oct/2014:08:26:13 -0500] "GET /account/cart.php?a=complete HTTP/1.1"
[26/Oct/2014:08:26:13 -0500] "GET /account/viewinvoice.php?id=258 HTTP/1.1"
[26/Oct/2014:08:26:14 -0500] "GET /account/clientarea.php HTTP/1.1"
[26/Oct/2014:08:26:14 -0500] "POST /account/dologin.php HTTP/1.1"
[26/Oct/2014:08:26:15 -0500] "GET /account/clientarea.php HTTP/1.1"
[26/Oct/2014:08:26:15 -0500] "GET /account/clientarea.php?action=details HTTP/1.1"
[26/Oct/2014:08:26:15 -0500] "POST /account/clientarea.php?action=details HTTP/1.1"
[26/Oct/2014:08:26:16 -0500] "GET /account/clientarea.php?action=details HTTP/1.1"

 

After creating the order, they attempted to get admin login info by changing their user data (excerpt from WHMCS User Details Change notification email):

 

Address 1: 'dm' to 'AES_ENCRYPT(1,1), address1= (SELECT MIN(username) FROM tbladmins)'

Address 2: 'dm' to 'AES_ENCRYPT(1,1), address2= (SELECT MIN(password) FROM tbladmins)'

 

Before I get to customizations to guard against this, there are three issues I see immediately:

 

  1. WHMCS should realize this activity is too fast for a human to complete.
  2. Good God, why have they still not implemented randomized table prefixes?!
  3. Good God, why are they not using nonces?

 

It would be nice if WHMCS had an option to disable anonymous orders. Is there a modification I can make to achieve this? If they used nonces, my existing modifications would be sufficient, but my changes are useless if an attacker can simply submit an order directly via POST.

 

Thanks for any suggestions!

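Added example, not code from the thread or from WHMCS: a small Python detector that applies the two signals this post describes, the register-to-details-change timing visible in the access log and SQL in the changed field values, to samples constructed from the log excerpt and the notification lines above. The field names, the 30-second threshold and the indicator regex are my own assumptions.

```python
import re
from datetime import datetime

# Constructed sample, reduced from the access-log excerpt in this thread.
ACCESS_LOG = """\
[26/Oct/2014:08:26:09 -0500] "GET /account/cart.php?a=add&domain=register HTTP/1.1"
[26/Oct/2014:08:26:11 -0500] "POST /account/cart.php?a=checkout HTTP/1.1"
[26/Oct/2014:08:26:14 -0500] "POST /account/dologin.php HTTP/1.1"
[26/Oct/2014:08:26:15 -0500] "POST /account/clientarea.php?action=details HTTP/1.1"
"""

# Constructed sample, taken from the details-change notification quoted above.
CHANGE_MAIL = """\
First Name: 'Aganteng' to 'Andri'
Address 1: 'dm' to 'AES_ENCRYPT(1,1), address1= (SELECT MIN(username) FROM tbladmins)'
City: 'dm' to 'AES_ENCRYPT(1,1), city= (SELECT MAX(username) FROM tbladmins)'
Postcode: '404404' to '40404'
"""

LOG_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] "(?P<method>\w+) (?P<path>\S+)')
CHANGE_RE = re.compile(r"^(?P<field>[^:]+): '(?P<old>.*?)' to '(?P<new>.*)'$")
# Things an address field has no business containing (assumed indicator list).
SQLI_RE = re.compile(r"AES_(EN|DE)CRYPT\s*\(|\(\s*SELECT\b|\btbl(admins|servers|clients)\b", re.I)


def seconds_register_to_update(log_text):
    """Seconds from the first cart hit to the first profile-details POST, or None."""
    first = details = None
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        if first is None and 'cart.php' in m['path']:
            first = ts
        elif m['method'] == 'POST' and 'action=details' in m['path']:
            details = ts
            break
    if first is None or details is None:
        return None
    return (details - first).total_seconds()


def suspicious_fields(mail_text):
    """Names of changed fields whose new value looks like SQL rather than an address."""
    return [m['field'].strip()
            for m in map(CHANGE_RE.match, mail_text.splitlines())
            if m and SQLI_RE.search(m['new'])]


def is_bot_like(log_text, mail_text, max_seconds=30):
    """True if either signal fires: SQL in a field, or a flow too fast for a human."""
    elapsed = seconds_register_to_update(log_text)
    return bool(suspicious_fields(mail_text)) or (elapsed is not None and elapsed < max_seconds)
```

Either signal alone is enough to hold the order for review; the timing check also catches future payloads the regex does not know about.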

I've modified the code, so at least the api call is made...

but nothing happens!

 

PLEASE TAKE A LOOK AND TELL ME WHAT I'M DOING WRONG!

 

<?php

if (!defined("WHMCS")) die("This file cannot be accessed directly");

function string_check($vars) {
    $domain = $vars['sld']; // the hook receives the order parameters directly
    // strpos() returns 0 for a match at the start of the string, so compare against false
    if (strpos($domain, 'dm-team') !== false || strpos($domain, 'dmteam') !== false) {
        $adminuser = "AdminNameHere";

        $command = "addbannedip";
        $params["reason"] = "do not like these folks";
        $params["days"] = "365";
        $params["ip"] = $_SERVER['REMOTE_ADDR']; // address the order was submitted from
        $results = localAPI($command, $params, $adminuser);

        $command = "logactivity";
        $value["description"] = "custom sld validation called.";
        $results = localAPI($command, $value, $adminuser);

        // Returning an error string is what makes WHMCS reject the domain.
        return "Invalid domain name";
    }
}

add_hook("ShoppingCartValidateDomain", 1, "string_check");

?>


I've modified the code, so at least the api call is made...

but nothing happens!

 

PLEASE TAKE A LOOK AND TELL ME WHAT I'M DOING WRONG!

 

It would appear that there is a space in the name of the function in add_hook call.

 

Regarding the hook I posted: it doesn't seem to be effective against a real hit from these guys. Apparently they can still do it, which I am guessing is because the attack is scripted. Additionally, it was contingent on the order being marked as fraud, which you can circumvent anyway.

 

I will check this one out and/or make a change so customers can't update the address.


What good is posting the same details over and over again? This thread is 4 pages long with the same details basically, posted many times.

 

Making sure your WHMCS installation is fully up to date and secured properly is more important than us seeing failed attempts on your system.

 

For me the issue is that they are exercising their will on your system. If you just continue to let this happen, at what point do you become liable? What if they find a way in and you ignored it? The point is that it is entirely avoidable by WHMCS and shouldn't happen anyway.

 

Unsanitized input should never be allowed in these fields, much less stored in the DB, displayed to users online, and included in emails and text message alerts. Come on, it's definitely not PCI compliant and should be blocked using client- and server-side protection.


Hello,

 

As it's been noted, this particular user is attempting to exercise an old vulnerability that has been corrected for some time now. Unfortunately, without deeper seated solutions, mitigation of this comes at a cost.

 

If you'd like to mitigate this without what is proposed below, you can lock specific client fields such that the user cannot modify them after registration: http://docs.whmcs.com/Other_Tab#Locked_Client_Profile_Fields

 

This would effectively turn this on for all clients of course.

 

The alternative would be to use mod_security; most standard mod_security rule sets, such as AtomicCorp's or Trustwave's, already block AES_DECRYPT calls. Example: https://www.atomicorp.com/products/products-comparison.html

 

Ultimately, if you're running any sort of web application you should have some level of server-side protection enabled, be it grsec kernels, mod_security, etc.

 

I'm going to close the thread at this time to allow this to be the last response for any other individuals experiencing the same problem. If you want to reach out and discuss server level protection a bit more please feel free to send me a PM and I'll be happy to assist.


  • 3 weeks later...

Andri Cyber4rt

 

/http://whois.domaintools.com/dm-team.net

 

So, I got so many attempts to hack our WHMCS system that I got curious.

Who is this "Andri Cyber4rt" guy that's trying to hack the same installs over and over, and not only ours? From what I read online he's all over the place!

People are complaining on all kinds of forums that he's been trying to hack their WHMCS.

We know that with the latest updates and patches the hack he is trying doesn't work, but he sure keeps trying it.

 

I noticed that a certain domain dm-team.net (or .com or .org) was often mentioned and the "Company Name" is always DMASTERPIECE.

So I ran a quick whois on dm-team.net

/http://whois.domaintools.com/dm-team.net

The registrant's email is yudhy.tv@gmail.com and that is just too much info :)

Didn't take many seconds to find this guy:

 

Yudhy Mysterio DM

 

/https://www.facebook.com/yudhymysterio

 

From the same country that the code he writes refers to, Indonesia.

Same nickname, Yudhy.

Same "DM".

 

It's a little too much to be a coincidence, isn't it?

 

It says he's gone to SMA Negeri 1 Slawi school, so I do a search...

 

/https://www.google.com/search?q=Yudhy+hacker+SMA+Negeri+1

 

I see an article about Techno Art Indonesia that sparks my interest.

 

/http://techno-art-indonesia.blogspot.se/p/penulis.html

 

"Yudi Arianto" that can't be the guy can it? Let's look closer.

 

The text translated says among other things:

 

"The author graduated and received a scholarship PMDK Shutter Mission in Makassar State University (UNM) Department of Information Engineering and Computer Education (Police Staff) / (Informatic and Computer Engineering) ICP. "

 

Well, it doesn't hurt to snoop around a little...

 

/https://www.google.se/search?q=Yudi+Arianto+hacker

 

There are actually a lot of relevant search results. This guy is on a hacker blacklist! Wtf?

 

DESTINATION BANK ACCOUNT BLACKLIST/HACKER. 4. CLICK OK ... 7 DENI YUDI ARIANTO

 

He's definitely someone that has been hacking and got caught in the past.

 

/http://www.scribd.com/doc/239338855/Hacker-Blacklist

/http://otakuang.com/waspada/

 

At this point I don't know what to think...

 

I find this blog: /http://yudi-arianto.blogspot.se/ (It doesn't look like a site that has anything to do with hacking)

And a facebook page: /https://www.facebook.com/yudi.arianto.104

 

At this point I am unsure if I'm just paranoid and should start over from scratch, when I actually find this:

 

A guide to HACK A WEBSITE by the same guy!!!

 

/http://techno-art-indonesia.blogspot.se/2011/04/cara-hack-website.html

 

I used google translate to translate it and here is the first part:

 

 

Hello All? Apakabar? Sorry Offline Old Already? There are little stories about how to hack a website, but do not be in use for crimes yes

 

:: Preface ::

============ =

After a number of bugs that lie in this virtual universe of

whose name is Unicode (still know now), RPC DCOM, XSS, VP-

ASP, and bugs other e-commerce today is more "trend" in

adlaah SQL Injection hacking techniques. in vol. This 1 gw jelasin

how to charge the thing with UPDATE command

 

 

So now I think it's safe to say that this guy is the number one suspect to be the beloved Andri Cyber4rt.

 

Any thoughts?


  • 2 weeks later...
Very interesting, I've had about 20 order attempts from this person/bot over the last 2 months.

 

I get attempts every few days.

The fact that it is tried over and over on already patched installs where it recently failed makes me think that it is a script / program (a bot, if you like) that searches Google for WHMCS installs and automatically registers and changes the details when it finds one.


Why do you bother? All the information is fake. It's probably not one person but several people using the same hacking bot. Script kiddies.

 

This is a bot, because if you look at the Apache logs when they access your install, usually via an open proxy or an infected system, from the time they register a domain to when they register the account and then update the details to attempt the SQL injection, it all takes less than 10 to 15 seconds.

 

It's not possible for a person to fill in all that information and do all those steps in seconds. So there you have it, it's a bot. The bot is doing all this automatically on all WHMCS installations they find on the Internet; they don't even bother to check which version is running, and so they even try to hack WHMCS installs where this hack is patched. They don't even bother to use a valid email account, which is what I find ironic. WHMCS does not even check the email account; if it did, the bot would not even be allowed to pass the registration process.

 

The bot that does this is very simple and stupid; it could be easily stopped. All the attacker is doing is filling in the captcha manually.

 

This should give you an idea

http://hack-tools.blackploit.com/2013/10/whmcs-0day-auto-exploiter-528.html

 

A simple web firewall or mod security can stop it right on the tracks.

 

The bad thing is that this is not going to stop. As WHMCS gets developed and new features are added, attackers will try to find new SQL injections and errors in the code to get database access.


  • 1 month later...

Today I noticed that someone tried to exploit WHMCS using a SQL query. I am running version 5.3.10.

 

Am I protected against this?

 

 

/http://upload.adfteam.com/files/1419490208.jpg

 

/http://upload.adfteam.com/files/1419490233.jpg

 

/http://upload.adfteam.com/files/1419490260.jpg

 

Thanks

Edited by Infopro
Please Attach Images to Your Posts

  • 1 month later...
D*mn, my WHMCS has been hacked by this guy.

Please help me protect my WHMCS. I just found out on the first of January that some of my clients have been defaced.

Then this guy hacked in, put some PHP file there and got some of my passwords. How did this guy put the file there?

Thanks

 

Sounds like your WHMCS installation was not up to date. Reading this thread above should be of some use to you.

 

Similar threads merged here, and closed. Update your WHMCS and keep it updated folks!


  • 3 weeks later...

Hi, I'm getting this mail, of someone registering and then changing their registration data. Are they trying to hack my WHMCS? If so, how can I prevent it? Thanks!

 

First Name: 'Aganteng' to 'Andri'
Last Name: 'Rooterz' to 'Cyber4rt'
Address 1: 'dm' to 'AES_ENCRYPT(1,1), address1= (SELECT MIN(type) FROM tblservers)'
Address 2: 'dm' to 'AES_ENCRYPT(1,1), address2= (SELECT MIN(ipaddress) FROM tblservers)'
City: 'dm' to 'AES_ENCRYPT(1,1), city= (SELECT MIN(username) FROM tblservers)'
State: 'Arizona' to 'AES_ENCRYPT(1,1), state= (SELECT MIN(accesshash) FROM tblservers)'
Postcode: '404404' to '40404'
Default Payment Method: '' to ''
R.F.C.: 'Google' to ''
If you are unhappy with any of the changes, you need to login and revert them - this is the only record of the old details.

This change request was submitted from polo.websitewelcome.com (192.185.81.182)
