EZi Posted November 10, 2014

We get the usual hacks mostly through attempts to change the address details in the client profile. Would it be hard to code a hook that looks at a string of text in the address field (for example "FROM tbladmins)") and, if this string is present, deletes the account? Is there such a thing already out there? It is just irritating having to delete these accounts regularly.
durangod Posted November 10, 2014

Can you give an example of the string please? And yes, it's very possible.
EZi Posted November 10, 2014

Well, we get notified when someone changes their contact details. Normally, this looks like this:

Address 1: 'cyberteam' to 'AES_ENCRYPT(1,1), address1= (SELECT MIN(username) FROM tbladmins)'
Address 2: 'cyberteam' to 'AES_ENCRYPT(1,1), address2= (SELECT MIN(password) FROM tbladmins)'
City: 'cyberteam' to 'AES_ENCRYPT(1,1), city= (SELECT MAX(username) FROM tbladmins)'
State: 'saint' to 'AES_ENCRYPT(1,1), state= (SELECT MAX(password) FROM tbladmins)'
Default Payment Method: '' to ''
Affiliate registration: 'Google' to ''

If you are unhappy with any of the changes, you need to login and revert them - this is the only record of the old details.

So any string or strings that occur regularly in the hack which is unlikely to represent an address. I.e., from my original post something like: FROM tbladmins)

So if the string is recognised when saving the changes in the address, the user will get a message to #uc& off and concurrently the account is deleted.
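The matching asked about above, as an added example that is not from any poster in this thread and is not WHMCS code: a Python scanner that reads a change notification in the format quoted in the post and reports which fields received SQL-shaped values. The rule names and patterns are assumptions chosen for this sample, and it only reports findings for review; it does not act on the account.

```python
import re

# Constructed sample: the notification quoted in the post above, plus one
# ordinary address change that must not be flagged.
SAMPLE = """\
Address 1: 'cyberteam' to 'AES_ENCRYPT(1,1), address1= (SELECT MIN(username) FROM tbladmins)'
Address 2: 'cyberteam' to 'AES_ENCRYPT(1,1), address2= (SELECT MIN(password) FROM tbladmins)'
City: 'cyberteam' to 'AES_ENCRYPT(1,1), city= (SELECT MAX(username) FROM tbladmins)'
State: 'saint' to 'AES_ENCRYPT(1,1), state= (SELECT MAX(password) FROM tbladmins)'
Address 1: '12 Old Road' to '4 Selector Lane, From Street (rear)'
Default Payment Method: '' to ''
"""

# One notification line has the shape  Field: 'old' to 'new'
CHANGE_RE = re.compile(r"^(?P<field>[^:]+):\s*'(?P<old>.*?)'\s+to\s+'(?P<new>.*)'\s*$")

# SQL shapes a postal address has no reason to contain (assumed rule set).
RULES = {
    "subquery": re.compile(r"\(\s*select\b.+\bfrom\b", re.I),
    "tbl_table": re.compile(r"\bfrom\s+tbl\w+", re.I),
    "sql_function": re.compile(r"\b(?:aes_encrypt|aes_decrypt|concat|min|max)\(", re.I),
    "column_assignment": re.compile(r",\s*\w+\s*=\s*\("),
}


def scan_notification(text):
    """Return [(field, [matched rule names])] for each suspicious new value."""
    findings = []
    for line in text.splitlines():
        m = CHANGE_RE.match(line.strip())
        if m is None:
            continue  # not a "Field: 'old' to 'new'" line
        hits = sorted(name for name, rx in RULES.items() if rx.search(m["new"]))
        if hits:
            findings.append((m["field"].strip(), hits))
    return findings


if __name__ == "__main__":
    for field, hits in scan_notification(SAMPLE):
        print(f"{field}: flagged by {', '.join(hits)}")
```

Matching several independent shapes, rather than the single literal "FROM tbladmins)", keeps the check working if the table or column names in the payload change, while the ordinary address in the sample still passes.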
satsuke Posted November 10, 2014

Recently, we are getting attacks like this again. huh
wsa Posted November 10, 2014

am update the module i do of ticket filter that peoples was put AES_ENCRYPT etc..
EZi Posted November 10, 2014

> am update the module i do of ticket filter that peoples was put AES_ENCRYPT etc..

Yes, nice... Could you elaborate or tell us what this means?
wsa Posted November 10, 2014

This module: http://www.hostthebest.com/ticketfilter.php
I am working on some new stuff I am planning to add.
further Posted November 11, 2014

Had a similar thing happen today (username was tbladmins) ... they tried to purchase a domain just to create an account on the system but of course didn't pay for the domain name they ordered. I deleted the account pretty quickly but I was currently back a few versions running 5.3.6 which I just updated to 5.3.10. Is there anything I need to be concerned about or looking for?
EZi Posted November 11, 2014

If you are up to date with your WHMCS version then these schoolboy hacker wannabes are nothing more than annoying... Hence, an automated account deletion on specific inputs would be handy...
iHelpersLLC Posted November 12, 2014

If you use Mod_Security you can block these attempts. If you run CSF in conjunction with Mod_Security you can configure it to block the IP at the firewall after xx attempts.
durangod Posted November 12, 2014

> Hence, an automated account deletion on specific inputs would be handy...

https://www.whmcs.com/appstore/3090/Client-PermBlock-Addon.html
ivillages Posted January 17, 2015

> If you use Mod_Security you can block these attempts. If you run CSF in conjunction with Mod_Security you can configure it to block the IP at the firewall after xx attempts.

Hi, please further your info on this. I get an attempt to register domains from "cyberteam" a few times per week, always from a different IP. How can CSF and Mod_Security thwart these new registrations?