river99 Posted November 13, 2014
My WHMCS has been hacked several times. Typically I receive an email from the system about a user registration and a fake new order. Then the user (hacker) hacks it. This is one email from WHMCS when the user changed details (hacked):

Client ID: 30 - Aganteng Rooterz has requested to change his/her details as indicated below:
First Name: 'Aganteng' to 'Andri'
Last Name: 'Rooterz' to 'Cyber4rt'
Address 1: 'dm' to 'AES_ENCRYPT(1,1), address1= (SELECT MIN(username) FROM tbladmins)'
Address 2: 'dm' to 'AES_ENCRYPT(1,1), address2= (SELECT MIN(password) FROM tbladmins)'
City: 'dm' to 'AES_ENCRYPT(1,1), city= (SELECT MAX(username) FROM tbladmins)'
State: 'Arizona' to 'AES_ENCRYPT(1,1), state= (SELECT MAX(password) FROM tbladmins)'
Postcode: '404404' to '40404'
Default Payment Method: '' to ''
If you are unhappy with any of the changes, you need to login and revert them - this is the only record of the old details.

Well, currently my WHMCS is still hacked. The hacker has changed the admin login. This WHMCS is on a reseller account at Eleven2.com, but their support is of little or no help even though I got the license from them. I'd appreciate any advice on how to get the WHMCS back up and running and ways to prevent further hacks from happening. TIA
BryanB Posted November 13, 2014
Quoting river99: My WHMCS has been hacked several times. Typically I receive an email from the system about a user registration and a fake new order. Then the user (hacker) hacks it. This is one email from WHMCS when the user changed details (hacked): [...] Well, currently my WHMCS is still hacked. The hacker has changed the admin login. This WHMCS is on a reseller account at Eleven2.com, but their support is of little or no help even though I got the license from them. I'd appreciate any advice on how to get the WHMCS back up and running and ways to prevent further hacks from happening. TIA

Looks like an SQL injection. What version of WHMCS are you running? Have you opened a support ticket with WHMCS?
BryanB Posted November 13, 2014
In the meantime, I would change all admin usernames and lock all client fields from being edited (there is an option to do that under Setup > General Settings > Other).
WHMCS John (WHMCS Support Manager) Posted November 14, 2014
Hi, This is an attempt to exploit a vulnerability which is over a year old. Provided you're running v5.2.8 or above then you are safe. You can read more about this from our blog post at the time: http://blog.whmcs.com/?t=79527
bear Posted November 14, 2014
Quoting WHMCS John: This is an attempt to exploit a vulnerability which is over a year old. Provided you're running v5.2.8 or above then you are safe.

Seems he's being actually hacked, though, John. Something wrong there.

Quoting river99: Well, currently my WHMCS is still hacked. The hacker has changed the admin login.
mtalley887 Posted November 15, 2014
Just to let you know.. This guy hacked me today and somehow was able to retrieve my ENOM account information, logged into ENOM and then authorized a refill of my account with $100.00 from my bank account and then made my WHMCS site inaccessible. I found files added in the admin folder, include folder and in the root folder. I finally installed the latest version onto my site and thankfully I have a running backup of my database that is emailed to me every day. I hope somehow this guy gets stopped. Mike
bear Posted November 15, 2014
Being on a shared server makes it quite likely the hack was external to WHMCS, but which version of WHMCS had you been on when this happened?
mtalley887 Posted November 15, 2014 (edited)
I was on version 5.0.3. And my WHMCS is not on a shared site, it's on a VPN. I also picked up this IP address which is not my local IP address: 50.61.165.3. I found this attached to his data information.
Edited November 15, 2014 by mtalley887
bear Posted November 15, 2014
Quoting mtalley887: I was on version 5.0.3. And my WHMCS is not on a shared site, it's on a VPN.

Assuming you mean VPS there, but that version explains why it succeeded. You should consider every password, account and server that was in your installation as potentially compromised, not just Enom. Pretty likely the bad guy has it all.
mtalley887 Posted November 15, 2014
Thanks and yes I meant VPS (I run two businesses and have been setting up VPNs all week for two clients). I checked all my sites and they all seem to be fine but changed passwords everywhere and the login information on the two registrars I use. I just wanted to let people know that this guy was able to get key information somehow, or use the APIs to access the registrar I use. I'm sure it was him because I don't believe it was just a coincidence that both my WHMCS and Enom account were hacked by two different individuals on the same day.
jabelone Posted November 18, 2014
Hi, I have just received a spam order through my WHMCS installation. Then I realised they had changed their contact details, lots of times, to what first looked like random strings. I then realised they were SQL queries, so assumed it must have been an SQL injection attack! I panicked and deleted the order and account. I read an older blog post outlining this vulnerability but luckily I am on version 5.3.9 of WHMCS so should be protected. What concerns me is that it has happened a long time after that release and they have discovered another security flaw. Is it possible they were successful in using their SQL injection, or am I just overreacting? Here are the details (SQL queries) they changed their contact details to:

Client ID: 10 - asal daftar has requested to change his/her details as indicated below:
Address 1: 'cyberteam' to 'AES_ENCRYPT(1,1), address1= (SELECT MIN(type) FROM tblservers)'
Address 2: 'cyberteam' to 'AES_ENCRYPT(1,1), address2= (SELECT MIN(ipaddress) FROM tblservers)'
City: 'cyberteam' to 'AES_ENCRYPT(1,1), city= (SELECT MIN(username) FROM tblservers)'
State: 'saint' to 'AES_ENCRYPT(1,1), state= (SELECT MIN(accesshash) FROM tblservers)'
Default Payment Method: '' to ''
If you are unhappy with any of the changes, you need to login and revert them - this is the only record of the old details.
This change request was submitted from galaxie.websitewelcome.com (192.185.81.131)
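An added example, not from this thread or from WHMCS, that parses the "has requested to change his/her details" notification quoted in the first post and in jabelone's post above and flags changed fields whose new value carries SQL fragments, so an admin can triage these emails (or a mailbox rule feeding them in) without reading each one. The sample notification is constructed after the ones quoted here, and the marker list is an assumption about what a defender would look for.

```python
import re

# Constructed sample, modelled on the notifications quoted in the thread.
SAMPLE_NOTIFICATION = """\
Client ID: 30 - Aganteng Rooterz has requested to change his/her details as indicated below:
First Name: 'Aganteng' to 'Andri'
Last Name: 'Rooterz' to 'Cyber4rt'
Address 1: 'dm' to 'AES_ENCRYPT(1,1), address1= (SELECT MIN(username) FROM tbladmins)'
Address 2: 'dm' to 'AES_ENCRYPT(1,1), address2= (SELECT MIN(password) FROM tbladmins)'
Postcode: '404404' to '40404'
Default Payment Method: '' to ''
"""

# One line per changed field: "<Field>: '<old>' to '<new>'"
CHANGE_RE = re.compile(r"^(?P<field>[^:]+): '(?P<old>.*?)' to '(?P<new>.*)'$")

# Fragments that have no business in a name or postal-address field (assumed list).
SQLI_MARKERS = [
    re.compile(r"\bAES_ENCRYPT\s*\(", re.I),
    re.compile(r"\bSELECT\b.+\bFROM\b", re.I),
    re.compile(r",\s*\w+\s*="),                      # smuggled extra column assignment
    re.compile(r"\btbl(admins|servers|clients)\b", re.I),
]


def parse_changes(text):
    """Return (field, old, new) tuples for every changed-field line in the notification."""
    changes = []
    for line in text.splitlines():
        m = CHANGE_RE.match(line.strip())
        if m:
            changes.append((m["field"].strip(), m["old"], m["new"]))
    return changes


def flag_injection(text):
    """Return (field, new_value, matched_patterns) for fields whose new value looks like SQL."""
    flagged = []
    for field, _old, new in parse_changes(text):
        hits = [p.pattern for p in SQLI_MARKERS if p.search(new)]
        if hits:
            flagged.append((field, new, hits))
    return flagged


if __name__ == "__main__":
    for field, value, hits in flag_injection(SAMPLE_NOTIFICATION):
        print(f"{field}: {value!r} matched {len(hits)} marker(s)")
```

A hit here means the client record (and, on a vulnerable version, the database) should be reviewed, not that the injection succeeded; on a patched version the strings are stored as literal text.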
mtalley887 Posted November 18, 2014
Aganteng Rooterz tried to hack my site again today. I received an email that he was trying to change his details but I had already set it so that client information couldn't be changed. So, I added his new IP address to the ban and banned the email address. I then checked to see if he had changed anything in my files and noticed that the Template_c showed that it had been accessed or recorded the attempts and templates he was trying to drill through. Since this guy uses Gmail as his registration email, would letting Google know help? Mike
BlueAngelHost Posted November 18, 2014
If you don't mind I can try to help you in this issue, contact me on the following email: admin@blueangelhost.com
WHMCS John (WHMCS Support Manager) Posted November 19, 2014
Quoting jabelone: What concerns me is that it has happened a long time after that release and they have discovered another security flaw. Is it possible they were successful in using their SQL injection, or am I just overreacting?

Hi, This is not a new security flaw, they are just trying to exploit the old one in the hope of finding someone still running an End-Of-Life version of WHMCS which hasn't been updated for over a year. As you state you were running v5.3.9, then you are fine and the order can be deleted.
zwicker Posted November 19, 2014
Quoting WHMCS John: Hi, This is not a new security flaw, they are just trying to exploit the old one in the hope of finding someone still running an End-Of-Life version of WHMCS which hasn't been updated for over a year. As you state you were running v5.3.9, then you are fine and the order can be deleted.

Hi, We just had him sign up too but it doesn't seem like the typical SQL injection. We've had him sign up in the past but were always protected by being up-to-date. This time he tried registering the domain "whmcs0day.com" which makes me kind of nervous. Is there any knowledge of a new 0-day vulnerability in the wild? We're running 5.3.10
brian! Posted November 19, 2014
Quoting zwicker: This time he tried registering the domain "whmcs0day.com" which makes me kind of nervous. Is there any knowledge of a new 0-day vulnerability in the wild? We're running 5.3.10

Personally, I wouldn't worry about it - this is just another one of the domains the script tries to register... mentioned in the post below from 2 months ago. http://forum.whmcs.com/showthread.php?93239-Spam-Account-Keeps-Registering&p=393118#post393118
jabelone Posted November 20, 2014
Quoting WHMCS John: Hi, This is not a new security flaw, they are just trying to exploit the old one in the hope of finding someone still running an End-Of-Life version of WHMCS which hasn't been updated for over a year. As you state you were running v5.3.9, then you are fine and the order can be deleted.

Thanks for the reassurance John, I just wanted to make sure.
Dentoo Posted November 21, 2014
Temp (half) fix that you can do until a proper fix is available: Go to Setup -> General Settings -> Other and there check "Locked Client Profile Fields" -> "Address 2". This will prevent clients from changing the Address 2 field without contacting you. I figure the Address 2 field will not be used by most real clients so few will be affected when they need to make a change, while the hacking attempt always enters something in the second address field. Not a permanent fix but it might help for now...
arjanvr Posted November 21, 2014
Quoting BryanB: In the meantime, I would change all admin usernames and lock all client fields from being edited (there is an option to do that under Setup > General Settings > Other).

I don't see this option. Was it removed?
BryanB Posted November 21, 2014
Quoting arjanvr: I don't see this option. Was it removed?

No, but if you are running a really old version it may have been implemented after that. I'm not sure what version it was added in but I believe it has been there for a while, at least 1 year.
mlew2 Posted November 22, 2014
Quoting arjanvr: I don't see this option. Was it removed?

Setup -> General Settings -> Other, it is in under the first option.
annya Posted November 22, 2014
Dear Friends, please report all spam emails and other hacking attempts here. WHMCS is not giving importance to our post in which we requested that they add an email verification option for newly registering users in the next update. If WHMCS add a module in the next update for user verification by email, it will help all WHMCS users. But they are not hearing our request, so please post all spam email accounts and new hacking attempts in this thread so others can delete all spam users' accounts immediately.

Updated: Here is my new order by a spammer
Registration - sikatwhm.net
First Name: asal
Last Name: daftar
Company Name: asaldaftar
Email Address: mbhsemprul@gmail.com
Address 1: cyberteam
Address 2: cyberteam
City: cyberteam
State/Region: saint
Postcode: 1239477
Country: US - United States
Phone Number: 085300500100
Last Login Date: 22/11/2014 15:52
IP Address: 176.223.125.144
Host: syc.mxserver.ro
annya Posted November 22, 2014 (edited)
Here is the new SPAMMER / HACKER
Name: asal daftar
Company: asaldaftar
Address: cyberteam cyberteam
City: cyberteam
State: saint
Zip: 1239477
Country: US
Email: mbhsemprul@gmail.com
Tel: +1.085300500100
IP: 176.223.125.144
Registration - sikatwhm.net

Updated: Please report all SPAM / HACKING ATTEMPTS IN THIS THREAD: - Removed -
Edited November 22, 2014 by Infopro: Threads merged.
arjanvr Posted November 22, 2014
I have 5.3.10 and these are the first few options I see on that page..
Admin Client Display Format
Client Dropdown
Disable Full Client Dropdown
Default to Client Area
Allow Client Registration
CCSupport Posted November 22, 2014
Keep going down... Look for 'Locked Client Profile Fields'