rota919 Posted May 20, 2015

Had another fraudulent order today by the usual suspect "go Team". Sure many of you recognise the name. They registered a domain testing.com. Now testing.com is already registered and thus they shouldn't have been able to register the domain. Question is, how did they manage to do it? I already logged a support ticket but would like to hear what the community has to say about this. Did I miss something somewhere or are the hackers accessing some WHMCS API directly?
WHMCS Nate Posted May 22, 2015

Rota919, I am sorry to hear you are having problems here. I am not sure, however, that the bug forum is the best place to handle an inquiry like this. This specific forum area is for problems which can be described and reproduced. That way our developers can get it resolved. This is more a question hoping to figure out what the reproduction steps might be. As I see it there are two possible routes to go for getting resolution here:

1) I can move this to the Technical Issues and Questions area. If there is a pattern of behavior going on here, it's something other users might be able to offer input on. All of the WHMCS installs I maintain are on our own internal network and thus I have not had any experience with this.

2) Our support team can investigate your specific installation further. They may be able to track the IP address used to make the order in your server logs to see exactly what was done. Research like this is dependent on access to your specific installation and we have special things in our support desk that encrypt all login details and then delete them as soon as the ticket is resolved. We don't have similar protections in place in the forum and I am not willing to risk your security by getting login details via the forum.

There are times when you want to mark a domain as registered to a client when it's already actually been registered at a domain registrar. For example, in some migrations from one billing system to another, or when handling domains where the automation tools are not linked to the domain registration, you may have manually registered the domain for the customer but want renewal notices, invoicing, and other emails to come through WHMCS. So it is possible to change the status of a domain to registered in the admin area without going through a domain registrar.

Since you already have a support ticket open I am going to move this thread to the Technical Issues discussion so you have a better chance of getting feedback from our forum community.

Have a great day,
Nate C
rota919 Posted May 23, 2015

I hear what you are saying Nate, but let's be clear. If a visitor / robot / script / entity comes along and enters google.com into the domain search field, WHMCS returns that the domain is already registered. If this rogue "entity" then manages to order google.com, the software is generating an unexpected result. That in my books is a bug and thus the reason why I posted it under "bugs".

Just noticed that none of the fraud domain registrations related to this issue appear in the WHMCS WHOIS logs. Also that an account with a status of "Inactive" can request a "Client Profile Modified - Default Payment Method: '' to ''"
rota919 Posted May 25, 2015

Ok, I was wrong about the "Inactive" status and realised it soon after posting the above. Anyone else care to take a hard look at the fraud domain orders and whois logs to see if we can figure out how it's done?
vincent_g Posted May 26, 2015

I posted a new topic on this same issue as I didn't see your post. This same thing happened to me. I think this clue of %5B0%5D may be the answer. How did &domains= become &domains%5B0%5D= ? Do you see the same string in your SSL logs? That is what causes the problem, as I tested it and it works. I suggest the programming team check this for proper filtering of the domain GET variable.
rota919 Posted May 27, 2015

No, I do not have that. My logs all show the standard/normal expected entries. Looks like they or something on your page are trying to access an array key in your case. (&domains[0]=)
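
The log check discussed in the last two posts, as an added example that is not part of any post in this thread: it URL-decodes each query string in a web server access log and flags requests where the `domains` parameter arrives in array form (`domains%5B0%5D=` decodes to `domains[0]=`). The combined log format, the `/ORDER_PAGE.php` path, the IP addresses and the domain names are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample lines (combined log format). Path, IPs and domains are
# placeholders, not values taken from the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [26/May/2015:10:01:02 +0000] "GET /ORDER_PAGE.php?a=add&domains=example.test HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [26/May/2015:10:03:44 +0000] "GET /ORDER_PAGE.php?a=add&domains%5B0%5D=example.test HTTP/1.1" 200 512 "-" "curl/7.40"
203.0.113.9 - - [26/May/2015:10:03:50 +0000] "GET /ORDER_PAGE.php?a=add&domains[]=example.test HTTP/1.1" 200 512 "-" "curl/7.40"
198.51.100.7 - - [26/May/2015:10:05:00 +0000] "GET /index.php?page=domains HTTP/1.1" 200 128 "-" "Mozilla/5.0"
"""

# Client IP, timestamp and request target from one access log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
# Once decoded, "name[...]" is parsed by PHP as an array element of "name".
ARRAY_KEY_RE = re.compile(r'^(?P<name>[^\[\]]+)\[[^\]]*\]')


def find_array_params(log_text, watched=("domains",)):
    """Return (ip, timestamp, decoded_key, value) for watched params sent as arrays."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we can parse
        query = m.group("target").partition("?")[2]
        # parse_qsl percent-decodes keys, so %5B0%5D and [0] look the same here.
        for key, value in parse_qsl(query, keep_blank_values=True):
            k = ARRAY_KEY_RE.match(key)
            if k and k.group("name") in watched:
                hits.append((m.group("ip"), m.group("ts"), key, value))
    return hits


if __name__ == "__main__":
    for ip, ts, key, value in find_array_params(SAMPLE_LOG):
        print(f"{ts} {ip} sent {key}={value}")
```

Access logs record only the query string, so the same parameter sent in a POST body would not show up in this check.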