ramystyle, posted August 18, 2015:

Hi,

We upgraded to 6.0.1 about a week ago (we had the latest v5 installed before). Since yesterday, we noticed that many cPanel accounts are getting their passwords changed without their owners' approval. So we started investigating (thinking it was a hack from Wordpress at first..). Then today, when I logged in to WHMCS, I noticed that the same IP (198.7.58.97) has accessed several clients' accounts. So I think that somehow a hacker had access to these accounts and started changing their cPanel accounts from the client area of WHMCS? Is this possible?

I also noticed that the latest client to register is "Aganteng Rooterz DMASTERPIECE", who changed his info by putting in some code.. I googled this guy and found that it is an old exploit that was corrected in later versions (and since we had the latest, I doubt this was it).

1- How could a hacker get access to the client area?
2- What do we need to do in this case besides changing the passwords?

Thank you.
yggdrasil, posted August 18, 2015:

Yes, that one is an old exploit. Maybe it's working again in WHMCS 6? I would open a support ticket right away just to confirm this.
ramystyle (author), posted August 18, 2015:

And now I just realized they changed our Enom password!!
easyhosting, posted August 18, 2015:

Had you followed these: http://docs.whmcs.com/Further_Security_Steps ?

Also report the IP accesses to http://whois.domaintools.com/198.7.58.97

Also block these in your admin area (Setup > Other > Ban IPs) and also on the server:
198.7.56.0-198.7.63.255
198.7.56.0/21

Also ban and block that user and close his account.
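The pattern the original poster noticed (one source IP logging into several different client accounts) and the /21 ban range suggested above can both be checked mechanically. The following is an added example, not code from the thread or from WHMCS: it takes a constructed list of client-login records, flags any IP that reached more than a threshold of distinct client accounts, and tests whether an address falls inside the ban range. The record layout (timestamp, IP, client id) is an assumption, not the WHMCS log format.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of client-area login records: (timestamp, source IP, client id).
# The 198.7.58.97 address is the one reported in the thread; the others are
# documentation-range addresses standing in for ordinary customers.
SAMPLE_LOGINS = [
    ("2015-08-17 22:14:03", "198.7.58.97", 101),
    ("2015-08-17 22:15:41", "198.7.58.97", 102),
    ("2015-08-17 22:17:09", "198.7.58.97", 103),
    ("2015-08-17 22:19:55", "198.7.58.97", 104),
    ("2015-08-17 23:02:10", "203.0.113.5", 105),
    ("2015-08-18 08:30:00", "203.0.113.5", 105),
    ("2015-08-18 09:12:44", "192.0.2.10", 106),
]

# Ban range suggested in the thread (198.7.56.0-198.7.63.255 == 198.7.56.0/21).
BLOCKED_RANGES = [ipaddress.ip_network("198.7.56.0/21")]


def accounts_per_ip(records):
    """Map each source IP to the set of distinct client ids it logged into."""
    by_ip = defaultdict(set)
    for _timestamp, ip, client_id in records:
        by_ip[ip].add(client_id)
    return by_ip


def suspicious_ips(records, threshold=3):
    """Return {ip: sorted client ids} for IPs that reached >= threshold distinct accounts.

    A legitimate customer normally logs into one account, so a single address
    touching many accounts is the credential-theft signal described in the thread.
    """
    return {
        ip: sorted(clients)
        for ip, clients in accounts_per_ip(records).items()
        if len(clients) >= threshold
    }


def is_banned(ip, ranges=BLOCKED_RANGES):
    """True if the address lies inside any of the configured ban networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


if __name__ == "__main__":
    for ip, clients in suspicious_ips(SAMPLE_LOGINS).items():
        print(f"{ip} accessed clients {clients}; in ban range: {is_banned(ip)}")
```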
innovot, posted August 18, 2015:

Also consider installing http://suricata-ids.org/ and http://www.emergingthreats.net/open-source/etopen-ruleset
netwood, posted August 19, 2015:

You've got to be kidding me!!! Is this old exploit active again??? We get signups from these bots almost daily. Lucky we're still on 5.3.14.
easyhosting, posted August 19, 2015:

Quoting netwood: "You've got to be kidding me!!! Is this old exploit active again??? We get signups from these bots almost daily. Lucky we're still on 5.3.14."

No, the OP most likely has not installed patches or followed the extra security steps.
ramystyle (author), posted August 19, 2015:

Hi,

We are still investigating. We don't think it's because of the old exploit. We think the hacker was able to get a copy of our database (hence stealing all users' logins/passwords).. Like easyhosting said, we did not follow the extra security steps.. This may have helped us!!

I will keep you posted on any news we get.

We contacted Enom and asked them to freeze our account, as the hacker took control of our Enom account as well (probably stole our password from WHMCS as well). They were very helpful and are now confirming our identity (we had to send a bunch of docs..)

I really don't wish this nightmare on anyone!! Follow the extra security steps!
PropelMWS, posted August 22, 2015:

Hello ramystyle,

I recommend the following steps (in this exact order):

(1) Change your server SSH password
(2) If you use FTP, do not, and change that password
(3) Change your email address password
(4) Enable 2 Factor Authentication in WHMCS for all admin logins
(5) Change all WHMCS admin passwords
(6) Reset all your clients' passwords in WHMCS
(7) Not sure how many admins you have, but see if any new ones are there
(8) Continue your process of changing Enom and other passwords

Regardless of hack or not:

(1) Yes, follow the extra security steps, especially changing your /admin/ folder
(2) If you have your database backup being sent daily to your email address, then I suggest you do not
(3) Install the WHMCS Firewall module (whmcsFirewall.com)

Let me know how that goes for you and if you need any additional help getting your WHMCS back under your control.

Best,
Trevor~