SRD, posted January 8, 2016

I have installed WHMCS on my domain, but I haven't advertised it at all. To my surprise, I received an order today:

Order Information
Order ID: 1
Order Number: 6191807400
Date/Time: 07/01/2016 22:20
Invoice Number: 1
Payment Method: PayPal

Customer Information
Customer ID: 1
Name: XHEADER XVALUE
Email: headervl@gmail.com
Company: XHEADER-XVALUE
Address 1: dm
Address 2: dm
City: dm
State: Arizona
Postcode: 404404
Country: US
Phone Number: 086969696969

Order Items
Domain Registration: Register Domain: whmcs0day.com
First Payment Amount: $19.95 AUD
Recurring Amount: $19.95 AUD
Registration Period: 1 Year/s
Total Due Today: $19.95 AUD

ISP Information
IP: xxx.xxx.xxx.xxx (I hid this for the forum post)
Host: xxx.websitewelcome.com

I didn't receive a payment in PayPal. If I log in to my WHMCS dashboard, I have 1 pending order. The "Client" field says:

XHEADER XVALUE AES_ENCRYPT(1,1), address1= (SELECT MIN(username) FROM tbladmins), AES_ENCRYPT(1,1), address2= (SELECT MIN(password) FROM tbladmins) AES_ENCRYPT(1,1), city= (SELECT MAX(username) FROM tbladmins), AES_ENCRYPT(1,1), state= (SELECT MAX(password) FROM tbladmins), 40404 United States

So, it appears this is a hacking attempt. They may have been testing for a WHMCS 0-day vulnerability (after googling "whmcs0day.com"). Perhaps they found my WHMCS URL on a technical support thread somewhere.

Anyhow, how do I determine if the hack attempt worked? I can't see any way to view logs in the WHMCS navigation.

I have changed my WHMCS dashboard password. I have banned the IP above in the WHMCS dashboard. Do I need to do anything else?

I am using WHMCS v6.2.0.
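A defender-side triage routine for orders like this one, added here as an example and not part of the thread or of WHMCS itself: it flags client fields that carry the SQL fragments quoted in the post (subqueries, AES_ENCRYPT calls, references to tbladmins). The field names and the sample records are constructed; the first record reuses the payload string from the post.

```python
import re

# Constructed sample of order/client records. The first reuses the payload
# string quoted in the post; the second is a benign record chosen to contain
# SQL-looking words ("Select", "Union") that must NOT be flagged.
SAMPLE_CLIENTS = [
    {"client": "XHEADER XVALUE AES_ENCRYPT(1,1), address1= (SELECT MIN(username) "
               "FROM tbladmins), AES_ENCRYPT(1,1), address2= (SELECT MIN(password) "
               "FROM tbladmins) AES_ENCRYPT(1,1), city= (SELECT MAX(username) FROM "
               "tbladmins), AES_ENCRYPT(1,1), state= (SELECT MAX(password) FROM "
               "tbladmins), 40404 United States",
     "address1": "dm", "city": "dm", "state": "Arizona", "postcode": "404404"},
    {"client": "Jane Doe", "address1": "12 Select Street", "city": "Union City",
     "state": "NJ", "postcode": "07087"},
]

# Indicators seen in the quoted payload: a parenthesised SELECT ... FROM subquery,
# MySQL function calls, the admin credentials table, and "column= (" assignments
# that try to redirect other client columns at query-build time.
PATTERNS = {
    "subquery": re.compile(r"\(\s*SELECT\b.+?\bFROM\b", re.I | re.S),
    "mysql_function": re.compile(r"\b(AES_ENCRYPT|AES_DECRYPT|CONCAT|CHAR|SLEEP|BENCHMARK)\s*\(", re.I),
    "admin_table": re.compile(r"\btbladmins\b", re.I),
    "column_assignment": re.compile(r"\b(address1|address2|city|state|email|password)\s*=\s*\(", re.I),
}


def scan_client(record):
    """Return {field: [indicator names]} for every field that matches an indicator."""
    hits = {}
    for field, value in record.items():
        found = [name for name, rx in PATTERNS.items() if rx.search(str(value))]
        if found:
            hits[field] = found
    return hits


def classify(hits):
    """Rank the finding: credential-table targeting is the highest priority."""
    names = {n for found in hits.values() for n in found}
    if "admin_table" in names:
        return "admin-credential-targeting"
    if names & {"subquery", "mysql_function", "column_assignment"}:
        return "sqli-probe"
    return "clean"


def triage(records):
    """Return [(index, classification, hits)] for the records worth a closer look."""
    out = []
    for i, rec in enumerate(records):
        hits = scan_client(rec)
        if hits:
            out.append((i, classify(hits), hits))
    return out
```

The result of `triage(SAMPLE_CLIENTS)` singles out the first record for the client field only; a clean scan means the order text itself is benign, not that the installation is, which is why checking the admin login log (as suggested below in the thread) still matters.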
sentq, posted January 8, 2016

It's normal; we haven't heard about WHMCS hacking for 12+ months, I hope. Since WHMCS v6, the way WHMCS communicates with the database is much safer, so you shouldn't worry about those kids, unless your WHMCS is installed in a shared environment, which will put you at risk!
brian!, posted January 8, 2016

> Anyhow, how do I determine if the hack attempt worked? I can't see any way to view logs in the WHMCS navigation.

I think the general advice is that as long as you're using a recent version of WHMCS, you should be safe from these sorts of attempts.

With regards to the logs: Utilities -> Logs
SRD (author), posted January 8, 2016

Great. Thanks, Brian. Logs confirm no one but me has logged in.

I am on shared hosting. My host has been good for me and my clients. What's the risk of running WHMCS on a shared server? Thanks.
zomex, posted January 8, 2016

This was quite an old exploit; the name of the "client" is also common. This person (likely an automated bot) has created many orders on my systems. As others have mentioned, as long as you're running the latest version of WHMCS you should be fine. Just block him using the IP ban.

It's good to see that there haven't been any security concerns with WHMCS recently.
WHMCS John (WHMCS Support Manager), posted January 11, 2016

Hi,

Provided you were running WHMCS v5.2.8 or above at the time these changes were made, you are perfectly safe and the client can just be deleted. You can read more about this in our blog post from the time: http://blog.whmcs.com/?t=79527