ejmerkel Posted December 27, 2017

I see there was an account called cPanel Exploiter set up in our WHMCS installation today. It looks like they were trying to execute SQL commands by changing the profile settings like such.

Address 1: 'cpanel' to 'AES_ENCRYPT(1,1), address1= (SELECT MIN(username) FROM tbladmins)'
Address 2: 'security' to 'AES_ENCRYPT(1,1), address2= (SELECT MIN(password) FROM tbladmins)'
City: 'test' to 'AES_ENCRYPT(1,1), city= (SELECT MAX(username) FROM tbladmins)'
State: 'hacked' to 'AES_ENCRYPT(1,1), state= (SELECT MAX(password) FROM tbladmins)'

My question is will these attempts to get information be successful? How would I know?

We are running WHMCS 7.1.2. I assume these fields are sanitized for SQL commands?

Eric

Tatto de Castro Posted January 26, 2018

Hi @ejmerkel

Take a look at this thread:

This is related to old WHMCS <= 5.2.

Other interesting links:

https://www.abuseipdb.com/check/205.234.200.234
https://www.abuseipdb.com/check/192.185.83.219
https://www.kitploit.com/2013/10/whmcs-0day-auto-exploiter-528.html

twhiting9275 Posted January 27, 2018

Yeah, safe to ignore if you're using a legitimate, up to date, version of WHMCS.

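Added example, not part of the thread and not WHMCS code: a small Python check that parses profile-change entries in the format quoted in the first post and flags new values containing SQL constructs. The first four sample entries are copied from that post, the last two are constructed, and the marker list and function names are assumptions made for this illustration.

```python
import re

# One change entry in the format quoted in the first post: Field: 'old' to 'new'
CHANGE_RE = re.compile(r"^(?P<field>[^:]+):\s*'(?P<old>.*?)'\s+to\s+'(?P<new>.*)'$")

# SQL constructs that have no place in a postal address field (assumed list,
# built from the values shown in the post; extend it for your own review).
SQL_MARKERS = [
    ("sql function", re.compile(r"\bAES_(?:EN|DE)CRYPT\s*\(", re.I)),
    ("subquery", re.compile(r"\(\s*SELECT\b", re.I)),
    ("table reference", re.compile(r"\bFROM\s+tbl\w+", re.I)),
    ("column assignment", re.compile(r",\s*\w+\s*=\s*\(", re.I)),
]

# First four entries are from the post; the last two are constructed benign edits.
SAMPLE_LOG = """\
Address 1: 'cpanel' to 'AES_ENCRYPT(1,1), address1= (SELECT MIN(username) FROM tbladmins)'
Address 2: 'security' to 'AES_ENCRYPT(1,1), address2= (SELECT MIN(password) FROM tbladmins)'
City: 'test' to 'AES_ENCRYPT(1,1), city= (SELECT MAX(username) FROM tbladmins)'
State: 'hacked' to 'AES_ENCRYPT(1,1), state= (SELECT MAX(password) FROM tbladmins)'
Address 1: '12 Main St' to 'Apt 4 (rear), 12 Main St'
Postcode: '90210' to '10001'
"""

def parse_changes(log_text):
    """Yield (field, old, new) for every line that matches the change format."""
    for line in log_text.splitlines():
        m = CHANGE_RE.match(line.strip())
        if m:
            yield m["field"].strip(), m["old"], m["new"]

def flag_injection_attempts(log_text):
    """Return [(field, [marker names])] for new values that contain SQL constructs."""
    findings = []
    for field, _old, new in parse_changes(log_text):
        hits = [name for name, rx in SQL_MARKERS if rx.search(new)]
        if hits:
            findings.append((field, hits))
    return findings

if __name__ == "__main__":
    for field, hits in flag_injection_attempts(SAMPLE_LOG):
        print(f"{field}: {', '.join(hits)}")
```

A flagged entry shows only that SQL was submitted as a field value; it says nothing about whether the application executed it.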