
Huge amount of fake accounts


Message added by WHMCS ChrisD

In an effort to try to combat and prevent these orders from being successful, our team has worked to implement Google's invisible reCAPTCHA in the shopping cart checkout workflow through the use of the hooks system. Please click here for more information.

Looking to Mass Delete clients? There is a guide to doing this here


Setup -> General Settings -> General

Enable the template named "six"; this has the latest updates and reCAPTCHA 2 works.


Setup -> General Settings -> Security

Tick on
reCAPTCHA (Google's reCAPTCHA system)

Go to https://www.google.com/recaptcha/admin/create

Add your website and you will get the keys.

Then go to Advanced Settings

Security Preference -> Most Secure

Fake signup has stopped. Hope this works for others too.
 

Link to comment
Share on other sites

13 hours ago, flywheel said:

Is it working?  I'm having the same issue that just started about a week ago.

No, I have enabled all the security features and nothing works. I have had to hide and retire my products for now. I have also enabled MaxMind, but this only stops the accounts being set up on WHM and flags them as spam; it doesn't stop the client being created, which is a pain to keep having to remove.

Link to comment
Share on other sites

What a nightmare.   https://prnt.sc/j8dcon    

Went and stopped users just being able to register but then actual orders started to appear. I enabled all the security features but nothing worked so had to go into maint mode. As soon as you turn it off, the orders flood in again so I have had to hide/retire the products for now, it's like being under attack!  I then enabled and signed up for maxmind which doesn't seem to stop the clients appearing and flags the order as spam but still not what I had hoped it would do.

The ability to block delete clients would be handy as currently I am having to use phpmyadmin to go in and delete the fake accounts. Hopefully a proper fix comes along soon!

Kenny

Link to comment
Share on other sites

I have been fighting spam orders for many days already, without result.

There are several problems:
1. Blocking IPs does not work, as the spammer uses different IPs;
2. Blocking email addresses does not work, as the spammer uses different email addresses, for example: yahoo.com, gmail, hotmail.com, etc.;
3. Switching on "Request users to confirm their email address on signup or change of email address" does not work;
4. MaxMind does not work, because it does not stop spam; it is for fraud detection only.

I think WHMCS needs Captcha Form Protection on the order page too.

Link to comment
Share on other sites

9 hours ago, kaybee57 said:

With all these fake clients coming in, would be nice to have a 'Delete Selected Clients' option on the Clients list page. I'll add it to the wish list.

https://www.whmcssmarters.com/clients/cart.php?gid=10 I use this. I can select multiple users and mass delete them by hitting delete at the bottom. It saved me during the spam. Try it, it's completely FREE.

Also, WHMCS uses Google reCAPTCHA 2; it's in Security. I use it too, but the bots bypassed it.

Link to comment
Share on other sites

2 hours ago, Sunzila said:

I have been fighting spam orders for many days already, without result.

There are several problems:
1. Blocking IPs does not work, as the spammer uses different IPs;
2. Blocking email addresses does not work, as the spammer uses different email addresses, for example: yahoo.com, gmail, hotmail.com, etc.;
3. Switching on "Request users to confirm their email address on signup or change of email address" does not work;
4. MaxMind does not work, because it does not stop spam; it is for fraud detection only.

I think WHMCS needs Captcha Form Protection on the order page too.

Woke up yesterday with over 5000+ accounts created and the same amount of orders... so annoying...
I agree with @Sunzila these guys are creating accounts and then performing the orders and most options can be beaten by changing locations and trying again.

 

 

 

Link to comment
Share on other sites

Very annoying here as well, I've got over 5000 accounts and orders now.....

Most options are workarounds and will only stop the issue for a small amount of time. Crazy that having reCAPTCHA on account creation is now bypassable.

Anyone got some SQL for account/order cleanups?

Link to comment
Share on other sites

  • WHMCS Staff

Hi,

We have noticed that this has become more frequent as of recent. In response, we have compiled a troubleshooting article explaining what may help in blocking spam orders.

The link for this is: http://help.whmcs.com/m/troubleshooting/l/878335-blocking-spam-orders

Hopefully, this should help mitigate the issue. This guide naturally does not guarantee to block 100% of spam orders and if you're still having problems, I'd recommend consulting a security expert who may be able to advise of more ways of securing your servers.

Rest assured, WHMCS is safe and secure.

I hope this helps.

Best regards,

Peter
Technical Analyst

Link to comment
Share on other sites

As a workaround place this snippet in your $WHMCS_ROOT/include/hooks folder:

<?php
if (!defined("WHMCS"))
    die("This file cannot be accessed directly");

function userdata_field_matches($fieldname,$value,$all_vars) {
        return (array_key_exists($fieldname,$all_vars) && preg_match("/$value/",$all_vars[$fieldname]);
}

function validate_user_data($vars) {

        if (userdata_field_matches("email",     "@qq\.com",     $vars) return "Error: Userdata validation error";
        if (userdata_field_matches("lastname",  "fuli8\.tk",    $vars) return "Error: Userdata validation error";
        if (userdata_field_matches("firstname", "5666Q\.COM",   $vars) return "Error: Userdata validation error";
}

add_hook("ClientDetailsValidation",1,"validate_user_data");
?>

 

Link to comment
Share on other sites

Corrected Version:

<?php
if (!defined("WHMCS"))
    die("This file cannot be accessed directly");

// Returns true when the submitted field exists and matches the given regex fragment.
function userdata_field_matches($fieldname, $value, $all_vars) {
    return (array_key_exists($fieldname, $all_vars) && preg_match("/$value/", $all_vars[$fieldname]));
}

// Rejects submissions whose email, last name or first name matches one of the spam patterns.
function block_fuli8_tk($vars) {
    if (userdata_field_matches("email",     "@qq\.com",   $vars)) return "Error: Userdata validation error";
    if (userdata_field_matches("lastname",  "fuli8\.tk",  $vars)) return "Error: Userdata validation error";
    if (userdata_field_matches("firstname", "5666Q\.COM", $vars)) return "Error: Userdata validation error";
}

// Run the check whenever WHMCS validates submitted client details.
add_hook("ClientDetailsValidation", 1, "block_fuli8_tk");
?>

 

Link to comment
Share on other sites

Hello everyone

Regarding this issue about fake users and orders in WHMCS.

For 4 days I have had a lot of problems generated by that spammer, which I now see affects a lot of colleagues.

I asked for help at WHMCSservices and finally found a way to create a module that WORKS.

I have had more than 12 hours with no spam. All issues solved.

I recommend that everyone who has this issue install it

https://www.whmcsservices.com/stopfakeclients.php

Thanks again to WHMCS services

Link to comment
Share on other sites

On 4/23/2018 at 8:40 AM, kaybee57 said:

Took my whole WHMCS offline for 12 hours
Have about 5 domains banned within my CPanel
Changed CPanel password
Changed database password
Updated my WHMCS to latest version
Set my WHMCS back online, and guess what, 5 minutes later, they're baaack.....! :) Oops, should be :(
Have also now added about 10 domains to my Banned email list - as per the list below

So having done all the above, it 'possibly' appears to me there may be a dodgy file within the file system that isn't part of the update system (i.e. somewhere in my template?? that has been infected??)

Email Domain Usage Count  
.tom.com 0 Delete
126.com 0 Delete
163.com 0 Delete
jifewrji.com 0 Delete
ohh.cn 0 Delete
ohu.com 0 Delete
qq.com 0 Delete
sina.com 0 Delete
yahoo.com.cn

Any further thoughts WHMCS John??

 

I've added these ones from above to see if these help reduce the impact, but I also have a few other domains added to the list as well; these are:

sina.cn
com.com
qqcom.com
sohu.com
 

 

Link to comment
Share on other sites

On 4/24/2018 at 5:55 AM, easyhosting said:

If you look at them, they only run on 4 subnet ranges, so block all these subnets.

That image shows far more than that. Look at the first octets. Banning those would ban not only the spammers but pretty much millions of IPs and users.
IP bans on Chinese ranges (if they even keep within Chinese IP space) is a losing game of whack-a-mole. ;)

Link to comment
Share on other sites

I had this problem also.  One thing I noticed when viewing the latest visitors in cPanel, searching for register.php, is that all the fake signups were using http 1.0 rather than http 1.1.

I added:

RewriteCond %{THE_REQUEST} ^POST(.*)HTTP/(0\.9|1\.0)$ [NC]
RewriteRule .* - [F,L]

to my htaccess file on the 20th and haven't had one fake signup since.

I had tried all the other things, blocking IP addresses and emails, requiring email validation, captcha was already active, etc with no success.

Link to comment
Share on other sites
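
As an added example (not code from this thread or from WHMCS), the Python script below applies the same pattern as the RewriteCond above to Apache combined-format access log lines and tallies which POST paths the rule would reject. The sample log lines, the IP addresses and the callback path are constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+')
# Same pattern as the RewriteCond in the post above ([NC] = case-insensitive).
RULE_RE = re.compile(r'^POST(.*)HTTP/(0\.9|1\.0)$', re.IGNORECASE)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Apr/2018:10:01:02 +0000] "POST /register.php HTTP/1.0" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Apr/2018:10:01:05 +0000] "POST /register.php HTTP/1.0" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [20/Apr/2018:10:02:11 +0000] "POST /cart.php?a=checkout HTTP/1.1" 200 8411 "-" "Mozilla/5.0"
198.51.100.4 - - [20/Apr/2018:10:02:40 +0000] "GET /register.php HTTP/1.1" 200 9200 "-" "Mozilla/5.0"
192.0.2.15 - - [20/Apr/2018:10:03:00 +0000] "POST /modules/gateways/callback/example.php HTTP/1.0" 200 12 "-" "-"
not a log line
"""

def summarize(log_text):
    """Count POSTs per (path, protocol) and the paths the rewrite rule would block."""
    posts = Counter()    # every POST, keyed by (path without query, protocol)
    blocked = Counter()  # POSTs whose request line matches the rule, keyed by path
    skipped = 0          # lines that are not in combined log format
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            skipped += 1
            continue
        request = m.group(2)  # e.g. 'POST /register.php HTTP/1.0'
        parts = request.split()
        if len(parts) != 3 or parts[0].upper() != "POST":
            continue  # malformed request line or not a POST
        path = parts[1].split("?", 1)[0]
        posts[(path, parts[2])] += 1
        if RULE_RE.match(request):
            blocked[path] += 1
    return posts, blocked, skipped

if __name__ == "__main__":
    posts, blocked, skipped = summarize(SAMPLE_LOG)
    for (path, proto), n in sorted(posts.items()):
        print(f"{n:5d}  {proto:9s} {path}")
    print("Would be rejected (403) by the rule:", dict(blocked))
    print("Unparseable lines:", skipped)
```

Run it over the real access log before deploying the rule: the rule rejects every HTTP/1.0 POST on the site, so any non-signup path in the blocked tally (for example a reverse proxy that speaks HTTP/1.0 to Apache, or a server-to-server callback) is legitimate traffic that would also get a 403.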

I am chiming in mostly as a data point. I have been using WHMCS for over 10 years and never had any major issues up until now. As of a few days ago I am getting hundreds of fake users per day which is taking an incredible amount of time to delete and try to mitigate.

I have tried all solutions mentioned in this thread (with the exception of the rewrite rule, which I just added now) and typically whenever I block an IP, email, domain, add a custom field, etc. they just change their attack vector a bit and the fake accounts start to come back a few hours later. I hope the rewrite solution (mentioned above) fixes this.. but my hopes are not all that high. They will likely just switch to HTTP 1.1. I would not be surprised if they are following/reading this thread.

I wish WHMCS would allow us to:

1) Mass delete users 
2) Automatically delete all unverified user accounts within X hours
3) Have a better captcha system since it is obvious the attackers are able to bypass both the WHMCS captcha and Google's ReCaptcha

 

Link to comment
Share on other sites
