yaykeny Posted September 27, 2018

Hi,

I had major issues with spam signups earlier in the year which I have halted. Tonight I manually added a new client and just checked the welcome email was sent out - this is what was sent: https://prnt.sc/kzigqi

A bit embarrassing! Apologies if there is a thread RE this but I could not find it. Does anyone know how to solve the problem?

Thanks

bear Posted September 27, 2018

You might want to remove or edit that image, since it contains login information for that client. Bad form posting that to the public. 😉

yaykeny Posted September 27, 2018

That is not the name or password, that is a fake name and login generated just for the email template that was sent out. Read through my post again.

bear Posted September 27, 2018

4 minutes ago, yaykeny said:
> That is not the name or password, that is a fake name and login generated just for the email template that was sent out. Read through my post again.

I had. You said "Tonight I manually added a new client". Not a test client/account, just a "new client". I'd assumed it was a real one. 😉

yaykeny Posted September 27, 2018

It was a real client I added. The client details are correct when I list them in the client section (let's say these are something like Mr Bill Smith). The email that was sent out to my client had the name and login detail fields on the new client email template changed to those of the screenshot I attached. Those characters and the domain used for the email address are commonly used by spam signups to WHMCS.

brian! Posted September 28, 2018

12 hours ago, yaykeny said:
> The email that was sent out to my client had the name and login detail fields on the new client email template changed to those of the screen shot I attached.

are you saying that the email template has been modified to add that Chinese email address to it? if so, that might imply the template has been modified by SQL - which would be a cause for worry.

if that's occurred, then it would be a good idea to open a ticket with Support and let them check everything out - because if the email templates have been compromised, what other changes have been made??

bear Posted September 28, 2018

If that's the sent email, why is it open in the editor? If I view a sent email, it opens a separate window with no formatting controls (why would it have those?).

By any chance did you copy/paste the client information in that? The "qq" domain implies a Chinese user, so maybe it's just using what you put in.

yaykeny Posted September 30, 2018

On 9/28/2018 at 11:57 AM, brian! said:
> are you saying that the email template has been modified to add that Chinese email address to it? if so, that might imply the template has been modified by SQL - which would be a cause for worry. if that's occurred, then it would be a good idea to open a ticket with Support and let them check everything out - because if the email templates have been compromised, what other changes have been made??

Yea the email template that was mailed out to the client had those characters and fake email address injected. I have had a reply from support, they say this:

Thank you for contacting WHMCS support! I've been able to reproduce this on your installation but I see nothing obvious in the admin area that would explain why this is occurring. It is likely that this is not an error from WHMCS itself, but rather a customisation that is installed. The first thing to try is temporarily removing any customisations that may be interfering with the normal operation of WHMCS such as addons and action hooks.

I'll go and see what I can find but I haven't added anything lately - all very odd!

brian! Posted September 30, 2018

11 minutes ago, yaykeny said:
> Yea the email template that was mailed out to the client had those characters and fake email address injected. I have had a reply from support, they say this :

which version of WHMCS were you using when you were receiving all the spam?

19 minutes ago, yaykeny said:
> I'll go and see what I can find but I haven't added anything lately - all very odd!

off-hand, I can't see what customisations would rewrite an email template - I'd be surprised if this is the only change made by injection... I assume that you've at least checked the other email templates for changes?

you might be able to search the tblemails table (the mail log) to see when the change was made, e.g. the first occurrence of this tweaked email being sent.

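The mail-log search suggested in the post above, as an added example that is not part of the thread and not WHMCS code. It runs against a constructed SQLite stand-in for `tblemails`; the column names, the sample rows and the CJK-character indicator are assumptions, so adjust them to the real schema and to what the altered email actually contained.

```python
import re
import sqlite3

# Indicators from the thread: a qq.com address, plus CJK characters
# (an assumption about "those characters" shown in the screenshot).
INDICATORS = {
    "qq_address": re.compile(r"[\w.+-]+@qq\.com", re.I),
    "cjk_text": re.compile(r"[\u4e00-\u9fff]"),
}

def first_occurrences(conn, table, text_cols, date_col="date"):
    """Return {indicator: (date, row id)} for the earliest matching row."""
    # Table and column names are fixed by the analyst, never user input.
    cols = ", ".join(f'"{c}"' for c in text_cols)
    query = (f'SELECT id, "{date_col}", {cols} FROM "{table}" '
             f'ORDER BY "{date_col}", id')
    found = {}
    for row_id, date, *texts in conn.execute(query):
        blob = "\n".join(t or "" for t in texts)
        for name, rx in INDICATORS.items():
            if name not in found and rx.search(blob):
                found[name] = (date, row_id)
    return found

def build_sample_log():
    """Constructed stand-in for the mail log; column names are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblemails (id INTEGER PRIMARY KEY, "
                 "userid INT, subject TEXT, message TEXT, date TEXT)")
    rows = [  # constructed sample rows, not data from the thread
        (1, 10, "Invoice Payment Reminder", "Dear Bill Smith, ...",
         "2018-03-01 09:00:00"),
        (2, 11, "Welcome", "Dear \u5f20\u4f1f, login: 123456@qq.com",
         "2018-04-12 02:13:00"),
        (3, 12, "Welcome", "Dear \u5f20\u4f1f, login: 123456@qq.com",
         "2018-09-27 21:40:00"),
    ]
    conn.executemany("INSERT INTO tblemails VALUES (?,?,?,?,?)", rows)
    return conn

if __name__ == "__main__":
    hits = first_occurrences(build_sample_log(), "tblemails",
                             ["subject", "message"])
    for name, (date, row_id) in hits.items():
        print(f"{name}: first seen {date} in row {row_id}")
```

The earliest hit gives a lower bound on when the altered content started going out, which can then be lined up against the web server and admin access logs for that period.
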
yaykeny Posted September 30, 2018

Yea I have checked through it and that Welcome email doesn't appear to show up as being sent or saved. All the other usual reminder and paid emails are going out fine but that one isn't.

brian! Posted September 30, 2018

3 minutes ago, yaykeny said:
> Yea i have checked through it and that Welcome email doesn't appear to show up as being sent or saved, All the other usual reminder and paid emails are going out fine but that one isn't.

ironically, maybe there are invalid characters in there that prevents that email template being sent... 🙂

yaykeny Posted September 30, 2018

Haha, good shout! Seems possible. Am just going through the log files to see if I can find out what's happening.

yaykeny Posted October 1, 2018

Damn!

I have performed a multitude of tests on your WHMCS installation and I can not find any reason for this to be occurring.

To be sure that this is not occurring due to an infected WHMCS file, our recommendation would be to delete all files on your WHMCS hosting account except for the WHMCS configuration.php file (including the files in other directories as well) in case the hackers have left any malicious files behind to be able to return later. This will allow you to begin with a "clean slate" by uploading a fresh set of WHMCS files, while using your existing database.

brian! Posted October 2, 2018

14 hours ago, yaykeny said:
> To be sure that this is not occurring due to an infected WHMCS file, our recommendation would be to delete all files on your WHMCS hosting account except for the WHMCS configuration.php file (including the files in other directories as well) in case the hackers have left any malicious files behind to be able to return later. This will allow you to begin with a "clean slate" by uploading a fresh set of WHMCS files, while using your existing database.

I think that is a sensible suggestion - I'd suggest getting a clean version of the current installed release from downloads.whmcs.com, and then getting the relevant versions of any addons installed - apart from configuration.php, I'd mistrust any currently installed file... though after re-installation is complete, I'd still be tempted to change database usernames and passwords just in case they were compromised too.

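Before wiping the installation as recommended above, it can help to record which installed files differ from the clean release, so there is something to investigate afterwards. This is an added example, not part of the thread and not a WHMCS tool; the directory layout and file contents in `build_sample_trees` are constructed for illustration.

```python
import hashlib
from pathlib import Path

KEEP = {"configuration.php"}  # the one file the support reply says to retain

def tree_hashes(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare_to_clean(installed, clean):
    """Classify installed files against a clean release of the same version."""
    live, ref = tree_hashes(installed), tree_hashes(clean)
    report = {"modified": [], "unexpected": [], "missing": []}
    for path, digest in live.items():
        if path in KEEP:
            continue
        if path not in ref:
            report["unexpected"].append(path)  # not shipped in the release
        elif ref[path] != digest:
            report["modified"].append(path)    # content differs from release
    report["missing"] = sorted(set(ref) - set(live))
    return report

def build_sample_trees(base):
    """Constructed miniature trees standing in for the live and clean copies."""
    base = Path(base)
    files = {  # constructed sample files, not real WHMCS contents
        "clean/index.php": "<?php // release\n",
        "clean/includes/hooks/index.php": "<?php\n",
        "live/index.php": "<?php // release\n",
        "live/includes/hooks/index.php": "<?php // altered\n",
        "live/includes/hooks/extra.php": "<?php // not in release\n",
        "live/configuration.php": "<?php // site settings\n",
    }
    for rel, text in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)
    return base / "live", base / "clean"

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        print(compare_to_clean(*build_sample_trees(tmp)))
```

Files from legitimately installed addons and templates will show up as unexpected until they are compared against their own clean packages, and configuration.php is skipped by the comparison, so it still needs reading by hand.
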