tap0le

WHMCS Global Services - hacked and doing nothing about it


WHMCS Administration: Please remove all WHMCS Global Services' modules from your marketplace.

About a week ago, WGS sent out an e-mail telling its clients to run a PHP script to patch an issue with their license server. It ended up not being from WGS. It was a hacker who had gained access to their system.

WGS' client database has been leaked, along with their credit card hash and instructions on how to hack ANY host which uses the "ClientX" theme. It includes a list of the hosts which use this theme. License servers have been down as well for WGS, so if you are paying for their modules, you can't use them anyway.

Here are some pastes which show the hackers' activity, WGS' response, and a timeline for this entire event.

<removed from community by moderation team>

Please, any hosting companies that use their services, delete the modules from your system. You are at risk.


Really, you're going to remove links from my comments and give no notification or acknowledgement of this? I should've figured you don't care about your users either, WHMCS.


The first link I gave didn't actually disclose any sensitive information, and honestly the community has a right to know. Anyone who wants to know more, just contact me. I'll share what WHMCS is censoring.


It gave database info, encryption hash and more. I'd call that sensitive. Offering to provide links, publicly or privately, shows a disregard for causing further harm.
The fact they've allowed the thread to remain (with links removed) should be evidence enough that they agree it's important enough to leave publicly visible. Removing the links (especially the second one) shows they would like to try and reduce the amount of damage this causes to innocent third parties and the company that created the flawed products.

Information is good; punishing the people behind the problem is not.


My mistake, I didn't realize the first link contained that info. I went back and checked and saw that it did include WGS' config file. I agree, their clients should not be put at a deficit due to their poor security. I am one of their clients. I understand removing the link, but the standard courtesy is to notify someone that you've modded their post.

I do feel that all their modules should be suspended from being sold in the marketplace, as they are still vulnerable.

For the record, I don't support how the hackers handled this. They should never have exposed private information or dumped databases. They should've given the information to WGS, waited a period of time giving them a chance to rectify, and released the information on the vulnerabilities to the public and nothing more.


There was already a post on the day of the hack, and it was closed entirely instead of just removing the link.

I was wondering that this post was just modified and not closed.

There are still a lot of listed domains using WGS addons; I am not sure if it is not clear that anyone can board their site.

Just my 5ct


Well, a few days back we opened the same thread, but WHMCS closed it intentionally. We pay monthly for WHMCS, and WHMCS doesn't want us to discuss anything about the issue with third-party addons and what it may cause to users. Wondering where cPanel is, who will come in and give us their thoughts about taking down unsecured addons or charging addon developers some amount for a security examination of the code. Anything listed on the WHMCS marketplace is like it's authorized by the WHMCS team, but why don't they do so, even if we get hacked?

I remember the day when a hacker from localhost.re released WHMCS exploits for SQL injection and all users were affected. Now I see WHMCS is listed on https://www.hackerone.com/.

Module developers can do the same by registering on https://www.hackerone.com, but they don't care. All they care about is maximum earnings. The word "security" doesn't exist in their dictionary.

Second, till now WGS hasn't sent any email about the nature of the hack, because they still don't understand how it was done, and they provide managed Linux administration. Also, according to their activity, they just changed their server and sent a new patch to users of ClientX themes after the hackers sent an email containing the explained exploit.

Now the hackers have got all their modules and will start to go through each piece of code, and I am sure there are many security loopholes, and next time they won't send an email to module users. They will directly hack the site and do whatever they want (ask for money, delete data, access the server, delete the server, etc.) because they already warned module users not to use them any more.

By the way, we stopped using the one module of theirs we had and are looking for a trusted alternative.


Just my two cents (I'm not involved, and I have no modules from WHMCS Global Services): the only good hacker is a dead hacker.

In previous posts I've read crazy and crazy phrases.

There's a security issue, and you want to discuss it? Create a closed group (wherever you want, it's your choice) and discuss it privately: discussing it publicly is madness.
When the security issue is closed, then it will be the time for public posts and comments...

19 minutes ago, bullten said:

Anything listed on the WHMCS marketplace is like it's authorized by the WHMCS team, but why don't they do so, even if we get hacked?

no it isn't - the listing may be authorised (that can't be denied! lol), but certainly not the addon itself - there are no checks on the coding by WHMCS, and they are definitely not vouching for it.

https://marketplace.whmcs.com/help/marketplace#question28

Quote

How are add-ons reviewed?

We review and approve all new listings in the WHMCS Marketplace to ensure that add-on information is as complete as possible. However, we do not monitor, review or provide any assurances about the quality of code contained within any add-ons or extensions. If you find dangerous or malicious code posted here, please report it to us.

I would be astonished if WHMCS ever got to the stage of charging for listings in Marketplace, and/or validating code before listing - they simply won't have the staff levels to do the latter, nor would I expect them to have even the remotest inclination to do it.

Quote

Can I trust third-party add-ons?

The WHMCS Marketplace is designed to give you visibility to see if an add-on is reliable. All listings provide the following resources to help you make informed decisions about the add-ons you install and use. Reviews and ratings from other users. See if compatibility is kept up-to-date with the latest version. Changelog tab allows you to see if the developer is active and regularly providing updates. Review screen shots and other information in the listing description.

41 minutes ago, bullten said:

We pay monthly for WHMCS, and WHMCS doesn't want us to discuss anything about the issue with third-party addons and what it may cause to users. Wondering where cPanel is, who will come in and give us their thoughts about taking down unsecured addons or charging addon developers some amount for a security examination of the code. Anything listed on the WHMCS marketplace is like it's authorized by the WHMCS team, but why don't they do so, even if we get hacked?

It has already been said tens of times in the last few days.

WHMCS is NOT responsible for third-party modules and isn't obligated to do anything. The WHMCS team has their own software to maintain and secure. They allow us to discuss this problem here only as a common courtesy. You can't expect them to check, validate, verify, deobfuscate and even fix software developed by thousands of people from all countries of the world with different languages and skills. It would require an enormous amount of money, people and time. It makes no sense.

TL;DR

If my Ferrari explodes because the battery of my Samsung caught fire, who is responsible? Ferrari?

Edited by Kian
1 minute ago, Kian said:

It has already been said tens of times in the last few days.

WHMCS is NOT responsible for third-party modules and isn't obligated to do anything. The WHMCS team has their own software to maintain and secure. They allow us to discuss this problem here only as a common courtesy. You can't expect them to check, validate, verify, deobfuscate and even fix software developed by thousands of people from all countries of the world with different languages and skills. It would require an enormous amount of money, people and time. It makes no sense.

TL;DR

If my Ferrari explodes because the battery of my Samsung caught fire, who is responsible? Ferrari?

Well, the example is not the one we expected it to be. Good luck with your Ferrari. lol

OK, the point is, we know one thing: we provide Linux administration of the service. We can't focus on the security of WHMCS or its addons or start coding our own. Someone has to come in and take responsibility. We pay and get the service. We are not using it for free.

3 minutes ago, bullten said:

OK, the point is, we know one thing: we provide Linux administration of the service. We can't focus on the security of WHMCS or its addons or start coding our own.

Maybe you've chosen the wrong job. 😉

8 minutes ago, Kian said:

It has already been said tens of times in the last few days.

WHMCS is NOT responsible for third-party modules and isn't obligated to do anything. The WHMCS team has their own software to maintain and secure. They allow us to discuss this problem here only as a common courtesy. You can't expect them to check, validate, verify, deobfuscate and even fix software developed by thousands of people from all countries of the world with different languages and skills. It would require an enormous amount of money, people and time. It makes no sense.

TL;DR

If my Ferrari explodes because the battery of my Samsung caught fire, who is responsible? Ferrari?

If Ferrari knows of the issue and for some reason is allowing Samsung to sell phones out of their gift shop, I'd say yeah, they are partially responsible.

1 hour ago, Remitur said:

Just my two cents (I'm not involved, and I have no modules from WHMCS Global Services): the only good hacker is a dead hacker.

In previous posts I've read crazy and crazy phrases.

There's a security issue, and you want to discuss it? Create a closed group (wherever you want, it's your choice) and discuss it privately: discussing it publicly is madness.
When the security issue is closed, then it will be the time for public posts and comments...

I completely disagree. Once it's fixed it's rather too late. How will potential victims know NOT to use said software?

Also, the hackers' methods were awful, but it's much better to know than not to know. Hackers are necessary. I've paid hackers to hack our site. But security researchers follow ethical boundaries, which these hackers did not.

Edited by tap0le

9 minutes ago, tap0le said:

If Ferrari knows of the issue and for some reason is allowing Samsung to sell phones out of their gift shop, I'd say yeah, they are partially responsible.

Hardware stores sell ropes. People commit suicide by hanging themselves with ropes. Hardware stores are murderers.

I'm exaggerating things on purpose to make a point. How can WHMCS be partially responsible? They're responsible or not. It's black or white. It can't be gray. Their only role in the story is that they presented you with WGS, which happened to be hacked.

This whole story reminds me of Apple & Android with their stores full of millions of Apps. Not even Google and Apple can verify them but we install them not even thinking about security. When something bad happens people start accusing Google & Apple for not making the impossible (checking every single line of code of every App ever released). What's next? Counting grains of sand?

1 minute ago, tap0le said:

Hackers are necessary.

I don't want to start an argument about the right use of terms, but this guy is not a hacker, he's a cracker. No ethics involved here, but the usual disgusting side of the internet.

49 minutes ago, bullten said:

Someone has to come in and take responsibility.

the responsibility lies with you - not someone else... ultimately, the market will decide.

44 minutes ago, tap0le said:

If Ferrari knows of the issue and for some reason is allowing Samsung to sell phones out of their gift shop, I'd say yeah, they are partially responsible.

but WHMCS doesn't sell you any third-party addons via Marketplace - only their own.... the rest are just links to developers' sites... you could get to most of them via Google if you know what the addon is called.

if WHMCS had the responsibility for addons offered through Marketplace, I don't for one minute think they would keep it open - they created Marketplace (as an updated version of the old App Store) as a convenient one-stop place for addons, and I daresay to have some control over their selling - and I'm talking about control in the sense that if they hadn't created Marketplace, someone else would have created it.

23 minutes ago, tap0le said:

I completely disagree. Once it's fixed it's rather too late.

but that's exactly how WHMCS fix their own security flaws when they find out about them - they get resolved via a security update and then WHMCS provide a very brief summary in the changelog.... for very obvious reasons, they wouldn't allow a public discussion here before a fix was in place.

3 minutes ago, brian! said:

the responsibility lies with you - not someone else... ultimately, the market will decide.

but WHMCS doesn't sell you any third-party addons via Marketplace - only their own.... the rest are just links to developers' sites... you could get to most of them via Google if you know what the addon is called.

if WHMCS had the responsibility for addons offered through Marketplace, I don't for one minute think they would keep it open - they created Marketplace (as an updated version of the old App Store) as a convenient one-stop place for addons, and I daresay to have some control over their selling - and I'm talking about control in the sense that if they hadn't created Marketplace, someone else would have created it.

but that's exactly how WHMCS fix their own security flaws when they find out about them - they get resolved via a security update and then WHMCS provide a very brief summary in the changelog.... for very obvious reasons, they wouldn't allow a public discussion here before a fix was in place.

You are all missing my point. I'm not saying they are responsible for the addon. I'm saying they have a responsibility to the community to remove content once it has been brought to their attention that it causes mass harm. I'm not saying they legally have this responsibility, but ethically.

As for disclosure: the difference with WHMCS is they actually fix their security holes. When it actually comes to their software, they are on top of it. Like I said in my first posts, the hacker should make the party they hacked aware, give them time to fix it, then release the info on the vulnerabilities at a specified time, whether or not it's fixed.

This is how the industry works. It's standard practice.


12 minutes ago, tap0le said:

As for disclosure: the difference with WHMCS is they actually fix their security holes. When it actually comes to their software, they are on top of it. Like I said in my first posts, the hacker should make the party they hacked aware, give them time to fix it, then release the info on the vulnerabilities at a specified time, whether or not it's fixed.

This is how the industry works. It's standard practice.

Edit: I realize I said something that conflicts with this, saying once it's fixed it's too late. I didn't mean that. I was getting frustrated, and that just came out.

8 minutes ago, tap0le said:

I'm saying they have a responsibility to the community to remove content once it has been brought to their attention that it causes mass harm.

that assumes that posting here counts as 'bringing it to their attention'... I suspect suspicious modules would have to be reported - otherwise they'd just be reacting to hearsay.

14 minutes ago, tap0le said:

When it actually comes to their software, they are on top of it.

that's the best laugh I've had in a while.

7 minutes ago, brian! said:

that assumes that posting here counts as 'bringing it to their attention'... I suspect suspicious modules would have to be reported - otherwise they'd just be reacting to hearsay.

that's the best laugh I've had in a while.

Well, I guess I'll look for instructions on reporting them.

Lol, I didn't mean they are on top of their software as a whole, just the security aspects of it. Usually.

1 minute ago, tap0le said:

Well, I guess I'll look for instructions on reporting them.

I just think it's safer to assume that posting here does not equate to telling WHMCS.... chances are they already know about the WGS situation by now, but I don't know if they know (if you see what I mean!)

5 minutes ago, tap0le said:

Lol, I didn't mean they are on top of their software as a whole, just the security aspects of it. Usually.

by definition, we wouldn't know whether they are or not - we'd only know about flaws if either they, or someone else, told us about them.

On 10/1/2018 at 7:57 AM, wp4all said:

There was already a post on the day of the hack, and it was closed entirely instead of just removing the link.

It wasn't closed, it was removed from public view. I'd have to assume the knee-jerk reaction was to get the damaging details off the public community quickly, without reading for content. Maybe. Each community moderates in their own way. 🙈


Hi all,

We are aware of the recent compromise of the third-party development company "WHMCS Global Services" and are monitoring the situation to determine what actions are appropriate for the modules and addons provided by them.

At its core, the WHMCS Marketplace is a community-driven service with reviews and ratings allowing users to share their experiences, both good and bad, with the modules available within it. While we review and approve all new listings in the WHMCS Marketplace to ensure that add-on information is as accurate and complete as possible, we state in our FAQs that we do not monitor, review or provide any assurances about the quality of code contained within any add-ons or extensions, and that installation and use of modules obtained via the Marketplace is done at the user's own risk.

20 hours ago, bear said:

It wasn't closed, it was removed from public view. I'd have to assume the knee-jerk reaction was to get the damaging details off the public community quickly, without reading for content. Maybe. Each community moderates in their own way. 🙈

I have rarely, if ever, read such a contradiction. This is a community for the WHMCS community, and WGS offers third-party modules for just this software. What could be closer to the customer than bringing the information here?

Nothing was presented which WGS had already reproduced in their blog or was already readable on the net.

In general I hate censorship and accept it only when it makes sense.

In this post the links were deleted, and the post before it was made inaccessible to the public: what a contradiction.

Just think about it: the information was still listed here in the community, especially before WGS had informed its own customers. That alone already says how important the community is here and that it is also used.

@bear, in the other community post it was possible to delete just the link and not the whole post?

http://www.webhostingtalk.com/showthread.php?t=1731675

But you can see nothing has changed, whether it's cPanel, WGS or WHMCS itself.

Cover of silence.

On 10/1/2018 at 4:36 PM, Kian said:

It has already been said tens of times in the last few days.

WHMCS is NOT responsible for third-party modules and isn't obligated to do anything.

WHMCS has a damn duty to inform its customers about possible damage.

I agree totally that no one can demand that WHMCS has to check every single theme, module or addon, but you have the duty to inform your customers about possible damage, even more so if you know about it.

On 10/1/2018 at 4:36 PM, Kian said:

and isn't obligated to do anything.

It cannot be that you sit down and say: hey, it's not WHMCS, I do not care.

Then WHMCS should not even appear to have something to do with it, if they want to distance themselves in hindsight.

[screenshot removed]

Call it a collection of unaudited addons suitable for WHMCS 😉 and remove your brand.

For this entry I am ready to receive my first warning.

P.S. I like the Frog story; think about it.

Sorry, I'm not a native English speaker, so sorry for my grammar and expression.

Greetings from Germany

Christian

