
Mass Bogus New Account Creation



For a while there I thought the bogus account creation was behind us.

But in the past few months I've seen a major uptick in bogus European new account creation.

Some bot out there is mass injecting new accounts nearly constantly.

Anyone else seeing this?

I see no way to stop it.

Anyone have recommendations on reducing the number of injected accounts into WHMCS?

Thanks.


 

Simply appearing,

So I suspect there is an exploit in WHMCS that's allowing injection without proper sanitizing of entry data.

Yes, there is a Google CAPTCHA on the page as well, so the hacker is getting around that.

It's a WHMCS exploit issue as far as I can tell.

This should not be possible, if the create account script had proper safeguards in place.

I might get 10 new account submissions in the span of a few minutes from various IP addresses.

Attached is a sample list of connections from one hacked server, apparently.

 

ipvanish.com.jpg

Edited by TheHackRepairGuy
adding file

You need to match up the time of the account creation and the page they hit in the server logs. That's where I'd start. 
Is this WHMCS installation isolated from other software and users (like on a VPS all by itself, no WordPress, etc.)? If not, I'd be checking that vector as well.

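The log correlation suggested in the reply above, written out as an added example (not code from the thread or from WHMCS): it lines up each account creation time with the POST to the signup page recorded in the web server's access log, flags bursts of creations in a short window, and tallies the user agents behind the matched signups. It assumes the signup form is served at /register.php, that account creation times and log timestamps are both in UTC, and that account records can be exported as (time, client id) pairs; the log lines and account records below are constructed, not real traffic.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of Apache "combined" access-log lines (not real traffic).
# /register.php as the signup form is an assumption about the install.
ACCESS_LOG = """\
203.0.113.10 - - [12/Mar/2023:10:14:02 +0000] "GET /register.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2023:10:14:05 +0000] "POST /register.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Mar/2023:10:14:40 +0000] "POST /register.php HTTP/1.1" 302 0 "-" "python-requests/2.28"
203.0.113.12 - - [12/Mar/2023:10:15:01 +0000] "POST /register.php HTTP/1.1" 302 0 "-" "python-requests/2.28"
203.0.113.13 - - [12/Mar/2023:10:15:33 +0000] "POST /register.php HTTP/1.1" 302 0 "-" "python-requests/2.28"
198.51.100.7 - - [12/Mar/2023:10:16:10 +0000] "GET /clientarea.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
198.51.100.8 - - [12/Mar/2023:14:02:17 +0000] "GET /register.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.8 - - [12/Mar/2023:14:03:50 +0000] "POST /register.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Constructed account-creation records: (creation time in UTC, client id).
# No particular WHMCS export format is assumed; adapt the loader to yours.
ACCOUNTS = [
    ("2023-03-12 10:14:05", 1001),
    ("2023-03-12 10:14:41", 1002),
    ("2023-03-12 10:15:02", 1003),
    ("2023-03-12 10:15:33", 1004),
    ("2023-03-12 14:03:51", 1005),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_log(text):
    """Parse combined-format lines into dicts; the timestamp is a naive UTC datetime."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        # Drop the "+0000" offset; the log is assumed to be written in UTC.
        ts = datetime.strptime(m.group("ts").split()[0], "%d/%b/%Y:%H:%M:%S")
        entries.append({"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
                        "path": m.group("path"), "ua": m.group("ua")})
    return entries


def correlate(accounts, entries, signup_path="/register.php", window_s=5):
    """Map each client id to the (ip, user_agent) of the signup POST logged within
    window_s seconds of the account's creation time, or None if no POST matches."""
    posts = [e for e in entries if e["method"] == "POST" and e["path"] == signup_path]
    matches = {}
    for created, cid in accounts:
        t = datetime.strptime(created, "%Y-%m-%d %H:%M:%S")
        hit = next((e for e in posts if abs((e["ts"] - t).total_seconds()) <= window_s), None)
        matches[cid] = (hit["ip"], hit["ua"]) if hit else None
    return matches


def bursts(accounts, window=timedelta(minutes=5), threshold=3):
    """Return (window_start, count) for every window in which at least `threshold`
    accounts were created; a burst's accounts are not counted again in a later window."""
    times = sorted(datetime.strptime(c, "%Y-%m-%d %H:%M:%S") for c, _ in accounts)
    found, i = [], 0
    while i < len(times):
        end = times[i] + window
        n = sum(1 for t in times[i:] if t < end)
        if n >= threshold:
            found.append((times[i], n))
            i += n  # skip the creations already covered by this window
        else:
            i += 1
    return found


def ua_counts(matches):
    """Count user agents across matched signups; a scripted client stands out here."""
    return dict(Counter(hit[1] for hit in matches.values() if hit))


if __name__ == "__main__":
    log = parse_log(ACCESS_LOG)
    matched = correlate(ACCOUNTS, log)
    for cid, hit in matched.items():
        print(cid, hit)
    print("bursts:", bursts(ACCOUNTS))
    print("user agents:", ua_counts(matched))
```

Against the constructed data, the four accounts created between 10:14 and 10:16 fall into one burst and three of them were submitted by a scripted client rather than a browser, which is the kind of evidence that separates "WHMCS is exploited" from "the signup form is being driven by a bot that clears the captcha". If no POST to the signup page matches a creation time, that unmatched account is the one worth a closer look in the logs, since it was created by some other path.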

OK, so the visitors are connecting to the normal signup pages, and you allow signups without purchase. Someone is connecting repeatedly over a VPN and setting up accounts and not being stopped by Recaptcha, so you feel WHMCS is hacked? Have I missed anything?


This is not a WHMCS security issue, as far as I can see. If the method you're using for signups isn't preventing this, that means it's probably a failure of ReCaptcha combined with allowing signups without a purchase. If you're using invisible recaptcha, change that to challenge/response and see if it helps. If that also fails to stop them, I'd suggest shutting off signups without a purchase, even if just for a while, if that's possible.

I'd try the captcha first, and see if it does anything. 

