hacking Mass Bogus New Account Creation

[TheHackRepairGuy]

For a while there I thought the bogus account creation was behind us.

But in the past few months I've seen a major uptick in bogus European new account creation.

Some bot out there are mass injecting new accounts nearly constantly. 

Anyone one else seeing this?

I see no way to stop it.

Anyone have recommendations on reducing the number of injected accounts into WHMCS?

Thanks.

[bear]

We allow signup only with a purchase.  That stops all the bot signups.
I'm curious how they're "injecting" accounts.  Do they go through the signup form, or are these simply appearing?

[TheHackRepairGuy]

 

Simply appearing,

So I suspect there is an exploit in the WHMCS that's allowing injection, without proper sanitizing of entry data. 

Yes there a Google CAPTCHA on page as well, so hacker is getting around that.

It's WHMCS exploit issue as far as I can tell.

This should not be possible, if the create account script had proper safeguards in place.

I might get 10 new account submissions in a the span of a few minutes from various IP addresses.

Attached is sample list of connections from one hacked server apparently.

 

Edited August 25, 2021 by TheHackRepairGuy
adding file

[bear]

Did each of those connections from that VPN (ipvanish) cause a new account?

[TheHackRepairGuy]

Yes.

[bear]

You need to match up the time of the account creation and the page they hit in the server logs. That's where I'd start. 
Is this WHMCS installation isolated from other software and users (like on a VPS all by itself, no Wordpress, etc)? If not, I'd be checking that vector as well. 

[TheHackRepairGuy]

Is it's own account.
Connecting to usual pages on site to create account.

[bear]

OK, so the visitors are connecting to the normal signup pages, and you allow signups without purchase. Someone is connecting repeatedly over a VPN and setting up accounts and not being stopped by Recaptcha, so you feel WHMCS is hacked? Have I missed anything?

[TheHackRepairGuy]

Not hacked, just susceptible to account creation exploits apparently.

Has been this way for 10 years.

Hoped they'd improved security by the latest version, but apparently not.

CAPTCHA is either failing to block bots or hackers have found a way to bypass it.

 

[bear]

This is not a WHMCS security issue, as far as I can see. If the method you're using for signups isn't preventing this, that means it's probably a failure of ReCaptcha combined with  allowing signups without a purchase. If you're using invisible recaptcha, change that to challenge/response and see if it helps. If that also fails to stop them, I'd suggest shutting off signups without a purchase, even if just for a while, if that's possible. 

I'd try the captcha first, and see if it does anything.