Jump to content
Sign in to follow this  

Mass Bogus New Account Creation

Recommended Posts

For a while there I thought the bogus account creation was behind us.

But in the past few months I've seen a major uptick in bogus European new account creation.

Some bot out there are mass injecting new accounts nearly constantly. 

Anyone one else seeing this?

I see no way to stop it.

Anyone have recommendations on reducing the number of injected accounts into WHMCS?


Share this post

Link to post
Share on other sites

We allow signup only with a purchase.  That stops all the bot signups.
I'm curious how they're "injecting" accounts.  Do they go through the signup form, or are these simply appearing?

Share this post

Link to post
Share on other sites
Posted (edited)


Simply appearing,

So I suspect there is an exploit in the WHMCS that's allowing injection, without proper sanitizing of entry data. 

Yes there a Google CAPTCHA on page as well, so hacker is getting around that.

It's WHMCS exploit issue as far as I can tell.

This should not be possible, if the create account script had proper safeguards in place.

I might get 10 new account submissions in a the span of a few minutes from various IP addresses.

Attached is sample list of connections from one hacked server apparently.



Edited by TheHackRepairGuy
adding file

Share this post

Link to post
Share on other sites

Did each of those connections from that VPN (ipvanish) cause a new account?

Share this post

Link to post
Share on other sites

You need to match up the time of the account creation and the page they hit in the server logs. That's where I'd start. 
Is this WHMCS installation isolated from other software and users (like on a VPS all by itself, no Wordpress, etc)? If not, I'd be checking that vector as well. 

Share this post

Link to post
Share on other sites

OK, so the visitors are connecting to the normal signup pages, and you allow signups without purchase. Someone is connecting repeatedly over a VPN and setting up accounts and not being stopped by Recaptcha, so you feel WHMCS is hacked? Have I missed anything?

Share this post

Link to post
Share on other sites

Not hacked, just susceptible to account creation exploits apparently.

Has been this way for 10 years.

Hoped they'd improved security by the latest version, but apparently not.

CAPTCHA is either failing to block bots or hackers have found a way to bypass it.


Share this post

Link to post
Share on other sites

This is not a WHMCS security issue, as far as I can see. If the method you're using for signups isn't preventing this, that means it's probably a failure of ReCaptcha combined with  allowing signups without a purchase. If you're using invisible recaptcha, change that to challenge/response and see if it helps. If that also fails to stop them, I'd suggest shutting off signups without a purchase, even if just for a while, if that's possible. 

I'd try the captcha first, and see if it does anything. 

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  

  • Similar Content

    • By thisismatt
      Hey all
      I have a few clients who don't host either websites or email with me, just using my domain registration services and have me manage their DNS for them. Historically though, they have had one, or both, of their site/email with me, so I need to do some housekeeping!
      I found this post giving one example of how to manage these clients within WHMCS effectively, which would deal with onboarding a new 'DNS only' client and tidy up those existing clients.
      The post though is nearly 6 years old; has anyone else got any other ways to handle this scenario - which is creating a WHMCS account for a client who doesn't need web or email hosting, but their DNS records need to be managed.
    • By HardSoftCode
      What is suspend client account?
      The suspend client account module for WHMCS was created to ensure that admin can have better control over the client account for violation the policies or terms of service. In the new suspend client account module, WHMCS will have a new option beside the close account and delete account options. With this module, admin will be able to suspend and set client account for auto termination. Once the suspension has been approved, the client will receive a warning notification and will then finally automatically be suspended. The timeline for when these notifications gets sent out, as well as when the actual suspension takes place, can be set up under the client profile section. After the client has been suspended, you will have the option to pause their suspension (unsuspend the client). This will allow time for the client to make changes and send the proof of fixing the violation. When the time limit has been reached and the client has not made any changes to fix the violation, the client account will be deleted or closed depends on the setting you setup. Please note that when the client account is suspended, that the billing will not be stopped. In other words, even though the account is suspended, the client will receive their monthly invoice.
      Why do you need suspend client account module?
      If you fell that your clients do not follow the website policies, terms of service or there is suspicious activity in client account like logged in from another country or using a VPN. You need to act and suspense the client account and send the client a warning notification. You know that WHMCS have only 2 options in client profile and they are close account and delete account and they are not a good solution for this kind of situation.
      How it works?
      After activating the suspend client account you can configure the module to suit your needs by going to configuration and select the type of suspension also you can set account termination type and enter the number of days for closing or deleting the client account if suspended. You also can select the support department you want the client to contact support. From the reason messages section, you can create unlimited suspension messages or edit the existing one to use them within the module. By going to the client profile section and looking at the other actions menu, you will see suspend client account added to the menu by clicking on the link you will have the option to select a reason for suspending the account or enter a custom reason message also you can send email notification to the client about suspending the account.
      3 types of suspension Logout the client if he tries to click any link 2 types of account termination Set the number of days for account termination Set the support department Suspend account reason message List suspended accounts Email notification For more details and screenshot visit the product page
    • By andyhughes73
      I have bought a domain on behalf of a customer, through my hosting provider. I would like to attribute this domain to my customer's WHMCS account for invoicing and renewal purposes but I'm not entirely sure how. The WHMCS system is also hosted on the same hosting provider. Not sure that's relevant, probably not.
      I have done a search to see if there are other posts but I've drawn a blank and I can't find it in the manual, or maybe I'm misunderstanding how to explain it.
      Any help would be much appreciated.
    • By battles
      I'm glad WHMCS finally came around to introducing this, however is there a way to convert our years and years of contacts/sub accounts into users?
    • By sokalsondha
      Hello Everyone.
      hope all are fine. can someone help me to modify this code a little so i can achieved what i am looking for.
      basically i have hook file for a client custom field. what the hook does is when i create a new customer its create a random 8 digit number for the custom field Account Number.
      its fine until now but the problem is
      1. This hook doesn't check the existing value in the database , so there is chance to create the duplicate account number and we cant allocate same account for two customer.
      2. once the Account created and we have the account number then any admin or staff can modify the client details form and easily change the account number. and this is another dangerous point.
      we cant change the account number for any customer. once we create the customer we will have permanent account number for that customer.
      so what can i do in this case with this hook? i have given the code in here.
      thanks again in advance
      use Carbon\Carbon;
      if (!defined("WHMCS"))
          die("This file cannot be accessed directly");
      function AccountNumber($vars) {
          $userid = $vars['userid'];
          $command = 'UpdateClient';
          $values = array(
              'clientid' =>  $userid,
              'customfields' => base64_encode(serialize(['Account Number'=>rand(11111111,99999999)]))
          $results = localAPI($command, $values);
          if ($results['result'] == 'success') {
              logActivity('Success :  Customer ID set successfully to User # '.$userid);
          } else {
              logActivity('Error :  Customer ID could not be set to User # '.$userid.'. Response : '.$results['result']);
  • Recently Browsing   0 members

    No registered users viewing this page.

  • Create New...

Important Information

By using this site, you agree to our Terms of Use & Guidelines and understand your posts will initially be pre-moderated