Jump to content
Anu

whmcs module problem

Recommended Posts

I hired someone to create a payment gateway module for my WHMCS website

I'm afraid he's going to enter a php code and get our customers' details, email, phone numbers.

Is it possible to commit such thefts through the whmcs Payment Gateway module?

How can we protect our site from such a thing?

Is there a way to test it once it is created? I will make a payment if it can be done

Share this post


Link to post
Share on other sites
24 minutes ago, WM Mods said:

Post the code here and someone can inspect it.

So, he pays for something, then posts it here and everyone else gets it free? Interesting. 

Share this post


Link to post
Share on other sites

If you're not sure, Pay someone else to check it or if you're not worried about that then post here! I agree with bear posting it here means you lose your investment, So it depends what you want/need and the agreement around the development.

As for competent devs I'm at a loss to recommend anyone as the best ones have lost interest - So the most prominent would probably be someone like wgs I don't know if @bear would be able to recommend someone with experience with building payment gateways and trustworthy? There's lots of people who spam this place but I haven't used them nor heard anything good about them (Apologies if I'm forgetting someone, Send the hate mail  or correct me by all means 😝)

Share this post


Link to post
Share on other sites
On 2/22/2022 at 11:40 AM, Anu said:

Is there a way to test it once it is created? I will make a payment if it can be done

Get a dev License that way you can provide that and don't have any clients. That way you are safe.

He and you can do all the tester

Share this post


Link to post
Share on other sites
Posted (edited)
On 2/22/2022 at 5:40 PM, Anu said:

Is it possible to commit such thefts through the whmcs Payment Gateway module?

It is not only possible but super easy. You don't even need this backdoor to be a WHMCS module. Generally speaking you can do that in 3 ways.

One (hit and run). Place a single PHP file that does the following:

  1. Read SQL credentials and encryption hash from configuration.php
  2. Export the entire database in a zip file
  3. Send you and email with the zip as attachment and the encryption hash in the body
  4. Self-destroy the script in question so that there's no trace of what happened

Now you can comfortably decrypt all passwords and do stuff safely from your own server.

Two (backdoor). Leave the backdoor hidden somewhere in WHMCS file system. Lamers usually bury this file in weird locations (eg. vendor folder) or inject the malicous code in official files, action hooks, modules, a nulled version of WHMCS or a cracked version of popular modules and templates. Thanks to the backdoor they can connect and do things in real time or tell the script to automatically do things (eg. override your PayPal email but you would easily spot them 🤣).

Three (intelligent backdoor). The most advanced way that leaves you with no way to protect yourself unless you hire a skilled developer to inspect every line of code. Sadly even with this there's the risk you can't protect yourself as one could hide the malicious code in highly intelligent ways.

On 2/22/2022 at 5:40 PM, Anu said:

How can we protect our site from such a thing?

With scheduled checksum validations you can easily protect yourself from one and two. Unfortunately 99% of WHMCS admins don't know anything about it so lamers don't even need to be worry about more intelligent ways to hide their stuff. That's why fortunately the third way I previously described is a rarity in WHMCS.

That said, the greatest way to protect youself is trust. I mean if I had to choose between modulesgarden.com and whmcs-free-awesome-spectactural-modules.cc or an unknown dev, I'd go with MG.

Edited by Kian

Share this post


Link to post
Share on other sites
On 4/29/2022 at 7:51 PM, Kian said:

That said, the greatest way to protect youself is trust. I mean if I had to choose between modulesgarden.com and whmcs-free-awesome-spectactural-modules.cc or an unknown dev, I'd go with MG.

Hi @Kian you are absolutely correct...it's best option to go for MG

However saying that we all should note that there are too many small companies and providers using WHMCS who might not be able to afford MG. In that case what security measures they can take and valid ones... security is important for everyone smaller or bigger they are right...

@WHMCS John please advise what WHMCS techs  recommend in such cases where security should be tight and strict...Thanks 

Share this post


Link to post
Share on other sites
On 5/1/2022 at 7:29 AM, ManagedCloud-Hosting said:

 please advise what WHMCS techs  recommend in such cases where security should be tight and strict...Thanks 

Hi there,

Protecting your WHMCS installation is all about your server security; WHMCS can only ever be as secure as the server it is hosted on. I'd suggest working with qualified server administrators to ensure that appropriate server-hardening techniques are in place, suitable for a system handling sensitive customer information.  I'd caution against installing, uploading or granting access to anything or anyone you do not trust implicitly or which might be subject to weak or vulnerable coding practices/lacking in maintenance.

Guidance specific to the WHMCS software is located at https://docs.whmcs.com/Further_Security_Steps

Share this post


Link to post
Share on other sites
Posted (edited)
On 5/1/2022 at 8:29 AM, ManagedCloud-Hosting said:

However saying that we all should note that there are too many small companies and providers using WHMCS who might not be able to afford MG. In that case what security measures they can take and valid ones... security is important for everyone smaller or bigger they are right...

As I posted somewhere else on this community, the key thing is performing scheduled checks on every sensitive file (eg. php) in order to detect intruders and anomalies. I'll try to give you an idea of what I am talking about.

Let's say you are running v8. First thing first, calculate the checksum of every file contained in the official release of WHMCS. It doesn't take much time. Once finished, save all results in a file. It can be a json or PHP array. It really doesn't matter.

Now on a daily basis or more frequenty, perform the same check against your live installation of WHMCS and compare your "live" checksums with ones you have previously taken from v8 files. An image is worth a thousand words.

adf7.png.2de86163742f99ae43390413e4588d33.png

A checksum mismatch means that the file on your system (eg. cart.php) has been altered and probably contains a backdoor or injector. This can happen in multiple ways but in essence the lamer deobsfuscates an official file of WHMCS, adds its malicious code, (usually) re-obsfuscates it with ionCube and upload it on your system.

As for the upload part, you are probably thinking of things like FTP and FileZilla but it is easier and scarier than you would expect 😐

Let's suppose I manage to inject my stuff in DNSManager of Modulesgarden (this is just an example - MG are not stupid and surely know what to do). Thousands of providers upload it on their system... bingo!

At this point I just need a scraper that uses Google to find all websites powered by WHMCS and a bot that detects if they are running the DNSManager that contains my backdoor et voilà. I have a list of hundreds if not thousands of WHMCS I can violate.

As a side note, if I manage to get my hands on DNSManager, I'll probably inject my code in an official file of WHMCS or even better in a new one. Using the module as a mere trojan horse, allows me to violate your system even if you uninstall DNSManager, if you patch it or upgrade your WHMCS.

In conclusion the easiest way to protect yourself is comparing checksums and apply actions. For example personally I configured it to send me an email and neutralize suspicious files automatically (moved to quarantine directory). I don't care if my sites stops working. Security > 404 page.

adf8.thumb.png.47331b2bafed4562101e247aabffefa5.png

Possibly you should also combine it with downloading stuff only from trusted developers. A module downloaded from MG is 99.99% safe. You can say the same for random websites and developers.

Keep in mind above screenshots come from a WHMCS module I was going to release for free. Basically I was creating the interface for the script I have always used to protect my site. One time, more than a decade ago, it saved my 🍑 Someone I think I know, tried use me as a trojan horse to get to my customers but luckily this tool did his job.

I abandoned this project since at the moment WHMCS represents a microscopic part of my job. I had even calculated checksums for every file of every version and hotfix of WHMCS starting from v5 🥵 A complete waste of time 🤣

Edited by Kian

Share this post


Link to post
Share on other sites

@Kian Hi, Thanks for you detailed explanations on this topic... 

 

19 minutes ago, Kian said:

I abandoned this project since at the moment WHMCS represents a microscopic part of my job. I had even calculated checksums for every file of every version and hotfix of WHMCS starting from v5 🥵 A complete waste of time 🤣

Yes you are right one decision and life changes course...

 

21 minutes ago, Kian said:

Possibly you should also combine it with downloading stuff only from trusted developers. A module download from MG is 99.99% safe. You can say the same for random websites and developers.

Knowing and using codes / scripts / software from  trusted developers who value security  is actually the best thing to do. 

Share this post


Link to post
Share on other sites

That's actually very insightful - shame watchdog never made it into the wilderness! Although didn't MG or one of the big ones get hacked?  Anyway, hope you're keeping well and looking forward to leap! We'll be sponsoring when you open up to public sponsors! 

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use & Guidelines and understand your posts will initially be pre-moderated