elonmusk, Posted March 12

Hello,

Someone is creating users in my WHMCS with Local API User. How can I disable this? Kindly reply as soon as possible. I appreciate any help you can provide.

Azhar Patel, Posted March 12

@elonmusk Check the log to see which API user it's being created with, so you can edit the role assigned to that user and remove API access.

Hope this will help you.

elonmusk (Author), Posted March 12 (edited)

I have checked all admin users' logs, and nothing shows about the API log. One admin user had API access in the permission given below:

- Manage API Credentials
- API Access

I have turned it off. All I see in the activity log is a Local API User.

Does restricting API access affect billing gateways' ability to update invoices as we use their API to update the invoice?

Is there any way to turn off creating users via API?

Azhar Patel, Posted March 12

No, I think this is some other issue. Can you check the client create logs and, if possible, post them here?

elonmusk (Author), Posted March 12

Where can I check this?

Azhar Patel, Posted March 12

Go to the client which seems to be created by the API; the last tab there is Logs.

elonmusk (Author), Posted March 12 (edited)

I have deleted these clients now. I checked the logs before, and nothing was a special user created; email verification and a welcome email were there. It seems it is a bug in Version 8.11.2. I have to update it first.

Azhar Patel, Posted March 12

Maybe you are having spam user registration. You can simply enable captcha from the settings and it will stop.

elonmusk (Author), Posted March 12

I have disabled user registrations since I am using WHMCS. The only way to create a user is when someone orders a service, and I didn't see any orders or order emails in the logs.

WHMCS John (WHMCS Support Manager), Posted March 12 (marked as Solution)

Hi @elonmusk,

The LocalAPI user is invoked locally, i.e. by a file on your website that isn't a part of the stock WHMCS software. This will likely be an after-market customisation, perhaps something like a custom order form.

I suggest comparing your WHMCS files against the stock ones for any additionals you may have, as they could be the cause.

elonmusk (Author), Posted March 12 (edited)

1 hour ago, WHMCS John said:

> Hi @elonmusk,
>
> The LocalAPI user is invoked locally, i.e. by a file on your website that isn't a part of the stock WHMCS software. This will likely be an after-market customisation, perhaps something like a custom order form.
>
> I suggest comparing your WHMCS files against the stock ones for any additionals you may have, as they could be the cause.

I also suspect this. I use WS OnePage Checkout from @wsa, and they have not updated it to a new version even though it is not compatible with PHP 8. Their license server was also compromised before, and they released an update silently for the users.

I have disabled the one-page cart for now. Let's see if it helps.

I can share the file here if anyone can analyze the code.

@townhalldental06 What do you feel is necessary to give an opposing point? You just joined 40 minutes ago.

bear, Posted March 12

13 minutes ago, elonmusk said:

> I can share the file here if anyone can analyze the code.

If it's a paid addon, it's unlikely that would be ok with the seller, though I'm sure others (and myself) would like to try and spot the issue.

elonmusk (Author), Posted March 12

Yes, it is a paid add-on. I have also paid for the updates, but they are not updating and keep saying we are working on it. I am not sharing the license code, so files without a license code can be shared here for testing.

I also checked server access logs with the IP address used to create the user and found that the domain registration URL is showing in the logs. It does not work in PHP 8, so I was using PHP 7.4. I have also requested it many times here, but it has not been updated yet.

All the IP addresses used by users have the same domain registration URL.

[12/Mar/2025:09:36:19 +0000] "GET /cart.php?a=add&domain=register HTTP/2" 302 0 "-" "Mozilla/5.0 (iPad; CPU OS 17_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/132.0.6834.100 Mobile/15E148 Safari/604.1"'
[12/Mar/2025:09:36:19 +0000] "GET /index.php?m=opc&domainaction=register HTTP/2" 200 13722 "-" "Mozilla/5.0 (iPad; CPU OS 17_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/132.0.6834.100 Mobile/15E148 Safari/604.1"'
[12/Mar/2025:09:36:20 +0000] "POST /cart.php?a=add&domain=register HTTP/2" 302 0 "https://xxxx.com/cart.php?a=add&domain=register" "Mozilla/5.0 (iPad; CPU OS 17_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/132.0.6834.100 Mobile/15E148 Safari/604.1"'
[12/Mar/2025:09:36:20 +0000] "POST /index.php?m=opc&domainaction=register HTTP/2" 200 25 "https://xxx.xom/cart.php?a=add&domain=register" "Mozilla/5.0 (iPad; CPU OS 17_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/132.0.6834.100 Mobile/15E148 Safari/604.1"'

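Added example (not part of the thread): a small detector over access logs shaped like the excerpt above, flagging client IPs whose POST to the `m=opc` endpoint follows their first request to it within a few seconds, as in the 09:36:19 to 09:36:20 sequence. It assumes the combined log format with the client IP as the first field; the IPs (documentation ranges), the shortened user agent and the 5-second threshold are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines, modelled on the excerpt in the post above.
SAMPLE = """\
203.0.113.7 - - [12/Mar/2025:09:36:19 +0000] "GET /cart.php?a=add&domain=register HTTP/2" 302 0 "-" "UA"
203.0.113.7 - - [12/Mar/2025:09:36:19 +0000] "GET /index.php?m=opc&domainaction=register HTTP/2" 200 13722 "-" "UA"
203.0.113.7 - - [12/Mar/2025:09:36:20 +0000] "POST /index.php?m=opc&domainaction=register HTTP/2" 200 25 "-" "UA"
198.51.100.4 - - [12/Mar/2025:10:02:11 +0000] "GET /index.php?m=opc&domainaction=register HTTP/2" 200 13722 "-" "UA"
198.51.100.4 - - [12/Mar/2025:10:05:40 +0000] "POST /index.php?m=opc&domainaction=register HTTP/2" 200 25 "-" "UA"
198.51.100.9 - - [12/Mar/2025:10:07:00 +0000] "GET /clientarea.php HTTP/2" 200 5120 "-" "UA"
"""

def parse(lines):
    """Yield (ip, time, method, path) for each line that matches the pattern."""
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["method"], m["path"]

def fast_checkout_posts(lines, max_seconds=5):
    """IPs whose POST to the m=opc endpoint came within max_seconds of their first hit on it."""
    first_seen, flagged = {}, defaultdict(list)
    for ip, ts, method, path in parse(lines):
        if "m=opc" not in path:
            continue
        first_seen.setdefault(ip, ts)
        gap = (ts - first_seen[ip]).total_seconds()
        if method == "POST" and gap <= max_seconds:
            flagged[ip].append(ts.isoformat())
    return dict(flagged)

if __name__ == "__main__":
    for ip, times in fast_checkout_posts(SAMPLE.splitlines()).items():
        print(ip, times)
```

The timestamps it returns can be lined up against the creation times of the unexpected client accounts.
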
bear, Posted March 12

1 hour ago, elonmusk said:

> All the IP addresses used by users

You didn't show the IP, but it should be simple enough to block that while investigating.

elonmusk (Author), Posted 17 hours ago

The WS OnePage Checkout @wsa caused the issue. After I removed it from my server, no new user spam signup with the local API was detected again.

I also suspect that they have access to our database. Someone from outside can create user accounts without signing up using their OnePage Checkout, which means they also have access (including @wsa) to our database.

Additionally, their script coding is encrypted. Coding should be open source in WHMCS/addon/theme so users can analyze the code. I've never seen this in other scripts; it is unique to WHMCS.

bear, Posted 11 hours ago

5 hours ago, elonmusk said:

> Coding should be open source in WHMCS/addon/theme so users can analyze the code.

Though I agree in theory, the copying and repackaging of WHMCS addons is already a major issue for devs. Open code would make that worse.

I don't generally condone using decrypters, but in this case, if you're sure the script includes an actual back door, it may be warranted to do so. More likely it's just a flaw, but if it's intentionally in the code, that would be helpful to find out. I don't suggest you then share any of it, with the possible exception of the WHMCS staff. Your call.

wsa, Posted 2 hours ago

On 3/12/2025 at 1:00 PM, elonmusk said:

> Yes, it is a paid add-on. I have also paid for the updates, but they are not updating and keep saying we are working on it. I am not sharing the license code, so files without a license code can be shared here for testing.
>
> I also checked server access logs with the IP address used to create the user and found that the domain registration URL is showing in the logs. It does not work in PHP 8, so I was using PHP 7.4. I have also requested it many times here, but it has not been updated yet.
>
> All the IP addresses used by users have the same domain registration URL.
>
> [12/Mar/2025:09:36:19 +0000] "GET /cart.php?a=add&domain=register HTTP/2" 302 0 "-" "Mozilla/5.0 (iPad; CPU OS 17_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/132.0.6834.100 Mobile/15E148 Safari/604.1"'
> [12/Mar/2025:09:36:19 +0000] "GET /index.php?m=opc&domainaction=register HTTP/2" 200 13722 "-" "Mozilla/5.0 (iPad; CPU OS 17_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/132.0.6834.100 Mobile/15E148 Safari/604.1"'
> [12/Mar/2025:09:36:20 +0000] "POST /cart.php?a=add&domain=register HTTP/2" 302 0 "https://xxxx.com/cart.php?a=add&domain=register" "Mozilla/5.0 (iPad; CPU OS 17_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/132.0.6834.100 Mobile/15E148 Safari/604.1"'
> [12/Mar/2025:09:36:20 +0000] "POST /index.php?m=opc&domainaction=register HTTP/2" 200 25 "https://xxx.xom/cart.php?a=add&domain=register" "Mozilla/5.0 (iPad; CPU OS 17_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/132.0.6834.100 Mobile/15E148 Safari/604.1"'

Can you please open a ticket so my team can look into this?