BenHarris Posted March 28, 2008

Hi there. I've been using WHMCS for about 12 months now, and never had any problems. Today I received two failed login attempts from an IP address in Turkey to a user I did not create.

Login Time        Last Access       Logout Time       Username  Access IP Address
24/03/2008 15:06  24/03/2008 15:06  26/03/2008 18:11  admin2    88.***.151.177
24/03/2008 15:05  24/03/2008 15:05  24/03/2008 15:06  admin2    88.***.151.177
24/03/2008 14:59  24/03/2008 15:04  24/03/2008 15:05  admin2    88.***.151.177

There are no other unauthorised logins on either of the other usernames. I am therefore assuming that the install must have been exploited in some way. I am running version 3.6.0, and have no modifications. All files are chmodded correctly. What would you recommend I do? I have requested that the IP address is blocked at node/router level at the DC.

Regards
Ben Harris
Troy Posted March 28, 2008

If the login attempts failed, there is no security breach. Or am I missing something?
WHMCS Andrew (WHMCS Developer) Posted March 28, 2008

We always recommend following these security steps after installing WHMCS: http://wiki.whmcs.com/Furthur_Security_Steps
BenHarris Posted March 28, 2008

No, I discovered the user like yesterday, and deleted it. He obviously tried to login again today, and failed. I just don't want it to happen again. He has an open router, so I logged into it and changed his router's firewall to block all ports, which should give me some time to sort it out lol.

Cheers for that Andrew.
Ben
WHMCS Andrew (WHMCS Developer) Posted March 28, 2008

Hi Ben, can you see in the Admin log/activity log a time when you logged in when you didn't? If not, it may suggest a server breach rather than a WHMCS breach.
apollo1 Posted March 28, 2008

> We always recommend following these security steps after installing WHMCS: http://wiki.whmcs.com/Furthur_Security_Steps

Hi Andrew

Good tips, thanks. I followed the instructions to change the admin folder name, but now when I navigate to my admin (using the new folder name) I get this:

    Your license is invalid. Possible reasons for this include:
    * An incorrect license key has been used
    * The IP Address your system is using has changed
    * The domain you are using has changed
    * The directory you are using has changed
    You can reissue your license from the WHMCS client area to save the new IP, Domain & Directory settings and get your WHMCS system working again.
    Want to change your license key? Click here

Did I do something wrong or is this normal?
WHMCS Andrew (WHMCS Developer) Posted March 28, 2008

Hi, Sorry - should have mentioned. When you change your Admin directory, you would need to reissue your WHMCS License.
BenHarris Posted March 28, 2008

> Hi Ben, can you see in the Admin log/activity log a time when you logged in when you didn't? If not, it may suggest a server breach rather than a WHMCS breach.

There appears to be nothing wrong in the activity log, and the admin logs that are unauthorised are posted in the top post.

Ben
BenHarris Posted March 28, 2008

In reference to apollo1's post, I just changed the admin directory, and wasn't forced to reissue my license. Oh well, must be a 3.6.0 update? I also moved all three of the suggested directories outside of the publicly accessible site.

Cheers
Ben
apollo1 Posted March 28, 2008

I reissued my license and all is working fine now. I am using 3.6.0.
BenHarris Posted March 28, 2008

Maybe it's because I changed the config file before changing the directory. Oh well.

Ben
generic Posted March 28, 2008

So have you figured out if this was your server or WHMCS? From what you are saying, there is nothing in the logs showing that's how they got in?
BenHarris Posted March 29, 2008

Ahh, it obviously only does the checks every now and then (probs with the crons). I'm getting the message too now. Oh well, I'll just go re-issue.

On a more serious note. I just found 2 more unauthorised logins:

Login Time        Last Access       Logout Time       Username    Access IP Address
28/03/2008 15:50  28/03/2008 15:50  28/03/2008 16:04  myusername  81.***.255.144
26/03/2008 18:11  26/03/2008 18:13  26/03/2008 18:14  admin2      85.***.150.148
WHMCS Andrew (WHMCS Developer) Posted March 29, 2008

OK:

1. Change your WHMCS password
2. If you changed your Admin Directory and didn't tell anyone - it sounds like they have access to your server
3. Change your server password. Be this WHM, cPanel, DirectAdmin, Plesk, Root - any password you can think of - change it.
4. Make sure your email address isn't forwarding anywhere else

If there is anything else I have missed - let me know! hehe
BenHarris Posted March 29, 2008

*sigh* I've done all of that. I'm just trying to draw up the relevant access logs now.

Ben
Chrisw Posted March 29, 2008

This is not the first time I heard this story... password protect your admin area with .htaccess
MACscr Posted March 29, 2008

> No, I discovered the user like yesterday, and deleted it. He obviously tried to login again today, and failed. I just don't want it to happen again. He has an open router, so I logged into it and changed his router's firewall to block all ports, which should give me some time to sort it out lol.
>
> Cheers for that Andrew.
> Ben

So you're saying that there was an admin username in your WHMCS admins listing that you did not create? That's a scary thought.
mylove4life Posted March 29, 2008

This might be more serious now, have a pro go through it and look for a root kit and the like.... If it was me and you can, I would reformat and install a fresh OS on the box and go from there... It sucks I know, but you have to be safe...
BenHarris Posted March 29, 2008

> So you're saying that there was an admin username in your WHMCS admins listing that you did not create? That's a scary thought.

Yes, the user "admin2" was created. It was an exact duplicate of my own account excluding the password and username. I discovered it when I went to flag a ticket and there were 2 "Ben Harris" options.

> This might be more serious now, have a pro go through it and look for a root kit and the like.... If it was me and you can, I would reformat and install a fresh OS on the box and go from there... It sucks I know, but you have to be safe...

I'm going through all of the access logs now. But there are thousands and thousands of entries for the time period it's over.

Ben
generic Posted March 30, 2008

FYI, I had someone from Iraq playing with my server yesterday, ip was 81.90.18.33. They did signup through WHMCS in my system without a credit card and then they also signed up for an account on an osCommerce site I am hosting for a client.

I really wish WHMCS did not send anything out until the card gets processed. As it is now, a fake card still sends out a welcome email and an email that your card did not process. (They already know this because they tried signing up and could not.) But they still get emails from WHMCS. (Not the end of the world, just a wish.)

Something was not right, but I couldn't figure out what they were doing other than probing the ordering systems, so I just chose to ban all Iraq IP addresses from my server at the firewall level.

Yet another reason not to advertise your WHMCS site here in these forums... with all the "check out my site and my admin area" posts, it's like open season for hackers.
BenHarris Posted March 30, 2008

Yep, hence I have never mentioned my site on here.
chrismfz Posted March 30, 2008

> OK:
>
> 1. Change your WHMCS password
> 2. If you changed your Admin Directory and didn't tell anyone - it sounds like they have access to your server
> 3. Change your server password. Be this WHM, cPanel, DirectAdmin, Plesk, Root - any password you can think of - change it.
> 4. Make sure your email address isn't forwarding anywhere else
>
> If there is anything else I have missed - let me know! hehe

Create a .htaccess file in the admin directory and force Apache Auth before WHMCS Authentication. Create a user with htpasswd or find a site htaccess generator like http://www.webmaster-toolkit.com/htaccess-generator.shtml

So, everyone has to pass through Apache's Authentication first to see admin/index.php or ANYTHING in the /admin/ directory.

.htaccess file:

    AuthUserFile /full/path/to/.htpasswd
    AuthType Basic
    AuthName "My Secret Folder"
    Require valid-user

I also use something SIMILAR to that (I can't tell in public) for "extra" peace of mind:

.htaccess file 2:

    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteCond %{REQUEST_URI} somefolder
    RewriteRule ^(.*)$ https://www.domain.com/somefolder/$1 [R,L]

So I "force" an SSL login to the admin page by default.

Regards,
Chris
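To show what the `AuthType Basic` / `Require valid-user` layer above actually checks, here is an added example (not Chris's code and not Apache's implementation): it builds `.htpasswd` entries in Apache's `{SHA}` format, then evaluates an HTTP `Authorization: Basic` header the way `Require valid-user` would. The users and passwords are constructed for the example; the file path and the `authorize` helper are assumptions, not WHMCS or Apache API.

```python
import base64
import hashlib
import hmac


def make_sha_entry(username: str, password: str) -> str:
    """Return one .htpasswd line in Apache's {SHA} format: base64 of the raw SHA-1.
    This is what `htpasswd -s` writes (unsalted, so only used here for illustration)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{username}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def parse_htpasswd(text: str) -> dict:
    """Map username -> stored hash, skipping blank and '#' lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, hashed = line.partition(":")
        users[user] = hashed
    return users


def check_password(stored: str, password: str) -> bool:
    """Constant-time comparison of a candidate password against a {SHA} entry.
    Other htpasswd formats (crypt, $apr1$, bcrypt) are deliberately not handled here."""
    if not stored.startswith("{SHA}"):
        return False
    expected = stored[len("{SHA}"):]
    actual = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")
    return hmac.compare_digest(expected, actual)


def basic_header(username: str, password: str) -> str:
    """Build the Authorization header a browser sends for Basic auth (RFC 7617)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def authorize(header, users: dict):
    """Return the authenticated username for a valid Basic header, else None.
    Mirrors `Require valid-user`: any user present in the file with the right password passes."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # Only the first ':' separates user from password; passwords may contain ':'.
    user, sep, password = raw.partition(":")
    if not sep or user not in users:
        return None
    return user if check_password(users[user], password) else None


# Constructed sample .htpasswd (two illustrative users; not real credentials).
SAMPLE_HTPASSWD = "\n".join([
    "# users allowed into /admin/ before WHMCS ever sees the request",
    make_sha_entry("alice", "correct-horse"),
    make_sha_entry("bob", "p:ss:word"),
])
SAMPLE_USERS = parse_htpasswd(SAMPLE_HTPASSWD)

if __name__ == "__main__":
    print(SAMPLE_HTPASSWD)
    print(authorize(basic_header("alice", "correct-horse"), SAMPLE_USERS))  # alice
    print(authorize(basic_header("alice", "guess"), SAMPLE_USERS))          # None
```

For a real file, generate entries with `htpasswd -B` (bcrypt) rather than `{SHA}`; the unsalted SHA-1 form is kept here only because it is easy to reproduce without third-party libraries. The point the example makes is the ordering: an unknown user or wrong password never reaches WHMCS's own login form, so the second, separate credential is the one an attacker with a stolen WHMCS admin password still lacks.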
BenHarris Posted March 31, 2008

Chris, I'm not a great fan of the first htaccess (however I may use it in the future if needs be), however, the second one is a very good idea. I have just implemented that now.

You may also be interested in one of my new methods of security which allows only selected IP addresses/ranges to login. I basically know that there are only 4 subnets that I will need to login from. So I use this in my htaccess:

    # This htaccess is designed to allow access to only certain IP addresses/ranges
    Order Deny,Allow
    Deny from all
    # Location 1
    Allow from 111.111.
    # Location 2
    Allow from 222.222.
    Allow from 223.223.
    # Location 3
    Allow from 333.333.333.333

Basically, Location 1 has a dynamic IP, but the subnet is always the same, Location 2 the subnet varies (between 2 subnets), Location 3 has a static IP. The example in Locations 1 & 2 means that anything from 111.111.0.0 - 111.111.255.255 can login essentially.

Works well, and means those Turkish IPs can't get near my admin area. (If they manage to work out where it is that is )

Regards
Ben

EDIT: Sorry about my comments, I always comment my htaccess lol
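Ben's rules are worth checking rather than trusting, because `Order` semantics and partial-address prefixes are easy to get backwards. The following is an added example (not Ben's or Apache's code) that evaluates Apache 2.2 `Order`/`Deny`/`Allow` directives against a client address and reports how many addresses each rule set admits. It reuses Ben's rules verbatim except that `333.333.333.333`, which is not a valid IPv4 address, is replaced by the constructed stand-in `198.51.100.7`; the function names are assumptions for this example.

```python
import ipaddress

# Ben's .htaccess from the post, with the placeholder 333.333.333.333 swapped for a
# constructed, valid address (198.51.100.7) so the example parses.
BEN_RULES = """
# This htaccess is designed to allow access to only certain IP addresses/ranges
Order Deny,Allow
Deny from all
# Location 1
Allow from 111.111.
# Location 2
Allow from 222.222.
Allow from 223.223.
# Location 3
Allow from 198.51.100.7
"""


def parse_spec(spec: str):
    """Turn one Allow/Deny argument into an ip_network.
    Accepts a full address, CIDR (a.b.c.d/n) and Apache's partial forms
    ('111.111.' or '111.111'), which mean 'the first 1-3 octets must match'."""
    spec = spec.strip()
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    octets = [o for o in spec.split(".") if o != ""]
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address or prefix: {spec!r}")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")


def parse_htaccess(text: str):
    """Extract (order, allow_rules, deny_rules); a rule is 'all' or an ip_network."""
    order, allow, deny = None, [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # strip comments like Ben's
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif directive in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            target = allow if directive == "allow" else deny
            for spec in parts[2:]:
                target.append("all" if spec.lower() == "all" else parse_spec(spec))
    return order, allow, deny


def _matches(rules, ip) -> bool:
    return any(rule == "all" or ip in rule for rule in rules)


def is_allowed(htaccess_text: str, client_ip: str) -> bool:
    """Apply mod_authz_host (Apache 2.2) Order semantics to one client address."""
    order, allow, deny = parse_htaccess(htaccess_text)
    ip = ipaddress.ip_address(client_ip)
    allowed, denied = _matches(allow, ip), _matches(deny, ip)
    if order == "deny,allow":
        # Deny rules first; an Allow match overrides; unmatched requests are permitted.
        return allowed or not denied
    if order == "allow,deny":
        # An Allow must match and no Deny may match; unmatched requests are refused.
        return allowed and not denied
    raise ValueError(f"unsupported or missing Order directive: {order!r}")


def allowed_address_count(htaccess_text: str) -> int:
    """How many addresses the Allow rules admit (assumes the rules do not overlap)."""
    _, allow, _ = parse_htaccess(htaccess_text)
    return sum(rule.num_addresses for rule in allow if rule != "all")


if __name__ == "__main__":
    for ip in ("111.111.5.6", "111.112.0.1", "223.223.200.1", "198.51.100.7", "88.0.151.177"):
        print(ip, "allowed" if is_allowed(BEN_RULES, ip) else "denied")
    print("addresses admitted:", allowed_address_count(BEN_RULES))
```

Two things the numbers make visible: the three partial prefixes admit 3 x 65,536 addresses plus the one static host, which is the whole of three /16 blocks, so anyone else inside the same ISP allocation passes the check; and because `Deny from all` is combined with `Order Deny,Allow`, the default for an unmatched address is deny, which is the intended direction. On Apache 2.4 these directives need `mod_access_compat`; the native equivalent is `Require ip 111.111` and friends.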
chrismfz Posted March 31, 2008

If the server has ConfigServer Firewall and Monitor, it can identify & block brute force attacks based on htaccess Authentication. So htaccess auth + ConfigServer is enough for an "extra" precaution. Not only this of course.
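The detection Chris is relying on works because every failed Basic-auth attempt leaves a 401 in the Apache access log. As an added example (not ConfigServer's code, whose thresholds and matching are its own), here is the same idea in a few lines: walk combined-format log lines, keep a sliding window of 401s per client address against the admin path, and flag an address once it crosses a threshold. The log lines, threshold and window are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one address hammering /admin/ with bad credentials,
# one legitimate admin, one address with a single failure before a success.
SAMPLE_LOG = """\
192.0.2.10 - - [29/Mar/2008:15:50:01 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - ben [29/Mar/2008:15:50:05 +0000] "GET /admin/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - admin [29/Mar/2008:15:50:10 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
198.51.100.5 - - [29/Mar/2008:15:50:12 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "curl/7.18"
192.0.2.10 - admin2 [29/Mar/2008:15:50:20 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.10 - root [29/Mar/2008:15:50:31 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
198.51.100.5 - ben [29/Mar/2008:15:50:40 +0000] "GET /admin/ HTTP/1.1" 200 5120 "-" "curl/7.18"
192.0.2.10 - test [29/Mar/2008:15:50:45 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.10 - - [29/Mar/2008:15:51:02 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
this line is not in combined format and must be skipped, not crash the parser
"""


def parse_line(line: str):
    """Return (ip, timestamp, request_path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    parts = m.group("req").split()
    path = parts[1] if len(parts) >= 2 else ""
    return m.group("ip"), ts, path, int(m.group("status"))


def find_bruteforcers(lines, threshold=5, window_seconds=300, path_prefix="/admin/"):
    """Map each offending IP to the time it first reached `threshold` 401 responses
    for `path_prefix` within a sliding window of `window_seconds` (log is assumed ordered)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path, status = parsed
        if status != 401 or not path.startswith(path_prefix):
            continue
        failures = recent[ip]
        failures.append(ts)
        while failures and ts - failures[0] > window:   # drop failures outside the window
            failures.popleft()
        if len(failures) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def run_sample(**kwargs):
    """Run the detector over the constructed sample log (convenience for tests/demo)."""
    return find_bruteforcers(SAMPLE_LOG.splitlines(), **kwargs)


if __name__ == "__main__":
    for ip, when in run_sample().items():
        print(f"{ip} crossed the threshold at {when:%H:%M:%S}; candidate for a firewall block")
```

The detector keys on the 401 status, so it only sees failures against the Apache layer, which is precisely why putting Basic auth in front of WHMCS is useful: failed attempts against the WHMCS form itself return 200 and are invisible here. A single failure followed by a success (the `198.51.100.5` lines) is a typo, not an attack, and is never flagged.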
BenHarris Posted March 31, 2008

I would explain the rest, but it might defeat the point in doing it. You never know, the Turkish dude might be reading this right now.

Anyhow. I'm pretty sure that I'm secure now. I have even re-uploaded all of my WHMCS files just in case.

I also had a thought. If you move your admin directory, you could make a spoof admin directory, so they would be mindlessly brute forcing a form. Heh

Ben