Fake Admin Login Page

[BenHarris]

Hah Dan, I was gonna do that

[Zorro67]

I've recieved about 5 from some of your logins, and I have to say some of them look like they might be your real WHMCS logins.

 

ben, I have to stick my hand up as not knowing about the email to you. I have since changed. Appreciate the followup

 

Again, great work

[Shimmy]

This is fantastic, thanks for your hard work.

 

I have to say that I'm guilty about the email as well...but it's not my real login info.

 

Also, when I go to the fake page, the "Login Failed. Please Try Again.

Your IP has been logged and Admins notified of this failed attempt." is already showing...is it supposed to do this or did I not read something right?

[BenHarris]

Its just hardcoded. I will probably make it more dynamic some time, but Im having some dam server quota issuse at the moment. Were gonna have to take the server down for 5 hours tomoro to upgrade the OS and all that.

 

And dont worry about the emails. If your lucky, I might make a dummy login to say Hi

 

Its nice to see people using it

 

Ben

[Zorro67]

Hi guys,

 

having real problems using this mod.

 

becasue you are changing when the name of the admin directory, a licence re-issue is required (obvoiusly)

 

However, the new licence key that i get doesn't work, so the admin section is no longer accessable.

 

i had read earlier in the thread about a notation to add to the configuration.php file, but another recent thread mentioned that this notation {$customadminpath="renamedadmindirectory"} is for the purposes of links in admin emails, and not for the path of the actual admin directory.

 

http://forum.whmcs.com/showthread.php?t=2208

 

So i can get this to work well, until i update my licence key, then I am 'bugggred'

 

given that WHMCS polls your licence key weekly, not everone using this mod may have yet "hit the wall".

 

If i am mistaken, please feel free to correct me, better yet, suggest a fix.

 

 

PS for clarification:- my licence is leased through a local reseller, not owned (i like dealing with local people, ok. Got a beef with that? )

[Nick]

given that WHMCS polls your licence key weekly, not everone using this mod may have yet "hit the wall".

 

I think WHMCS checks immediately if it knows something has changed (I.E. IP, path, domain). Its weekly polls are to check if a license has been revoked or changed without any changes locally.

[Daniel]

Thats how I thought it worked too.

 

Zorro - Had you changed your admin directory before installing this mod or at the same time?

 

Try reissuing the license again, I don't see why it would work or how this mod would affect that.

[Shimmy]

If you go into your client area here on WHMCS you can reissue your license. I did and it worked fine.

[BAJI26]

I think that the link to the new folder hasn't been applied to the license.

[Zorro67]

My re-seller issue theincorrect licence no.

 

Once they re-issued the licence number properly the system worked fine.

If you have similar problems, its most likely to be a licence issue (assumuming you've correctly configured).

 

Cheers

[indtg]

Make sure you also update the link for your cronjob.

 

See Configuration > Automation Settings for the updated link.

[drtduarte]

This mod is great, it was in my to do list, just trying to figure how to change the date to dynamic...

 

[Daniel]

The dynamic date code is in my original file. Take a look at that and edit Bens login template.

[drtduarte]

Ohhh too late I have finished my own code, in a more complicated way... I'm not a php coder.

 

My code:

<?php

$full_text_day = date("l");

$day = date("jS");

$full_text_month = date("F");

$year = date("Y");

$time = date("g:ia");

?>

 

<?php

echo $full_text_day; ?> <b>|</b> <?php echo $day;?> <?php echo $full_text_month;?> <?php echo $year;?> <b>|</b> <?php echo $time;?></div>

 

LOL I know...

 

Aniway I found that to be exactly like the original you need to replace:

print date("dS F Y");

 

by

 

print date("jS F Y"); - will print the day without the leading zero, as on the original.

 

Thanks to all

David

[drtduarte]

Any plans to build the Forgotten password page?

[Mjhorsy]

Works! Thanks alot.

[meeven]

Make sure you also update the link for your cronjob.

 

See Configuration > Automation Settings for the updated link.

 

Useful tip, but WHMCS automatically updates the cron settings, at least in 3.6

[BAJI26]

Useful tip, but WHMCS automatically updates the cron settings, at least in 3.6

 

I think he meant you must change the admin dir in cPanel >> Cron with the updated one in Whmcs Admin Panel.

[columbusgeek]

No wonder none of my monthly invoices got sent. Thanks INDGT.

[iLLuSi0nS]

I have been reading this post, and think this is a great idea, but wouldnt password protecting the admin directory solve this problem? I mean, i have set a 24 digit alpha numeric password that is pretty much un hackable, and even after that, you still have the whmcs login.

 

If a hacker wants to get in and is really really dedicated, they will get in, doesnt matter what you do.

[webadpro]

iLLuSi0nS, this is not for security but just for tricking the hacker, thinking that he is on the right login page.

[ur]

yes, password protecting with htaccess or httpd.conf entries along with a password file outside the document directory is easiest and relatively secure. just don't use silly usernames and passwords, as illusions points out

 

One note about htaccess ... remember the licensing. We noticed that on occasion the licensing would get invalidated, so now we have allowed the licensing server to our install.

 

Also instead of using htaccess with passwords, you can also use static ips.

 

here's a short quick method:

 

<Files ~"^.htaccess$">

order allow,deny

deny from all

</Files>

 

ErrorDocument 403 /403.shtml

 

 

# if your 403 is in the same folder as this htaccess,

# make sure to allow it and change the path on

# the error document above

 

<Files 403.shtml>

order allow,deny

allow from all

</Files>

 

AuthName "None"

AuthType Basic

 

<Limit GET POST>

order deny,allow

deny from all

 

# List of IPs to allow:

 

allow from 1.2.3.4

allow from 6.7.8.9

 

</Limit>

[ur]

iLLuSi0nS, this is not for security but just for tricking the hacker, thinking that he is on the right login page.

 

Why trick someone? just disallow it in the first place

 

YOu know what they say about security through obscurity ....

 

more ...

 

also, if you just want to know the IP looking for the admin login and want to ban their IP, you can have htaccess run a script to send it to you and even automatically add their IP to DROP in your firewall.

[Daniel]

This isn't supposed to be an alternative to properly securing your admin, it is supposed to be used in conjunction with htaccess on your real directory and all other methods.

[brianoz]

What would be really nice would be triggering CSF to block an IP probing your WHMCS installation. You may be able to do this with mod_security, but you'd have to do it in such a way that the 406 error wasn't visible... this would be rather nice though!