Sonu2007 Posted October 30, 2008
My WHM has been hacked many times, and they change the PayPal email. I don't know how they get the password each time. They have also made some modifications in each and every account. How do I stop it? I have now protected the admin area with an HTTP password. Thanks
bear Posted October 30, 2008
There are many ways something could be accessed. You will need to determine how they're getting in before you can determine how to stop them. Check logs, ask your provider...that sort of thing.
bluenova Posted October 30, 2008
A couple of steps I took...
1. Move the location of the admin directory to a nondescript location.
2. Make a master account with full access and a very strong password; don't use this account for daily use, and change the password on a regular basis. Make limited accounts for your admins' daily use, where they cannot change things like payment gateways and server settings. Make sure your admins change their passwords on a regular basis and use strong passwords.
Sonu2007 Posted October 30, 2008
Is it possible to rename the admin dir to something else? How? I have only administrator access. Thanks
BAJI26 Posted October 30, 2008
Look here: http://wiki.whmcs.com/Furthur_Security_Steps
simplybe Posted October 30, 2008
If you have been hacked many times, it is possible you are leaking the login details. Check your PC for keyloggers.
handsonwebhosting Posted October 30, 2008
There were some incidents on another forum that I visit that were having FTP compromised through iFrame injection attacks. As stated by simplybe, it's likely that you have a keylogger on your computer if you're changing passwords and they're still getting in with the correct password.
Two things: http://www.kaspersky.com/ --- get it. They seem to do a better job finding keyloggers. The other is to change the passwords on the server using ANOTHER computer. It sure sounds like the computer you're using is compromised.
jozeph Posted October 30, 2008
Set up htaccess for your admin directory!
handsonwebhosting Posted October 31, 2008
If it's a keylogger then any time you TYPE it will log it. So putting an extra layer of protection does no good if the system is infected.
Sonu2007 Posted October 31, 2008
> If it's a keylogger then any time you TYPE it will log it. So putting an extra layer of protection does no good if the system is infected.
No, I do not have a keylogger on my PC. I have been using Kaspersky for 3 years. When I searched, I found a c99 shell in my WHMCS dir, and 1 WHMCS database backup file of 1 reputable hosting provider. Also, I always use system-generated passwords. I don't know how they did it. Thanks
bear Posted October 31, 2008
That file was found in which directory, the main one, or one of the writable ones? Is this on the same server as your clients/customers? Are there other WHMCS installs on this server? Is this a licensed installation of WHMCS (no offense intended)?
Sonu2007 Posted October 31, 2008
File found in main directory.
Yes, same server.
No, only 1 WHMCS installed.
Yes, licensed WHMCS.
bear Posted October 31, 2008
If it was in the main directory, that implies it was via FTP or some local shell. Unless the server/account/directory had incorrect permissions or settings, an intruder should not have been able to upload a file there without other credentials. Did you check the FTP logs around the time of the timestamp on the shell script? What about the cPanel logs for access through that? Have you grepped the domlogs for mention of the file name? Have open_basedir protection on? PHP up to date?
I'd also be curious to know how someone on your server had the database backup of someone else's WHMCS if no others are installed there. I'd check the logs for that filename as well, and suggest you do a security audit of your server right away. If you aren't familiar with the steps, you should hire someone to do it for you.
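
The log check described in the post above (FTP uploads of the file, then requests for it in the domlogs), as an added example that is not part of the thread. It assumes the FTP server writes the standard xferlog format and the domlogs are in Apache combined format; the file name, paths, user and IP addresses are constructed sample data.

```python
import re
from datetime import datetime

SUSPECT = "tools.php"  # hypothetical file name standing in for the uploaded script

# Constructed xferlog sample (direction field: i = upload, o = download).
XFERLOG = """\
Thu Oct 30 02:58:10 2008 1 198.51.100.20 5120 /home/example/public_html/whmcs/logo.png b _ i r example ftp 1 * c
Thu Oct 30 03:12:45 2008 1 203.0.113.7 28412 /home/example/public_html/whmcs/tools.php b _ i r example ftp 1 * c
Thu Oct 30 03:20:02 2008 2 198.51.100.20 90211 /home/example/public_html/whmcs/backup.zip b _ o r example ftp 1 * c
"""
# Constructed domlog sample in Apache combined format.
DOMLOG = """\
198.51.100.20 - - [30/Oct/2008:03:01:11 +0000] "GET /whmcs/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Oct/2008:03:13:02 +0000] "GET /whmcs/tools.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Oct/2008:03:13:40 +0000] "POST /whmcs/tools.php HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
192.0.2.55 - - [30/Oct/2008:09:45:19 +0000] "GET /whmcs/tools.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def ftp_uploads(xferlog, name):
    """Return (time, ip, ftp_user, path) for every FTP upload of `name`."""
    hits = []
    for line in xferlog.splitlines():
        f = line.split()
        if len(f) < 18 or f[11] != "i" or not f[8].endswith("/" + name):
            continue
        when = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
        hits.append((when, f[6], f[13], f[8]))
    return hits

def web_requests(domlog, name):
    """Return (time, ip, method, status) for every HTTP request to `name`."""
    hits = []
    for line in domlog.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(4).split("?")[0].endswith("/" + name):
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            hits.append((when, m.group(1), m.group(3), int(m.group(5))))
    return hits

def correlate(xferlog, domlog, name):
    """Summarise who uploaded the file over FTP and who later requested it."""
    uploads, requests = ftp_uploads(xferlog, name), web_requests(domlog, name)
    req_ips = {r[1] for r in requests}
    return {"uploads": uploads,
            "request_ips": sorted(req_ips),
            "uploaded_and_requested": sorted({u[1] for u in uploads} & req_ips),
            # No FTP record in this log: look at other paths (web upload, panel).
            "no_ftp_record": not uploads}

if __name__ == "__main__":
    print(correlate(XFERLOG, DOMLOG, SUSPECT))
```

An upload record names the FTP account whose credentials were used; an empty upload list for a file that exists on disk points away from FTP and toward the web application or control panel.
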
Vincent Vega Posted October 31, 2008
Check if it is possible that they access your SQL server.