TheHostHouse Posted November 23, 2008 Now, first of all... I'm not sure if this is a problem with WHMCS or some other piece of software with a security hole, but I thought I should post here. Our WHMCS got hacked earlier today and the hacker sent out a, to be honest, unacceptable email to all clients. I won't go into detail, but let's just say it directly insulted them. Now, apart from ruining our reputation and client relationships, I am now completely paranoid that it will happen again. I'd also like to know how it happened in the first place. The hacker signed up for a hosting account, and then sent the email. I have no idea how he/she did it, but when I look at the admin log in WHMCS, it shows the username "hacked" as logging in (see image). Just a warning to everyone out there. His IP address was 86.132.228.82.
hightekhosting Posted November 23, 2008 This is the first time I've ever heard of this happening. That said, the only way I can see this occurring is if you have an insecure password, but hey, I can be proven wrong. You'd best be lodging a ticket right away, mark it urgent.
TheHostHouse (Author) Posted November 23, 2008 That's true, but even if the password was slightly insecure, he got in straight away on the first attempt. I didn't get any emails about anyone logging in incorrectly and I even checked the Apache logs. It couldn't have just been a lucky guess. He must have got it from somewhere.
Daniel Posted November 23, 2008 Do you use this password anywhere else? I.e. on forums etc.? Which version of WHMCS are you using?
TheHostHouse (Author) Posted November 23, 2008 I use a variation of that password on forums, yeah. Bad idea, I know. And I'm using the latest version of WHMCS. I just had a reply from Matt, so I'm going to go and check the server logs to see exactly what was going on.
apollo1 Posted November 24, 2008 Someone on WHT mentioned there was talk on a security mailing list out there about a very recent exploit in WHMCS floating around. Does anyone know anything about this?
AndrewMKP Posted November 24, 2008 Anyone have any updates on this?
pdpd Posted November 24, 2008 Yep - sounds worrying. An update would be good.
KuJoe Posted November 24, 2008 Were these e-mails sent as a Mass E-mail or each one sent individually? In any case, I've disabled Mass E-mail from all Administrator Roles. Is there any way to remove this feature (Mass E-mail) from the code to prevent it from ever being used?
pdpd Posted November 24, 2008 I don't think it matters really how they were sent. The issue is that someone has logged into his admin area?
KuJoe Posted November 24, 2008 Yes, but if all they were able to do was send out e-mails, then I am wondering how to prevent mass e-mails from being sent out.
AndrewMKP Posted November 24, 2008 An answer to that is to create a top admin account and then create a new user with limited options, such as yourself, and restrict what you like there. But anyway, back to the topic...
BionicInternet Posted November 24, 2008 Seems to me like a load of old tosh.
danami Posted November 24, 2008 Grep through your access logs for the hacker's IP address first. Also, is this on a shared or dedicated server? I know that all PHPs including 5.26 have safe_mode bypass exploits. Then check your desktop machine for keyloggers.
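The log check danami suggests, as an added example that is not from the thread or from WHMCS: given an Apache combined-format access log, pull every request from the suspect IP, count and time its admin-area hits (to line up with the WHMCS admin log), and list every address that reached the admin area at all, so a second intruder or a shared IP is not missed. The log lines, the placeholder address 203.0.113.5 and the /admin/ paths are constructed for the example.

```shell
#!/bin/sh
# Constructed Apache combined-format access log (sample data, not from the thread).
# 203.0.113.5 stands in for the suspect address; the /admin/ paths are illustrative.
LOG="$(mktemp)"
cat >"$LOG" <<'EOF'
198.51.100.20 - - [23/Nov/2008:15:08:12 +0000] "POST /admin/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Nov/2008:15:09:41 +0000] "POST /register.php HTTP/1.1" 200 4312 "-" "Mozilla/4.0"
203.0.113.5 - - [23/Nov/2008:15:10:02 +0000] "POST /admin/login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.113.5 - - [23/Nov/2008:15:10:03 +0000] "GET /admin/index.php HTTP/1.1" 200 9812 "-" "Mozilla/4.0"
203.0.113.5 - - [23/Nov/2008:15:12:30 +0000] "POST /admin/sendmail.php HTTP/1.1" 200 1200 "-" "Mozilla/4.0"
198.51.100.77 - - [23/Nov/2008:15:13:00 +0000] "GET /clientarea.php HTTP/1.1" 200 5400 "-" "Mozilla/5.0"
EOF

# Every request from one IP. Matching the whole first field (not a grep
# substring) keeps 203.0.113.5 from also picking up 203.0.113.50.
requests_from_ip() { awk -v ip="$2" '$1 == ip' "$1"; }

# How many of that IP's requests touched the admin area ($7 is the request path).
count_admin_hits() {
    awk -v ip="$2" '$1 == ip && $7 ~ /^\/admin\// { n++ } END { print n + 0 }' "$1"
}

# Timestamp of the IP's first admin request, to compare with the WHMCS admin log.
first_admin_hit() {
    awk -v ip="$2" '$1 == ip && $7 ~ /^\/admin\// { print substr($4, 2); exit }' "$1"
}

# Every source IP that reached the admin area, busiest first: any address here
# that is not one of your own needs explaining.
admin_source_ips() {
    awk '$7 ~ /^\/admin\// { print $1 }' "$1" | sort | uniq -c | sort -rn
}

SUSPECT_IP="203.0.113.5"
echo "== requests from $SUSPECT_IP =="; requests_from_ip "$LOG" "$SUSPECT_IP"
echo "== admin hits: $(count_admin_hits "$LOG" "$SUSPECT_IP"), first at $(first_admin_hit "$LOG" "$SUSPECT_IP") =="
echo "== all IPs that reached /admin/ =="; admin_source_ips "$LOG"
```

On a real server, point LOG at the site's access_log (and its rotated predecessors) and set SUSPECT_IP to the address from the WHMCS admin log.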
apollo1 Posted November 24, 2008 Maybe you can start by adding the following .htaccess in your WHMCS admin folder:

    Order Deny,Allow
    Deny from all
    # Change 9.9.9.9 to your IP
    Allow from 9.9.9.9
merlinpa1969 Posted November 24, 2008 The part that makes me go Hmmmmm is they actually LOGGED into the admin and did it in one try. This makes me wonder who you might have ticked off that knows your general password? Who do you know in London?
TheHostHouse (Author) Posted November 24, 2008 Quote: "The part that makes me go Hmmmmm is they actually LOGGED into the admin and did it in one try. This makes me wonder who you might have ticked off that knows your general password? Who do you know in London?" No one except me knows the password. I've spoken to Matt and he's certain it's not a problem with WHMCS. I hadn't yet followed the further security steps in the WIKI to secure the writeable dirs. It's most likely that someone got direct access to the database some other way. And what does me knowing anyone in London have to do with this?
Daniel Posted November 24, 2008 The IP is a UK IP address, though just because it says London doesn't mean anything. My IP says Telford, but I'm miles away.
merlinpa1969 Posted November 24, 2008 It was a general location. And IF they didn't actually get into your WHMCS admin, how did it log it? Weird you didn't notice they were there: you were logged in at 15:08, then they logged in at 15:10. It would have displayed "Other Admins Currently Online: admin hacker".
danami Posted November 24, 2008 Did a lot of Google searching... looks like there could be a 0-day exploit in the wild (this sounds exactly like what happened to you, although it looks like this was posted some time ago): Quote: "The 0day lets you edit/add/remove users from the admin table in the WHMCS mysql database once inside the WHMCS as admin, you are free to view client's information ( CC's, Addresses, IP's, Website cPanels, etc... ) and another good part, Root access to the server if the passes aren't hashed in the server management of WHMCS ( they usually aren't )" Check out this post of a hacker trying to sell this exploit: http://209.85.173.132/search?q=cache:YX_hrqs9xDIJ:www.h4cky0u.org/viewtopic.php%3Ff%3D12%26t%3D24283+whmcs+exploit&hl=en&ct=clnk&cd=17&gl=ca&client=firefox-a I would go through the access logs looking for a specially crafted URL. These guys are some really big assholes. Look at this post selling a compromised WHMCS hosting company: http://209.85.173.132/search?q=cache:YAWT3cUG0u4J:h4cky0u.org/viewtopic.php%3Ff%3D43%26t%3D32689%26view%3Dprevious+whmcs+exploit&hl=en&ct=clnk&cd=27&gl=ca&client=firefox-a Edited November 24, 2008 by danami
apollo1 Posted November 24, 2008 Great detective work Danami, and very interesting. Keep us posted if you find anything else.
RapidCityHosting Posted November 24, 2008 400 clients for $50? Sign me up! /sarcasm It's clear they were selling a stolen company. It sucks this happened, as somewhat recently my WHMCS was also hacked. All of my admin users were removed, and an unknown one inserted. I was so quick to fix the error, I didn't even copy down the address, or anything.
pdpd Posted November 24, 2008 You guys that got hacked - what version of WHMCS were/are you running?
eUKhost Posted November 24, 2008 TheHostHouse, were you running any old version of ModernBill on the same server? WHMCS can get hacked if you leave any vulnerable script accessible on the same website.
danami Posted November 25, 2008 If you are worried about application exploits then I suggest you:

1. Install a web application firewall like mod_security.
2. Download the mod_security 2.5 free rules from http://www.gotroot.com

That way exploits will get stopped before they even get to run your application. From reading the post on webhostingtalk it looks like the hacker got in by: Quote: "All I could tell was that he uploaded a file to his hosting account using the cPanel file manager." Probably nothing to do with WHMCS.