dreamwarexp Posted December 16, 2008
This is really weird. I could not log in. Requested lost password and it said that email address did not exist. I went into the SQL DB and saw that my email was changed to something crazy. I had to change it back in SQL to get it to email me a new password. I checked the logs and found that no one had been logged in since I did last. Also nothing else had been changed or messed with. Any ideas? I am using version 3.7.2. I do not use my password anywhere else, plus it is not a simple pass either. Thanks in advance for any input.

Matt Wade Posted December 16, 2008
"changed to something crazy": what sort of something crazy? An email address that was crazy, random characters, or some crazy that was words, etc.?

dreamwarexp Posted December 16, 2008
It was something like junioryazee@yazee.com. I forgot to write it down before I changed it. I was so shocked to see that I just changed it before thinking.

Matt Wade Posted December 16, 2008
If it was an actual email address, then I think certainly you might be in trouble. If it was just some random set of characters it would have still been possible that you had some database corruption or something. But...with an actual email address someone had to put that in there. I'd take extreme measures and change every and any password on that system. Have you looked at the activity and admin log? If you see no evidence that someone logged into whmcs, then you've got someone that has access to your database. If I were you I would also check your httpd logs and see if anyone has been accessing the whmcs/admin folder. Is this your own server or a shared account?

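Added example (not part of the original thread and not WHMCS code): one way to do the httpd-log check suggested above, summarising per client IP every request under the admin folder in an Apache combined-format access log. The `/whmcs/admin` prefix, the known-admin IP set, the file names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format: ip ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
ADMIN_PREFIX = "/whmcs/admin"        # assumption: where the admin folder lives
KNOWN_ADMIN_IPS = {"203.0.113.10"}   # assumption: addresses you administer from

# Constructed sample lines (documentation IP ranges, hypothetical file names).
SAMPLE_LOG = """\
203.0.113.10 - - [15/Dec/2008:09:12:01 +0000] "GET /whmcs/admin/index.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Dec/2008:09:12:09 +0000] "POST /whmcs/admin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.77 - - [15/Dec/2008:23:40:12 +0000] "GET /whmcs/cart.php HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
198.51.100.77 - - [15/Dec/2008:23:41:55 +0000] "GET /whmcs/admin/ HTTP/1.1" 200 2310 "-" "Mozilla/4.0"
198.51.100.77 - - [15/Dec/2008:23:42:03 +0000] "POST /whmcs/admin/index.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
this line is malformed and is skipped
"""

def admin_access_by_ip(log_text, prefix=ADMIN_PREFIX, known=KNOWN_ADMIN_IPS):
    """Return {ip: {hits, posts, first, last, known}} for requests under prefix."""
    summary = defaultdict(lambda: {"hits": 0, "posts": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].lower().startswith(prefix):
            continue  # unparsable line, or a request outside the admin folder
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec = summary[m["ip"]]
        rec["known"] = m["ip"] in known
        rec["hits"] += 1
        rec["posts"] += int(m["method"] == "POST")  # form submissions, e.g. logins
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
    return dict(summary)

if __name__ == "__main__":
    for ip, rec in sorted(admin_access_by_ip(SAMPLE_LOG).items()):
        flag = "known" if rec["known"] else "UNKNOWN"
        print(f'{ip:15} {flag:7} hits={rec["hits"]} posts={rec["posts"]} '
              f'{rec["first"]:%Y-%m-%d %H:%M:%S} .. {rec["last"]:%H:%M:%S}')
```

Addresses reported as UNKNOWN, and the times they were active, are the entries to compare against the application's own admin and activity logs.
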
dreamwarexp Posted December 18, 2008
I have this on a shared account so it stays separate from the network where I have my servers. In the admin log there was no activity. And it was actually an email address. I looked at my logs and man are they hard to read. Any tips? It is like looking into a pair of swirl glasses. I might have seen a possible cause. In the SQL I had the access host set to wildcard % and forgot to delete it. I was working on something a while back and forgot to delete it. Do you think this might have been the cause?

bear Posted December 18, 2008
"I have this on a shared account so it stays separate from the network where I have my servers."
But it's on a shared server, meaning it's more vulnerable to this sort of thing than if you had it segregated with at least a VPS or better. The wildcard access probably didn't help any, but without seeing the actual logs it would be just guessing here.

Matt Wade Posted December 18, 2008
Right, the wildcard will allow people from any host to connect, but they still need a password (you have a password on the mysql account, right?). Anyway, I would make sure you change every single password. I would also be prepared that someone may have retrieved all your customer information including credit cards. They are encrypted in the database, but if they had access to your database they could likely get the encryption key from your config file as well.

dreamwarexp Posted December 18, 2008
Hmmm, ok, thanks all of you for the reply. What should I look for in the log exactly? It all started running together after a while. Second, you're right, it is on a shared. I will be moving it to my own server very soon. This is not acceptable. I do have a pass on the SQL for sure. As far as I can tell they only changed the email and password. They did not change any other one or even any of the other admins. Very odd.

RapidCityHosting Posted January 13, 2009
This has also happened to me today. This happened to me in the past as well; each time they didn't do anything. The email was changed to (cpanelcn@126.com), but they didn't appear to do anything.

Matt Wade Posted January 13, 2009
"didn't appear to do anything". Let's see...they have access to your billing control panel and most likely your server. So, that means they have access to all your clients' names, addresses, email addresses, and credit card numbers. You don't have any problem with that? You also just admitted here on a public forum that this has happened to you in the past! You are criminally negligent in allowing a hacker to obtain all your client details! You probably think I am making a big deal out of nothing. Sorry, it is a big deal! If I was a client of yours and found out what you just posted I would be taking definite legal action.

easyhosting Posted January 13, 2009
The same thing happened to me, but the admin log showed a different IP address. When I checked this IP address it originated in Saudi Arabia, when I am in the UK.

Matt Wade Posted January 13, 2009
Sounds like you have a problem too, easyhost. If any of you have had your billing software compromised then you have a moral and legal responsibility to notify your clients of a data breach. If you do not notify them you can be subject to severe legal action!

easyhosting Posted January 13, 2009
I have worked in consumer protection for several years and know my legal responsibilities. I immediately notified my clients of the breach and changed all my login details and my admin folder name, so that this could not happen again. I also reported the IP to the datacenter that holds the IP.

Matt Wade Posted January 13, 2009
Glad to hear you've upheld your obligations, easyhost. Unfortunately there are too many businesses (especially Internet-based businesses) that don't take data breaches seriously.

easyhosting Posted January 13, 2009
There are too many people that will purchase an ecommerce template and open an account with a dropshipper, upload to the internet and sit back and think that is all they need to do. I have lost count of how many you come across that are badly designed, or when you go to check their terms etc., they still have the "place your text here" still in place as they have not bothered or do not know how to change these files.