
I got hacked


josepi


Well, I bought WHMCS a month ago and installed everything correctly on the server.

Yesterday I was getting failed-login emails, so I changed the password to a hard one.

And today my whole VPS got hacked, with no information, all this via WHMCS.

 

 

Why can someone do this?


What proof do you have that someone hacked your VPS via WHMCS? From your post you say that you got failed login attempts. To me that sounds like someone trying to gain access any way they could. What did your other log files show? What about your brute-force detection software? Just because someone attempted to gain access to your WHMCS installation does not mean that is how they hacked your VPS.

 

If there is an exploitable hole in WHMCS, I certainly want to know about it. But don't start blaming WHMCS for your VPS getting hacked unless you have actual proof. Have proof? Post it.


No, you don't know it was via WHMCS. You are speculating. What version of WHMCS were you running? What operating system were you running? Do you have the latest operating system patches and patches for system software? Sorry, cPanel/WHM doesn't do everything for you. You also know that cPanel/WHM isn't perfect? Just because you are running the latest version of it doesn't mean that something in it wasn't what was used to get in. It could have been a breach of your hosting provider, and they got your login details that way. There are a hundred ways they could have gotten in. Without proof that it was WHMCS you are making baseless claims.


I know it was via WHMCS because my whole site was made of HTML, and I have the latest updates for cPanel/WHM =(. Today everything is blank, no logs.

I would think that if they zeroed out your logs then they had root permissions or full write permissions (folders set to 777 anywhere?). Your site could just as easily have been compromised through the root account, or, this being a VPS, perhaps the master server was compromised somehow.

 

Just because you have an HTML only site does not mean your server is safe at all. You still have to be very proactive with security measures.


Here is the last part of my logs

 

190.48.227.191 - - [21/Jan/2009:12:54:03 +0000] "GET /webmail HTTP/1.1" 200 5030 "http://localhost/whmcs/clientarea.php?action=productdetails" "Mozilla/5.0 (Windows; U; Windows NT 5.1; es-AR; rv:1.9.1b2) Gecko/20081201 Firefox/3.1b2"

190.48.227.191 - - [21/Jan/2009:12:47:08 +0000] "GET /whmcs/ HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; es-AR; rv:1.9.1b2) Gecko/20081201 Firefox/3.1b2"

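An added example, not code from this thread or from WHMCS: a small Python triage script that runs over the two log lines posted above plus a few constructed ones, to show what the earlier reply means by checking the other logs and the brute-force detection instead of assuming the entry point. It groups requests per client address, counts 404s (a run of requests for paths that do not exist is what a scanner looks like), and flags any Referer whose host is not one this server answers for; a remote browser only sends a Referer of localhost when the linking page was on the client's own machine or the header was set by hand, so that line deserves a look. The server name example.com, the three extra log lines and the 198.51.100.23 client are constructed for the example.

```python
import re
from datetime import datetime

# Apache "combined" log format, the format of the lines posted above:
# client ident authuser [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Two lines are the ones posted in the thread; the other three are constructed
# (198.51.100.23 is a documentation address) to show a probe for common billing
# paths from the same client next to an ordinary visitor.
SAMPLE_LOG = """\
190.48.227.191 - - [21/Jan/2009:12:47:08 +0000] "GET /whmcs/ HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; es-AR; rv:1.9.1b2) Gecko/20081201 Firefox/3.1b2"
190.48.227.191 - - [21/Jan/2009:12:47:19 +0000] "GET /billing/ HTTP/1.1" 404 - "-" "Mozilla/5.0 (constructed)"
190.48.227.191 - - [21/Jan/2009:12:47:31 +0000] "GET /clients/ HTTP/1.1" 404 - "-" "Mozilla/5.0 (constructed)"
198.51.100.23 - - [21/Jan/2009:12:50:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (constructed)"
190.48.227.191 - - [21/Jan/2009:12:54:03 +0000] "GET /webmail HTTP/1.1" 200 5030 "http://localhost/whmcs/clientarea.php?action=productdetails" "Mozilla/5.0 (Windows; U; Windows NT 5.1; es-AR; rv:1.9.1b2) Gecko/20081201 Firefox/3.1b2"
"""


def parse_line(line):
    """One combined-format line -> dict, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    parts = rec["request"].split()
    rec["path"] = parts[1] if len(parts) >= 2 else rec["request"]
    return rec


def referer_host(referer):
    """Host part of a Referer URL; None for "-", empty or relative values."""
    m = re.match(r"^https?://([^/:?#]+)", referer, re.IGNORECASE)
    return m.group(1).lower() if m else None


def summarize(log_text):
    """Per-client summary: request and 404 counts, first/last time, paths, referers."""
    per_ip = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: keep going, but a real run should count these
        s = per_ip.setdefault(rec["ip"], {"requests": 0, "not_found": 0, "paths": [],
                                          "referers": [], "first": rec["time"], "last": rec["time"]})
        s["requests"] += 1
        if rec["status"] == 404:
            s["not_found"] += 1
        s["paths"].append(rec["path"])
        s["referers"].append(rec["referer"])
        s["first"] = min(s["first"], rec["time"])
        s["last"] = max(s["last"], rec["time"])
    return per_ip


def flag_suspicious(per_ip, own_hosts, probe_threshold=3):
    """Return {ip: [reasons]} for clients worth a closer look.
    own_hosts: lower-case hostnames this server legitimately answers for."""
    findings = {}
    for ip, s in per_ip.items():
        reasons = []
        if s["not_found"] >= probe_threshold:
            span = (s["last"] - s["first"]).total_seconds()
            reasons.append("%d x 404 within %ds: probing for paths this server does not have"
                           % (s["not_found"], span))
        foreign = sorted({h for h in map(referer_host, s["referers"]) if h and h not in own_hosts})
        if foreign:
            reasons.append("Referer from host(s) this server does not serve: " + ", ".join(foreign))
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, reasons in flag_suspicious(summary, {"example.com", "www.example.com"}).items():
        print(ip, "->", "; ".join(reasons))
        print("   paths:", " ".join(summary[ip]["paths"]))
```

Run it against the real access log (and the cPanel, exim and SSH auth logs, which the poster says are now blank) with own_hosts set to the server's actual names; a client that appears in several of those logs within minutes is the one to correlate with the failed-login emails.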

Wow... you need some basic training in internet security, and the internet in general. This thread should be closed. Your VPS was NOT hacked because of WHMCS. That's like saying your house was broken into because of your mailbox. It doesn't make any sense. Unless you had your root VPS information stored in the admin section of WHMCS and you let someone figure it out by not taking steps to protect yourself. Your fault, bro, not theirs.


Here is the last part of my logs

 

190.48.227.191 - - [21/Jan/2009:12:54:03 +0000] "GET /webmail HTTP/1.1" 200 5030 "http://localhost/whmcs/clientarea.php?action=productdetails" "Mozilla/5.0 (Windows; U; Windows NT 5.1; es-AR; rv:1.9.1b2) Gecko/20081201 Firefox/3.1b2"

190.48.227.191 - - [21/Jan/2009:12:47:08 +0000] "GET /whmcs/ HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; es-AR; rv:1.9.1b2) Gecko/20081201 Firefox/3.1b2"

Note the highlighted parts above

IP address: 190.48.227.191

Host name: 190-48-227-191.speedy.com.ar

190.48.227.191 is from Argentina(AR) in region South and Central America

TraceRoute to 190.48.227.191 [190-48-227-191.speedy.com.ar]

Hop  IP address       Host name                                                                          RTT (ms)
 1   72.249.0.65      -                                                                                  20 14 14
 2   206.123.64.22    -                                                                                  12206
 3   216.52.189.9     border4.te4-4.colo4dallas-4.ext1.dal.pnap.net                                      8676
 4   216.52.191.97    core2.tge5-2-bbnet2.ext1.dal.pnap.net                                              1586
 5   157.238.224.33   xe-8-4.r03.dllstx09.us.bb.gin.ntt.net                                              61417
 6   129.250.2.94     po-1.r03.dllstx09.us.bb.gin.ntt.net                                                1286
 7   213.140.55.25    xe0-2-0-0-grtdaleq1.red.telefonica-wholesale.net                                   7 6 6
 8   84.16.15.138     xe11-1-0-0-grtmiabr5.red.telefonica-wholesale.net                                  44 45 41
 9   84.16.14.6       xe10-0-0-0-grtmiabr6.red.telefonica-wholesale.net                                  40 39 39
10   84.16.15.89      xe4-1-0-0-grtlurem4.red.telefonica-wholesale.net                                   103 104 106
11   213.140.49.13    xe4-1-0-0-grtbueba2.red.telefonica-wholesale.net                                   178 178 179
12   84.16.10.142     tdargentina-4-0-0-0-grtbueba2.red.telefonica-wholesale.net.10.16.84.in-addr.arpa   180 190 174
13   -                -                                                                                  Timed out (x3)
14   -                -                                                                                  Timed out (x3)
15   -                -                                                                                  Timed out (x3)
16   -                -                                                                                  Timed out (x3)
Trace aborted.

(The three per-hop readings for hops 2 to 6 ran together in the original paste and are shown as they appeared.)

whois query for speedy.com.ar...

Query error: No whois server known for the given domain

Retrieving DNS records for 190-48-227-191.speedy.com.ar...

Attempt to get a DNS server for 190-48-227-191.speedy.com.ar failed: 190-48-227-191.speedy.com.ar does not exist in the DNS

So you have your home computer connected to the internet via dialup/ADSL.

Maybe you should get a real server!!


And what about a firewall and other security measures: mod_security, suPHP or phpsuexec, BFD? Have you disabled SSH password authentication? Is chkrootkit or rkhunter installed? Have you followed any of the security measures from the WHMCS wiki?

 

That's what I was going to say; it sounds like a firewall with brute-force blocking.

If it is a VPS then it might have a firewall that, after X failed login attempts, blocks the person with a white page. If you have the server through a company and not a home system, contact the company with your IP and ask them to remove it from the blocked IPs; that will bring the site back up.

If you have it on a home computer then you need to understand what you are doing, and know now that you are doing it wrong.

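An added example, not code from this thread or from WHMCS, for two of the items raised above: the "have you disabled SSH password authentication?" question and the earlier "folders set to 777 anywhere?" question. It reads an sshd_config the way sshd resolves global settings (the first occurrence of a keyword wins, and nothing after a Match line counts globally) and walks a directory tree for directories that anyone can write to and that lack the sticky bit. The sshd_config excerpt and the directory layout are constructed for the example; the fallback values used when a keyword is absent are an assumption stated in the code.

```python
import os
import re
import stat
import tempfile

# Constructed sshd_config excerpt (not the poster's). The commented-out line
# must not count, the first live PasswordAuthentication wins, and the setting
# inside the Match block applies only to that user, not globally.
SAMPLE_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
"""

# Assumed fallbacks when a keyword is absent: OpenSSH compiles in
# PasswordAuthentication yes; PermitRootLogin's default has changed across
# versions, so an absent keyword is reported as "unknown" rather than assumed safe.
DEFAULTS = {"passwordauthentication": "yes", "permitrootlogin": "unknown"}


def sshd_global_settings(config_text):
    """Effective global value of each keyword in DEFAULTS, lower-cased."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break                                 # everything below is conditional
        if key in DEFAULTS and key not in seen:   # first occurrence wins
            seen[key] = value
    return {k: seen.get(k, d) for k, d in DEFAULTS.items()}


def ssh_findings(config_text):
    """Human-readable problems with the global SSH settings."""
    s = sshd_global_settings(config_text)
    out = []
    if s["passwordauthentication"] != "no":
        out.append("PasswordAuthentication is effectively '%s': SSH accepts passwords and "
                   "can be brute-forced; use keys and set it to 'no'" % s["passwordauthentication"])
    if s["permitrootlogin"] not in ("no", "prohibit-password", "without-password"):
        out.append("PermitRootLogin is '%s': root can be attacked directly; log in as an "
                   "unprivileged user and use sudo" % s["permitrootlogin"])
    return out


def world_writable_dirs(root):
    """Directories under root with mode o+w and no sticky bit, relative to root.
    Symlinks are not followed. Shell equivalent on the real box:
        find /home /var/www -type d -perm -0002 ! -perm -1000"""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISDIR(st.st_mode):
                continue                          # symlink to a directory: skip
            if st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_sample_tree():
    """Constructed tree imitating a cPanel account: a 777 uploads directory and a
    777 template cache are exactly what the '777 folders' question is about;
    a 1777 tmp directory is world-writable but sticky and must not be reported."""
    root = tempfile.mkdtemp(prefix="audit-demo-")
    layout = {"public_html": 0o755, "public_html/uploads": 0o777,
              "public_html/whmcs": 0o755, "public_html/whmcs/templates_c": 0o777,
              "tmp": 0o1777}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(path, exist_ok=True)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for line in ssh_findings(SAMPLE_SSHD_CONFIG):
        print("SSH:", line)
    demo_root = build_sample_tree()
    for rel in world_writable_dirs(demo_root):
        print("world-writable:", rel)
```

On a real server point sshd_global_settings at the contents of /etc/ssh/sshd_config and world_writable_dirs at the account's home directory; a world-writable directory under a web root is where a compromise of any one script (or of another account on a shared host) turns into files the attacker can drop anywhere, which is the point of the suPHP/phpsuexec question above.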

He could simply be busy recovering from this incident.

Since it doesn't appear to have been WHMCS related, and he hasn't returned to discuss it in a few days, let's close it for now.

josepi, if you'd like to add to this, just let us know and we'll reopen it for you.
