akboselk Posted September 13, 2009

Hi guys,

I have the latest (4.2) WHMCS installation and also use a customized admin URL. I also have a few admin accounts on WHMCS, and all of them use STRONG passwords.

The system works fine without any issue, but someone entered the system (illegal entry, so it is a HACK attempt) and modified a few client records.

I have opened a support ticket with WHMCS and their reply is below:

---------------------------------
If it wasn't you or one of your staff then yes you have had an unauthorized access so should change all your passwords. With a customised URL it indicates the malicious user had access to your files to find it so probably a local file on another account like a shell script or something of that nature.
---------------------------------

1) How did these guys find the customized admin URL? What is this shell script story?
2) Has anyone had this type of event with their WHMCS? And how do we stop this type of attack?

** Please don't mention "check your PC for malware / spyware, check other scripts on the site for bugs, use strong passwords", because we have taken all the security steps we can.

Expecting your ideas on this; it will help all those guys who use WHMCS.
fearmydesign Posted September 13, 2009

I don't have an answer for you, but I would like to learn from this, as this could happen to any of us using WHMCS. I don't know if you already have an SSL or if it even helps with this kind of stuff, but I bought one so that I feel a little safer about the information flowing in and out of my site... at least that's what I think the SSL is for... LOL

Hope you can solve your issue.

Regards
akboselk Posted September 13, 2009 (Author)

Thanks for the idea, but I don't think SSL will prevent unauthorized system access. But I am not an expert in this and hope someone (an expert) can explain it to us.
bubbasheeko Posted September 13, 2009

SSL would make it more secure. It prevents anything that is listening in on your connection from getting your passwords.
akboselk Posted September 13, 2009 (Author)

OK, I can accept that; I hope it will provide a more secure life. Thanks, all you guys.
herpherp Posted September 13, 2009

I would keep in mind that they do not need access to WHMCS itself... If they have/had your DB password then they could utilize that to make client changes... Did you receive an email that there were failed attempts to log in to the admin area... Also, if someone has your FTP password then obviously they could see the path to your custom admin path and the password to the database etc...
Damo Posted September 13, 2009

It may be an idea to run a rootkit tool on your server/s. As mentioned in the reply from WHMCS, as you're using a modified admin location (assuming it's not an easy guess) then they will most likely have access to your file system.

This isn't a WHMCS security issue, as they appear to have logged in with a valid username and password. This would be a server security matter.
herpherp Posted September 13, 2009

Ignore this post, sorry...
Parnian Posted September 13, 2009

I think you probably got a file from someone that had a keylogger, and it had logged all URLs and usernames and passwords...
bear Posted September 13, 2009

"I don't know if you already have an SSL or if it even helps this kind of stuff"

It would only help with the transmission of data between the server and user, if the place you're connecting to is secured using it.

"1) How these guys find the customized admin url ? What is this shell script story ?"

Is your WHMCS on the same server as clients' sites? It's possible they uploaded and used a PHP script that under less secured server environments can access files and server-side programs they shouldn't be allowed to, possibly even root access. Do a Google search for things like c99 shell for more info.

"It may an idea to run a rootkit tool on your server/s."

If they had root access it's unlikely all they'd use it for was to change some accounts in WHMCS.
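An added example, not part of the post above and not WHMCS code: a Python audit of the Unix permission bits that decide whether a script running under another account on a shared server can list a renamed admin directory or read a configuration file. All directory and file names are constructed, and it assumes the other account falls into the "other" permission class (not the owner, not in the group).

```python
import os
import stat
import tempfile

def audit_exposure(root):
    """Return (relative_path, issue) for entries other local accounts can reach."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        rel_dir = os.path.relpath(dirpath, root)
        dmode = os.lstat(dirpath).st_mode
        if not dmode & stat.S_IXOTH:
            dirnames[:] = []          # others cannot enter: nothing below is reachable
            continue
        if dmode & stat.S_IROTH:      # names inside (e.g. a renamed admin dir) are visible
            findings.append((rel_dir, "dir listable by others"))
        else:                         # names hidden, but known paths can still be opened
            findings.append((rel_dir, "dir traversable by others"))
        for name in sorted(filenames):
            fmode = os.lstat(os.path.join(dirpath, name)).st_mode
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if stat.S_ISREG(fmode) and fmode & stat.S_IROTH:
                findings.append((rel, "file readable by others"))
            if stat.S_ISREG(fmode) and fmode & stat.S_IWOTH:
                findings.append((rel, "file writable by others"))
    return findings

def build_sample_tree():
    """Constructed sample layout; every name here is hypothetical."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o711)                         # account home: enterable, not listable
    dirs = {"billing": 0o755,                     # common shared-hosting default
            "billing/hidden-admin": 0o755,        # renamed admin dir, name still visible
            "billing/private": 0o700}             # locked down
    files = {"billing/config.php": 0o644,         # stands in for a file with DB credentials
             "billing/private/backup.sql": 0o644} # loose mode, but parent blocks access
    for rel, mode in dirs.items():
        os.mkdir(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), mode)
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    for rel, issue in audit_exposure(build_sample_tree()):
        print(f"{issue:28} {rel}")
```

Run against your own install directory, an empty result means the "other" permission bits give nothing away; it says nothing about access through a shared group or a web server that runs every account's scripts as the same user.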
akboselk Posted September 16, 2009 (Author)

"Is your WHMCS on the same server as clients' sites?"

No, but it is on a shared server on the same network.

Yes, now I also think this is a server-side security issue, because I have another 2-3 WHMCS installations and no such problem.

1) OK, what about a VPS? Will this type of solution provide better security for the WHMCS system than a shared server?

2) Also, WHMCS allows "API IP Access Restriction ..... Enter the IPs allowed to connect to the API, one per line" in the General config section. Can someone tell me what this is? And will this allow an IP range?