WHMCS customer name change, maybe exploit?
Hello guys, today I received an email from my WHMCS:
Client ID: XX - Mark Johnson has requested to change his/her details as indicated below:
First Name: 'Mark' to 'AES_ENCRYPT(1,1), firstname=(SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,.........more....) FROM tbladmins)'
Email Address: '[email protected]' to '[email protected]'
Default Payment Method: '' to ''
If you are unhappy with any of the changes, you need to login and revert them - this is the only record of the old details.
Has anyone received something like this? Nothing happened, I guess.
Comments
You must be a couple weeks late
http://localhost.re/p/whmcs-527-vulnerability
They're trying to exploit an old vulnerability. Just make sure you're using the latest version. Nothing new.
I'm on Version: 5.2.12 since it was available.
So I just wanted to know. Thanks.
This is an exploit; just update to the latest WHMCS patch and keep your WHMCS safe for some days.
Share the IP so we can all ban it.
Just disable changing profile fields for the next 30 days to 1 year.
I also got the same notification
@DewlanceVPS couldn't they just add another "sub account" or whatever they call it and perform what they do, there?
IP Address: 205.204.88.93
At least you will get a relief from "name change notification"
I can confirm that the same user ('Mark Johnson') just attempted to infiltrate ours using similar methods roughly 2 hours ago.
Just had this too, IP address 205.204.88.93
You want to be on version 5.2.13 as of today @dedicados
Hello,
We are using WHMCS Version: 5.3.9, yet we have still received an Exploit Attempt alert.
First Name: 'Aganteng' to 'Andri'
Last Name: 'Rooterz' to 'Cyber4rt'
Address 1: 'dm' to 'AES_ENCRYPT(1,1), address1= (SELECT MIN(username) FROM tbladmins)'
Address 2: 'dm' to 'AES_ENCRYPT(1,1), address2= (SELECT MIN(password) FROM tbladmins)'
Postcode: '404404' to 'dm'
Default Payment Method: '' to ''
If you are unhappy with any of the changes, you need to login and revert them - this is the only record of the old details.
Any fix for this?
Regards,
Patrick
You can stop this from happening. But as you're on the latest version of WHMCS, it was patched a little while ago? Report the user's IP and ban.
The fact that your WHMCS was not successfully hacked means there is nothing to fix, the guy is simply trying to see who's got an older (vulnerable to this hack) version of whmcs, just make sure you're running the latest version.
Why ban IPs? A lot of ISPs are using shared/dynamic IP addresses; banning one might block another potential customer's access.
Hello.
Thanks MSPNick, DalComp, ndelaespada.
As per WHMCS support: "This user is attempting to perform an old vulnerability from version 5.2.8, which would not affect you if you are utilizing the latest version of WHMCS. You would have nothing to worry about in this circumstance as their attempts would not be successful."
Regards,
Patrickr.
Disable changing of name, email, etc. by customers themselves.
Hello ftpit,
Thank you for the suggestion. Shall I use "Locked Client Profile Fields" from the General Settings >> Other section to disable changing of name, email, etc. by customers?
Regards,
Patrickr
Yes, lock the profile fields after signup.
Thank you Radi
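Added example, not part of any post in this thread and not WHMCS code: a small triage script that parses the "Field: 'old' to 'new'" lines of the change notification quoted above and flags fields whose new value contains SQL constructs. The marker list and the names `flag_changes` and `MARKERS` are assumptions chosen for illustration; the sample text is copied from the notifications quoted in the thread.

```python
import re

# One change line of the WHMCS notification as quoted in this thread:
#   Field Name: 'old value' to 'new value'
# Old value is matched lazily and new value greedily, so quotes inside the
# new value (e.g. O'Brien) stay part of it.
CHANGE_LINE = re.compile(r"^(?P<field>[^:']+):\s*'(?P<old>.*?)'\s+to\s+'(?P<new>.*)'\s*$")

# Heuristic markers (assumed, not an official list): things a real name,
# address or postcode has no reason to contain.
MARKERS = {
    "subquery": re.compile(r"\bselect\b.+?\bfrom\b", re.I),
    "sql-function": re.compile(r"\b(?:aes_encrypt|group_concat)\s*\(", re.I),
    "column-assignment": re.compile(r"\b\w+\s*=\s*\(", re.I),
    "whmcs-table": re.compile(r"\btbl\w+", re.I),
    "hex-literal": re.compile(r"\b0x[0-9a-f]+\b", re.I),
}

def flag_changes(notification: str) -> dict[str, list[str]]:
    """Return {field: [marker names]} for changed fields whose NEW value looks like SQL."""
    flagged = {}
    for line in notification.splitlines():
        m = CHANGE_LINE.match(line.strip())
        if not m:
            continue  # header/footer lines of the email, not a field change
        hits = [name for name, rx in MARKERS.items() if rx.search(m["new"])]
        if hits:
            flagged[m["field"].strip()] = hits
    return flagged

# Sample input: change lines copied from the notification quoted in the thread.
SAMPLE = """\
Client ID: XX - Mark Johnson has requested to change his/her details as indicated below:
First Name: 'Aganteng' to 'Andri'
Last Name: 'Rooterz' to 'Cyber4rt'
Address 1: 'dm' to 'AES_ENCRYPT(1,1), address1= (SELECT MIN(username) FROM tbladmins)'
Address 2: 'dm' to 'AES_ENCRYPT(1,1), address2= (SELECT MIN(password) FROM tbladmins)'
Postcode: '404404' to 'dm'
Default Payment Method: '' to ''
"""

if __name__ == "__main__":
    for field, hits in flag_changes(SAMPLE).items():
        print(f"SUSPICIOUS {field}: {', '.join(hits)}")
```

A hit only means someone probed the profile form; whether the probe could have worked depends on the installed WHMCS version, as the replies above say.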