whmcs hacked

zidit Member

My whmcs 5.2.9 got hacked. The hacker seems to have gotten access to the admin panel. I have no idea how they could place a suspicious file in the /downloads folder (can it be uploaded inside the admin panel?). After the file was placed, it was called, configuration.php was read for the database credentials, and the hacker could change the admin password and do anything with the whmcs database. I need to know this to prevent it from occurring again.

The main thing I have no clue about is how they could place a file in the downloads folder.

Already updated to 5.3.6

Comments

  • Bella Member
    edited April 2014

    Always update your WHMCS to the latest version as soon as it comes out.

    If they placed a file in the downloads folder and executed it, that would mean that your downloads folder was in your public_html folder.

    And yes if they had access to your admin account they could have uploaded a shell or something.

    You should always move the downloads/attachment/templates_c folder outside of the public_html directory.

    Follow all the steps here. http://docs.whmcs.com/Further_Security_Steps

    I also recommend deleting all your files and uploading a fresh copy of whmcs to make sure there are no hidden shells or anything hiding.

  • Ruchirablog Member
    edited April 2014

    My whmcs 5.2.9 got hacked

    ok

  • zidit Member

    @imtiax said:
    Always update your WHMCS to the latest version as soon as it comes out.

    If they placed a file in the downloads folder and executed it, that would mean that your downloads folder was in your public_html folder.

    And yes if they had access to your admin account they could have uploaded a shell or something.

    You should always move the downloads/attachment/templates_c folder outside of the public_html directory.

    Follow all the steps here. http://docs.whmcs.com/Further_Security_Steps

    I also recommend deleting all your files and uploading a fresh copy of whmcs to make sure there are no hidden shells or anything hiding.

    As far as I understand, I should move the downloads/attachment/templates_c folder outside of the public_html directory. So once a script is placed there, they cannot call it from the website?

  • Bella Member

    If you move your downloads/attachments/templates_c folder then no one will be able to execute the files.

    The most common way for people to upload a shell to your site would be by uploading it as an attachment.

    So when you move the attachment folder outside of the public folder, it can no longer be accessed by anyone directly.

  • is it possible to disable execution of anything under that folder in the webserver config?

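Bella's advice above (relocate the data directories out of public_html) and the question that follows it (deny execution in the webserver config), as an added shell example that is not code from WHMCS or from anyone in this thread; it assumes Apache 2.4 with AllowOverride enabled and that the administrator supplies the three directory paths:

```sh
#!/bin/sh
# Added example, not WHMCS's own code: audit the writable WHMCS data dirs
# the thread discusses (downloads, attachments, templates_c), flag any still
# web-reachable and deny script execution there. Assumes Apache 2.4 with
# AllowOverride on for the directory.
set -eu

# Canonical path of a directory (follows symlinks) in plain POSIX sh.
canon() { (cd "$1" && pwd -P); }

# Returns 0 when DIR lies outside DOCROOT, 1 when it is reachable via the web.
is_outside_docroot() {
  dir=$(canon "$1"); root=$(canon "$2")
  case "$dir/" in "$root"/*) return 1 ;; *) return 0 ;; esac
}

# Lists files with server-side script extensions: none belong in a
# download or attachment directory, so each hit is worth investigating.
find_script_files() {
  find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[3-7]' \
    -o -iname '*.phar' -o -iname '*.cgi' -o -iname '*.pl' \) | sort
}

# Belt and braces for a directory that cannot be moved out of the web root:
# refuse to serve or execute scripts stored there, and disable indexes.
deny_scripts_htaccess() {
  cat > "$1/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|php[3-7]|phar|phps|cgi|pl)$">
    Require all denied
</FilesMatch>
Options -ExecCGI -Indexes
EOF
}

# Report on one directory and harden it if it is still under the web root.
audit_dir() {
  [ -d "$1" ] || { echo "ERROR: no such directory: $1"; return 1; }
  if is_outside_docroot "$1" "$2"; then echo "ok: $1 is outside $2"
  else echo "WARN: $1 is web-reachable; writing deny rules"; deny_scripts_htaccess "$1"; fi
  find_script_files "$1" | while read -r f; do echo "WARN: script in data dir: $f"; done
}
# Constructed demo layout (not a real install): a downloads directory still
# under public_html holding a stray PHP file, and a relocated attachments dir.
demo=$(mktemp -d)
mkdir -p "$demo/public_html/whmcs/downloads" "$demo/private/attachments"
: > "$demo/public_html/whmcs/downloads/invoice.pdf"
: > "$demo/public_html/whmcs/downloads/stray.php"
audit_dir "$demo/public_html/whmcs/downloads" "$demo/public_html"
audit_dir "$demo/private/attachments" "$demo/public_html"
rm -rf "$demo"
```

Point the real paths at the values set in configuration.php and re-run the audit after every WHMCS upgrade; a file reported by find_script_files in a data directory is the kind of planted shell the original post describes.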
  • @Ruchirablog said:
    ok

    ok

  • zidit Member

    @imtiax said:
    If you move your downloads/attachments/templates_c folder then no one will be able to execute the files.

    The most common way for people to upload a shell to your site would be by uploading it as an attachment.

    So when you move the attachment folder outside of the public folder, it can no longer be accessed by anyone directly.

    Thank you for the really worthwhile suggestion.

  • Do you use Cpanel/DirectAdmin or Zpanel/Kloxo?

  • zidit Member

    Another question: is there any way to force all clients to reset their password?

  • zidit Member

    @ErawanArifNugroho said:
    Do you use Cpanel/DirectAdmin or Zpanel/Kloxo?

    It's cPanel

  • It's nothing new that WHMCS is getting hacked. I wonder why hosters are still using this...

  • cassa Member

    @IceCream said:
    It's nothing new that WHMCS is getting hacked. I wonder why hosters are still using this...

    Because it's the only thing that "works"

  • Define "works". Getting hacked every day/hour/minute does not mean it works.

  • WHMCS 5.2.9 is very old and it is no wonder it got hacked. Actually it is kind of surprising that it didn't get hacked earlier.

    You should upgrade to 5.3.6

  • IntroNet Member
    edited April 2014

    I think they have used SQL Injection to get it! Your WHMCS might be vulnerable! And after getting in they have uploaded a SHELL to access all hosted websites at that server.

  • nunim Member
    edited April 2014

    I always recommend people run Mod_Security alongside WHMCS, it might not stop a zero day but it sure won't hurt. It likely would've stopped them from uploading a PHP shell in this case, provided you had upload scanning enabled.

  • rds100 said: You should upgrade to 5.3.6

    zidit said: Already updated to 5.3.6

    zidit said: The main thing I have no clue about is how they could place a file in the downloads folder.

    Ask WHMCS.

  • Floris Member
    edited April 2014

    @GIANT_CRAB said:
    Ask WHMCS.

    My whmcs 5.2.9 got hacked

    Basically says it all. This was an old insecure WHMCS version.

  • GIANT_CRAB Member
    edited April 2014

    Floris said: Basically says it all. This was an old insecure WHMCS version.

    Yes, but what he probably really wanted to know was why does WHMCS suck so much. (inb4 WHMCS used to be a hobby project by Matt)

  • sman Member

    Password protecting the admin folder is easy to set up and use. Your browser can cache the login, so it's a really good security enhancement imho.
    http://docs.whmcs.com/Further_Security_Steps

  • Bella Member

    @nunim said:
    I always recommend people run Mod_Security alongside WHMCS, it might not stop a zero day but it sure won't hurt. It likely would've stopped them from uploading a PHP shell in this case, provided you had upload scanning enabled.

    Could you link me to a guide to do that?

  • sman Member
    edited April 2014

    I would not recommend mod_security for WHMCS. It caused us more problems than it prevented. If you do use it expect lots and lots and lots and lots of tweaking to get it just right and even then expect to have to do more tweaking.

    With WHMCS, right off the bat you will probably find that your ticketing system won't work anymore so you have to create special exclusions or rules for that. We had to create a bunch of special rules for all sorts of things that came up.

    It is also a PiTA to troubleshoot because it does not always block. Depends on how you have it configured and the content of the message it is blocking, how long the message is etc.

    When it does block the web page errors are very generic so you have to always check the mod_sec logs to see whether it did it. The mod_sec logs are very chatty even when turned way down so not always the easiest thing scanning them.

    Anything that complicates things that much is not a good security solution imho. There are lots of ways around it so it's not even that great of a hammer. More of a specialized solution for very targeted things. So if you want to go to all the trouble to implement it in order to target one very specific thing and turn off all the generic filtering it could be of some use imho.

    If you do implement I would recommend setting it up in monitor only mode for quite awhile. Watch the logs very carefully to see what it is flagging.

    We spent countless hours messing around with it over the course of a year trying to prevent false positives. Cranked up the limits etc. Finally set it to just monitor and eventually we just disabled it. We did learn something though. To ignore any suggestions of using mod_security on WHMCS.
