Anyone been having this in tickets lately?

PhilND

Had multiple tickets with this... anyone else had/seen this before? Is their a WHMCS exploit going around?

http://pastebin.ca/2144691

Francisco

header('Location: tubgirl.com');
exit();

Francisco

NanoG6

http://www.base64decode.org/

Asad

I had a few of these at my installation a few weeks back, just add a spam control filter to block them.

The exploit doesn't work if your WHMCS is up to date.

yomero

So if my ticket says {php} will get blocked lol

Asad

@yomero said: So if my ticket says {php} will get blocked lol

Why would a client ever email you with "{php}evaL(base64_decode..."? Chances are it's going to be spam.

yomero

@AsadHaider said: Why would a client ever email you with "{php}evaL(base64_decode..."? Chances are it's going to be spam.

Yes I know, just is funny :P

debug

@NanoG6 said: http://www.base64decode.org/

If you actually read more of the paste, you would of seen that the OP already did that.

NanoG6

@debug said: If you actually read more of the paste, you would of seen that the OP already did that.

oh yaa sorry

Victor

Yea, we had one of those a couple weeks back.

Aldryic

I have a hook in place that compares the IP that submitted the attempted exploit against recent client login records. It's always amusing to hear the stories of "I wasn't trying to do anything bad" :P

cosmicgate

there are talks on 0day exploit that gives you free vps on xen without paying. Affects all xen system.

quirkyquark

@cosmicgate said: there are talks on 0day exploit that gives you free vps on xen

via WHMCS?

Spencer

@cosmicgate said: there are talks on 0day exploit that gives you free vps on xen without paying. Affects all xen system.

Ehhhh seems suspicious. Because I doubt this new fantastic 0day will work with solus, HyperVM, VirtPanel, Virtuozzo etc. Just no way one 0day will work with all the modules.

cosmicgate

It should be from whmcs. these guys are selling the exploit at 500 dollars.

vedran

@cosmicgate said: It should be from whmcs. these guys are selling the exploit at 500 dollars.

So basically you get free VPS for $500?

Asad

@vedran said: So basically you get free VPS for $500?

Haha yeah I don't see the point really why you'd want to pay so much.

Spencer

The free VPS thing is not real.

ElliotJ

@AsadHaider said: Haha yeah I don't see the point really why you'd want to pay so much.

500 / Number of Xen VPS hosts, let's say, 1000.
1000 * 1000 emails/minute for... a couple hours, before it's noticed

0.00001% buy the crap advertised at $10 -> 1200 * 10 = $12000 every two hours.

Multiply that a few days.
???
Profit!

$500 for all of that, not bad.

vedran

I see how that can be (ab)used if there is such exploit, I was just pointing that 500/n !=0, even if n->∞

Asad

@ElliotJ said: $500 for all of that, not bad.

Didn't consider spamming :P never come across that problem

People who buy that crap shouldn't be allowed on the internet.

gsrdgrdghd

@vedran said: 500/n !=0, even if n->∞

Well but lim n->∞ (500/n) = 0 ;-)

Also if you find the bug & write the exploit yourself you won't have to pay the 500$ :P

CINIPAC

We are receiving about 1 or 2 tickets a week with this content.

It's an exploit for a vulnerability in WHMCS which was fixed during an WHMCS update in December 2011. If you're running an up-to-date version of WHMCS, you simply can delete this tickets.

PhilND

@Dotvps, your hook fixed it!

@Everyone else, it was just a bit annoying.. over 100 tickets with this in. eh.

Francisco

@PhilND said: @Everyone else, it was just a bit annoying.. over 100 tickets with this in. eh.

jeez =\