All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Probably another WHMCS-related security breach
This is an e-mail I just got from PCSmartHosting:
Hi
We are dissapointed to have to write this email but early this morning we learned that our billing system had been compromised. It appears a MySQL injection technique was used to modify the Gateway table in our database. This has resulted in one customer completing a Liberty Reserve payment (Which we've never offered our customers) to an account not assosiated with ourselves. Our standard payment methods of PayPal, Google Checkout and Debit/Credit remain secure.
We also have reason to believe that passwords on some user accounts may have been compromised through further MySQL injection techniques, and as a precaution we have currently disabled logins to our billing system. Upon restoring the billing system we will force a reset on all user passwords as a precaution.
This incident has been logged with WHMCS and from speaking to a few contacts in the industry we are not the only ones to become victim of this attack. The server hosting our billing area is heavily locked down from unauthorized access, access to our database was gained via a vulnerability in the billing software only.
Further updates will follow once we restore normal service, appologies for any inconvenience this has caused.
Kind Regards,
The PCSmart Team
Looks like another bad WHMCS module 
Comments
Also caught this email yesterday:
There is an active attack targeting WHMCS installations with that LibertyReserve module on the server (does not matter if enabled) that was known to be an issue but some providers dismissed it as "disabled so it's of no concern to me"
If you are a provider, please PM and I can disclose what I know.
For companies who have disclosed the incident to me, your info is safe with me and I will not release any sensitive information at all but will use the most vague information I can offer to be helpful without it coming back to you.
For full disclosure folks about to scream, go kick rocks. I'll publicly disclose what I know when the time is right.
From what i gather this has nothing to do with Liberty Reserve, there is an unrelated mysql injection problem with WHMCS (could have been for a long time, maybe some providers just didn't bother updating their installation). And some guy used this mysql injection to configure and enable LR gateway in WHMCS so people can be tricked to order from the provider and send money via LR to this guy.
The attacker is using multiple vulnerabilities then, because one confirmed victim was because of the LR module which allowed access and the other victim is not 100% sure yet
@bamn if an attacker is able to do mysql injection then he should be able to reconfigure any payment module and send the payments to his own account instead of the provider's account. In this case probably LR was chosen with the hope that nobody would notice and with the idea that LR payments are not disputable / reversible.
Hi
I don't give a damn about the OP. I'm here offering what I know about CURRENT, ONGOING ATTACKS. Feel free to debate all you want in typical LET derail fashion about hypotheticals.
I have just cleaned out the gateway folders, and moved everything that is not in use into a another folder.
I am curious about the LR module, any response from WHMCS?
Bamn, if you offer, please post it as long as its just information helping people out.
No injection code or something like that, only info to help providers check if they are in the clear or not.
If there is a sql injection it's plain simple to check access logs and see the url, I can't believe some providers aren't capable of catching a sql injection attack :S
I posted the terms of my offer and if folks do not like it, do not take me up on my kindness.
WHMCS has a vulnerability. What a surprise.
The first part is what happened to us (the Liberty Reserve part), but our client passwords were not compromised. I wonder what the hacker(s) did to get the passwords. Sucks that this is still going on but good to know it wasn't just us
What's new... lol
Got one from PCSmart as well.
Shocking, isn't it?
WHMCS having a security issue for the first time!!!11oneoneleven.
Ok, seems it was not something new
http://www.webhostingtalk.com/showpost.php?p=8480043&postcount=10
No it's not. I've seen this happen on several v5.1.3 installs
Not yet. A couple of clients have submitted tickets to us saying the SolusVM WHMCS module had stopped working. When we investigated we found the LR gateway had been added.
I do suggest you enable Query Logging in MySQL though. It will help detect how it was done if it happens to you.
Sooo, clearly a LR Module is being uploaded? Couldn't you just restrict such items from being uploaded through whatever exploit there is? As a temporary measure.
It's intriguing that nobody has developed a fix yet; is this the same thing that happened to @CVPS_Chris then?
It is not being uploaded but getting activated . And it is not whmcs fault. They did patch it. Now if you are running old unpatched version, that's another thread.
Best practice is to remove any unused modules/gateways/addons/hooks. They can't exploit what's not there.
This, the narrower the window of opportunity the better
WHMCS needs to include code in all their modules to not function unless called from registered sources.
WHMCS doesn't code all of the modules. Some modules are provided by the service developers (I can't remember the last gateway exploit but it was from code not written by WHMCS).
WHMCS should be auditing the modules themselves before adding them to the App Store though surely?