WHMCS Hacked - Page 18

WHMCS Hacked


Comments

  • HarrySX Member

    @jarland said: @HarrySX My understanding of the takedown notice table is that it could also apply to providers who are hosting clients who may have used a nulled whmcs. I could be wrong about that. I don't think being listed there is a specific indication of direct guilt. As for the blacklisted domains, who knows.


    I don't know but wanted to make it clear anyway. ^_^

  • raindog308 Administrator, Veteran

    @Aldryic said: That 'upgrade script' password dialogue looked like a very blatant phishing attempt to me.

    I assumed it was "we haven't got our forum under control yet so we threw up an .htaccess until we figure out how we were hacked".

  • Aldryic Member

    @raindog308 said: I assumed it was "we haven't got our forum under control yet so we threw up an .htaccess until we figure out how we were hacked".

    I pondered on that, but considering the domain itself is still forwarding to ugnazi (for me at least) I figured it was another shady ploy.

  • raindog308 Administrator, Veteran
    edited May 2012

    I thought they had whmcs.com back. It looks normal to me, though of course it could be a rip.

    However, if memory serves, "websitewelcome.com" is one of Hostgator's operations.

    root@sulfur# nslookup www.whmcs.com
    Server:         4.2.2.4
    Address:        4.2.2.4#53
    
    Non-authoritative answer:
    www.whmcs.com   canonical name = whmcs.com.
    Name:   whmcs.com
    Address: 50.116.115.104
    
    root@sulfur# nslookup 50.116.115.104
    Server:         4.2.2.4
    Address:        4.2.2.4#53
    
    Non-authoritative answer:
    104.115.116.50.in-addr.arpa     name = whmcs.websitewelcome.com.
    
    Authoritative answers can be found from:
    
    root@sulfur#
    
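    The forward-plus-reverse lookup raindog308 ran above is a common way to guess who is hosting a domain. The script below is an added example written for this thread, not something posted by any participant: it resolves a name to its addresses, reverse-resolves each address, and reports which PTR names end in a known provider suffix. The `SAMPLE_*` tables are constructed from the nslookup output quoted in the post; the provider map (websitewelcome.com = HostGator) is the thread's own claim, not an authoritative list. PTR records are set by whoever controls the address block, so a match is a hint about the hosting provider, never proof of who administers the server.

```python
import socket
from typing import Callable, Dict, List, Optional

# Constructed from the nslookup output quoted above (page values, not live data).
SAMPLE_FORWARD: Dict[str, List[str]] = {
    "www.whmcs.com": ["50.116.115.104"],
    "whmcs.com": ["50.116.115.104"],
}
SAMPLE_REVERSE: Dict[str, str] = {
    "50.116.115.104": "whmcs.websitewelcome.com",
}

# Suffix -> provider label. websitewelcome.com = HostGator is the thread's
# assertion; treat this as an assumption to be maintained, not a fact list.
PROVIDER_SUFFIXES: Dict[str, str] = {
    "websitewelcome.com": "HostGator",
}


def forward_lookup_live(name: str) -> List[str]:
    """Resolve a hostname to its IPv4 addresses using the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})


def reverse_lookup_live(ip: str) -> Optional[str]:
    """Return the PTR name for an address, or None if there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return None


def match_provider(ptr: Optional[str], suffixes: Dict[str, str]) -> Optional[str]:
    """Map a PTR name to a provider label when it ends in a known suffix."""
    if not ptr:
        return None
    host = ptr.rstrip(".").lower()
    for suffix, label in suffixes.items():
        if host == suffix or host.endswith("." + suffix):
            return label
    return None


def hosting_report(
    domain: str,
    suffixes: Dict[str, str],
    forward: Callable[[str], List[str]],
    reverse: Callable[[str], Optional[str]],
) -> Dict[str, Dict[str, Optional[str]]]:
    """For each address the domain resolves to, record its PTR and provider guess.

    The resolver functions are injected so the same logic can run against the
    live DNS or against a fixed table (as in the sample below and in tests).
    """
    report: Dict[str, Dict[str, Optional[str]]] = {}
    for ip in forward(domain):
        ptr = reverse(ip)
        report[ip] = {"ptr": ptr, "provider": match_provider(ptr, suffixes)}
    return report


def sample_report() -> Dict[str, Dict[str, Optional[str]]]:
    """Run the check offline against the constructed tables from the post."""
    return hosting_report(
        "www.whmcs.com",
        PROVIDER_SUFFIXES,
        lambda name: SAMPLE_FORWARD.get(name, []),
        lambda ip: SAMPLE_REVERSE.get(ip),
    )


if __name__ == "__main__":
    # Offline run over the quoted data; swap in forward_lookup_live /
    # reverse_lookup_live to query the real DNS.
    for ip, info in sample_report().items():
        print(f"{ip}\tPTR={info['ptr']}\tprovider={info['provider'] or 'unknown'}")
```

    Because the resolvers are passed in, the same function can be pointed at a local stub for a unit test or at the live resolver for an actual check.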
  • Aldryic Member

    Hmm, guess I need to flush then :P

  • @raindog308 They moved from HostGator to HostGator, they do know a lot about security.

  • raindog308 Administrator, Veteran

    @Daniel said: @raindog308 They moved from HostGator to HostGator, they do know a lot about security.

    I don't think HG really did anything wrong in this instance. The attacker apparently had Matt's email/pass plus other personal info.

  • @raindog308 said: I don't think HG really did anything wrong in this instance. The attacker apparently had Matt's email/pass plus other personal info.

    Nah, Matt said they gained access to his email after they had got into his HG account, so it's HG's fault.

  • jar Patron Provider, Top Host, Veteran

    I thought he said the other way around? Either way, there's enough blame to go around on this one. After getting into the server and showing us all how well secured it was, and constantly putting the same stupid backups up, there's enough blame to put on Matt either way.

  • @jarland said: I thought he said the other way around? Either way, there's enough blame to go around on this one. After getting into the server and showing us all how well secured it was, and constantly putting the same stupid backups up, there's enough blame to put on Matt either way.

    From WHMCS Blog "Further investigations have shown that the social engineering attack did not involve the compromising of any email account. This was only done after access to the server had been gained."

  • jar Patron Provider, Top Host, Veteran

    I'd love to hear HG's side of it in that case.

  • MrAndroid Member
    edited May 2012

    @jarland said: I'd love to hear HG's side of it in that case.

    I've been able to reconstruct the live help conversation.

    HostGator Ajesh: Hi Welcome to HostGator, how may I help you today?
    
    EP1C H4CK3R: Hi, it's Epic Hacker, oops sorry, Matt from WHMCS. I've forgotten my password to my server and need it.
    
    HostGator Ajesh: What is your birthday?
    
    EP1C H4CK3R: Hold on, let me check Matt's FaceBook, oh I mean my FaceBook
    
    HostGator Ajesh: Sure.
    
    EP1C H4CK3R: It's DD/MM/YYYY.
    
    HostGator Ajesh: Ok, your password is smellycrocodiles
    
    EP1C H4CK3R: Thank You
    
    
  • Hello,

    I recently downloaded the leaked database to check whether the hosts I currently use are "compromised". Because whmcs.ugnazi.com is not online anymore, I downloaded the files from a quite strange mirror, but I can't verify it's trustworthy.

    It contains only 3 SQL dumps with about 800MB in total. The cPanel files are not included. Is anyone who downloaded the original files able to verify the MD5 sums of the following files?

    whmcscom_survey.sql - MD5: 659f3a3f6dc21e571142587a85f29827
    whmcscom_sitecms.sql - MD5: fbca51d9680af1b7d3b3c7e2d98417f3
    whmcscom_clients.sql - MD5: d0eda63a9eea61ce732639f894de5d87

    Thanks in advance!
    HerrMaulwurf

  • MD5 (whmcscom_clients.sql) = d0eda63a9eea61ce732639f894de5d87

    Thanked by 1: HerrMaulwurf
  • Spencer Member

    Anybody have any pictures of the hack today so I can update http://www.haswhmcsbeenhackedtoday.com/

  • @Daniel said: HostGator clearly do not give a damn about their big customer's security, and after a few questions just hand the account over.
    WHMCS is at fault for using HostGator in the first place when they can clearly afford a dedicated server and clearly have the minimal skills to manage it.

    HG cares about everyone's security the same. Most of the techs wouldn't know if a company's big or small (other than ones they're familiar with).

    They were using a dedicated server (from HG). Or at least a VPS.

  • DimeCadmium Member
    edited May 2012

    @Daniel said: On a GPU MD5 Bruter, probably take around 20 minutes to crack.

    Do they even salt it? If not, rainbow table time...

    Also, websitewelcome = HostGator "reseller plan" servers.

  • MrAndroid Member
    edited May 2012

    @DimeCadmium said: Do they even salt it? If not, rainbow table time...

    I don't think they were.

    Even if they were, the configuration files have been leaked so got the salt.

  • @PytoHost said: Anybody have any pictures of the hack today so I can update http://www.haswhmcsbeenhackedtoday.com/

    http://i.imgur.com/0LRQL.jpg

  • @DimeCadmium said: Do they even salt it? If not, rainbow table time...

    Admins' hashes were md5'd without salt; it took 2 hours to crack 3/20. User passwords are salted.

  • Yeah, but if they're unsalted you don't even have to generate a table, just use one that's out there. If they're salted you have to make a new table for that salt, which isn't a problem, just an inconvenience.

  • Spencer Member

    Thanks for that. It is now updated woot woot

  • @DimeCadmium said: Yeah, but if they're unsalted you don't even have to generate a table, just use one that's out there. If they're salted you have to make a new table for that salt, which isn't a problem, just an inconvenience.

    Actually GPU cracking has made rainbow tables more or less superfluous. Even with my fairly old Nvidia GTS 250 it takes only 2 hours to go through the entire loweralpha-numeric 1-8 keyspace (md5)
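  The exchange above (unsalted MD5 admin hashes cracked in hours, salted user hashes, GPU cracking making tables unnecessary) is really an argument about storage format. The code below is an added example for this thread, not WHMCS code and not posted by anyone here: it shows the defender's side of that argument. Two accounts with the same password get the same unsalted MD5, so one precomputed lookup breaks both; a per-user random salt breaks that sharing, and a slow KDF (PBKDF2-HMAC-SHA256 here, via Python's standard `hashlib`) is what actually raises the cost of a GPU keyspace sweep. It also shows the practical migration path: verify a legacy unsalted MD5 on login and immediately rehash into the new format, so existing hashes are replaced without a forced reset. The iteration count and encoding format are this example's assumptions, not WHMCS settings.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters for this example (not WHMCS settings).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def legacy_md5(password: str) -> str:
    """The unsalted MD5 storage the thread describes for admin passwords.

    Deterministic: every account with this password stores the same string,
    so a single precomputed lookup answers all of them at once.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_modern_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash: scheme$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per stored hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{SCHEME}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_modern(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def is_legacy(stored: str) -> bool:
    """32 hex chars with no scheme prefix is treated as an unsalted MD5."""
    return "$" not in stored and len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower())


def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Login-time check that migrates legacy hashes.

    Returns (accepted, replacement). When a legacy MD5 matches, the caller
    should persist `replacement` so the unsalted hash never has to be kept.
    """
    if is_legacy(stored):
        if hmac.compare_digest(legacy_md5(password), stored.lower()):
            return True, make_modern_hash(password)
        return False, None
    return verify_modern(password, stored), None


def shared_hash_demo(password: str) -> Tuple[bool, bool]:
    """Do two accounts with the same password share a stored hash?

    Returns (legacy_shared, modern_shared): True/False is the expected result,
    which is the whole case for per-user salts.
    """
    legacy_shared = legacy_md5(password) == legacy_md5(password)
    modern_shared = make_modern_hash(password) == make_modern_hash(password)
    return legacy_shared, modern_shared


if __name__ == "__main__":
    old = legacy_md5("correct horse")           # what the leaked admin table looked like
    ok, new = verify_and_upgrade("correct horse", old)
    print("legacy login accepted:", ok)
    print("rehashed as:", new)
    print("same password, shared hash (legacy, modern):", shared_hash_demo("correct horse"))
```

  The same login path serves both formats, so the migration needs no downtime and no user action; the only state change is that a successful legacy login overwrites the MD5 with the salted PBKDF2 string. Per-salt table building, as DimeCadmium notes, is only an inconvenience, which is why the iteration count (the slow part) matters more than the salt alone.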

  • subigo Member

    I like how WHT closed the WHMCS thread and told people to just read the WHMCS blog for updates... which has been hacked twice today already.

    Thanked by 1: Infinity
  • Asim Member

    @subigo said: which has been hacked twice today already.

    WHMCS hacked today twice? Wow

  • rds100 Member

    This isn't even funny any more. I think WHMCS should just move their blog to wordpress.com and let someone else take care of securing and maintaining it.

    Thanked by 2: Asim, lbft
  • jar Patron Provider, Top Host, Veteran

    @rds100 They'd probably use the same password.

    Thanked by 3: Jeffrey, maxexcloo, lbft
  • Hopefully a security update for WHMCS will appear soon, $6,000 will buy you a new 0day exploit.

    http://krebsonsecurity.com/2012/05/whmcs-breach-may-be-only-tip-of-the-trouble/

    Thanked by 1: lbft
  • @onepound said: Hopefully a security update for WHMCS will appear soon, $6,000 will buy you a new 0day exploit.

    Sounds like a good investment for a criminal - buy that exploit, write some script, own 100k WHMCS installations.

  • @onepound - This 0day is old. A Saudi hacker has been using the SQL 0day for months. There is one for SolusVM too: VPS for no money, delete VPS, suspend VPS.
