WHMCS - Experience
safari 07-25-2008, 05:39 PM I was just wondering, we are using whmcs for client billing and its a great thing, but I'm really concerned and want anyone out there to respond to this post, we always get someone logging into the admin area and changing the admin password...(potentially a hack), I always have to go and change the password and email via mysql and I use everything - symbols, numbers, caps etc .. I also discovered a script on the server and it was found under a client's whmcs....the file was called images/readme.php..deleted the file, and changed the passwords to that account
How secure/vulnerable is whmcs..? - thanks
Prolime Servers 07-25-2008, 06:01 PM for us whmcs is perfect , never had any issues...
try to get some strong server security
citricsquid 07-25-2008, 06:11 PM Don't keep WHMCS and the clients on the same server, it's asking for trouble. Have you thought about setting up a VPS for your site on your dedicated, or purchasing a VPS at a different provider?
bithost(NET) 07-25-2008, 07:07 PM Ahhhh, sounds to me like your basic server-level security is lacking ... and/or that your script is unpatched.
Either way if you believe that WHMCS has a security hole, you need to contact WHMCS immediately. These things are NOT properly reported & addressed through a public forum.
Seriously though, it sounds to me like you have other exploit/security issues on the server, and they're able to slip in to WHMCS that way. Do a thorough security audit and close up the holes.
:D Bailey
FS - Mike 07-25-2008, 07:28 PM Indeed, it sounds like a server level security issue. You might want to consider some server hardening to prevent this sort of thing.
You might also want to think about sending WHMCS a ticket to see what they have to say.
Regards,
Mike
safari 07-25-2008, 08:36 PM This is interesting! Mainly also we have had a couple of people being able to load scripts on the server which have sent out spam, I have had to suspend these accounts to prevent any further emails from going out. I'm just wondering WHAT level of security the server has to be set to. I mean where do you go,...kind of tried everything!
bithost(NET) 07-25-2008, 08:46 PM I mean where do you go,...kind of tried everything!
Obviously you haven't. Hire a competent server admin. Clearly what you're doing and who you're using now, isn't getting the job done. ;)
:D Bailey
REVCOM-Lawrence 07-25-2008, 08:49 PM Again, as a lot have already said, it more than likely is not WHMCS. Your server needs to be a bit more secured and I would also suggest separating your clients from WHMCS by putting WHMCS on a separate dedicated or VPS. Also, the directory where the corrupted file keeps getting uploaded to, you might want to check the permission level of that directory and see if it is CHMOD to 777. If it is, I would change it to 755 or something that you are able to and still keep the intruder blocked from re-uploading. Hope this helps.
safari 07-25-2008, 08:52 PM Obviously you haven't. Hire a competent server admin. Clearly what you're doing and who you're using now, isn't getting the job done. ;)
:D Bailey
Thanks Bailey, currently using PSM - now I'm looking at someone who can provide a security audit..(looking at reputations of certain companies here on WHT)..
Oh boy! Phewks!
linux-tech 07-25-2008, 11:28 PM we always get someone logging into the admin area and changing the admin password...(potentially a hack)
It sounds like you're running a 'hacked' version of WHMCS. Do a complete install, from legitimate WHMCS sources (download only from whmcs.com). A legitimate version of WHMCS won't allow that.
I also discovered a script on the server and it was found under a client's whmcs
Most likely this is how the user got access to the server itself. Make sure that all versions of WHMCS on your server are up to date.
How secure/vulnerable is whmcs..? - thanks
WHMCS has had its security issues, but if you download files from legitimate (not 'nulled', or 'hacked') sources, you should be fine
How secure/vulnerable is whmcs..?
WHMCS is secure enough, though it could stand to be a good deal more secure. If security issues are brought up, they are addressed in a quick and timely fashion by Matt, providing that they're WHMCS related and NOT server related.
I'd suggest going through the server and having someone perform a massive security audit to ensure that the server is up to date. If you're using an old(er) OS, then you need to update that.
max777 07-26-2008, 12:22 AM Well I did have this issue too with whmcs, I had the latest version, I think 3.5. I don't have a server, I have a reseller account. The company that provides me the reseller account is a very well known company so I don't think it is a security issue because they told me they searched all the server and didn't find any issue. The solution for this problem is to secure all the directory of the admin area with a password
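The two concrete fixes suggested in this thread, REVCOM-Lawrence's "check whether the upload directory is chmod 777 and set it to 755" and max777's "password-protect the admin directory", are both things a server admin can check and apply with a few shell commands. The script below is an added example written for this thread; it is not code from WHMCS or from any poster. It builds a small constructed directory tree standing in for a hosting account (the paths are hypothetical), lists and tightens world-writable directories, and drops a Basic-auth .htaccess into the admin directory. The AuthUserFile path is a placeholder; the .htpasswd file itself must be created with htpasswd and kept outside the web root.

```sh
#!/bin/sh
# Added example (not from the original thread or from WHMCS).
# Assumes a POSIX shell with find, chmod, mkdir and grep.

# make_sample_tree DIR: constructed stand-in for a hosting account with one
# world-writable upload directory (the hole discussed in the thread) and an
# unprotected admin directory.
make_sample_tree() {
    mkdir -p "$1/public_html/whmcs/images" "$1/public_html/whmcs/admin"
    chmod 755 "$1/public_html" "$1/public_html/whmcs" "$1/public_html/whmcs/admin"
    chmod 777 "$1/public_html/whmcs/images"   # anyone on the box can drop files here
}

# list_world_writable ROOT: directories under ROOT with the other-write bit set.
# -perm -002 matches that bit regardless of the remaining mode bits.
list_world_writable() {
    find "$1" -type d -perm -002 | sort
}

# count_world_writable ROOT: how many such directories exist (0 is the goal).
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# tighten_world_writable ROOT: reset each world-writable directory to 755 and
# print what was changed so the fix leaves an audit trail.
tighten_world_writable() {
    list_world_writable "$1" | while IFS= read -r d; do
        chmod 755 "$d"
        printf 'fixed: %s\n' "$d"
    done
}

# admin_dir_protected ADMINDIR: succeeds only if the directory carries an
# .htaccess that requires an authenticated user.
admin_dir_protected() {
    [ -f "$1/.htaccess" ] && grep -qi '^[[:space:]]*Require[[:space:]]*valid-user' "$1/.htaccess"
}

# protect_admin_dir ADMINDIR: write a Basic-auth .htaccess. The AuthUserFile
# path is a placeholder; point it at an htpasswd file outside public_html.
protect_admin_dir() {
    cat > "$1/.htaccess" <<'EOF'
AuthType Basic
AuthName "Restricted admin area"
AuthUserFile /home/ACCOUNT/.htpasswd
Require valid-user
EOF
}

# Demo run on the constructed tree (skipped when DEMO_RUN=0).
if [ "${DEMO_RUN:-1}" = "1" ]; then
    demo=$(mktemp -d)
    make_sample_tree "$demo"
    echo "world-writable before: $(count_world_writable "$demo")"
    tighten_world_writable "$demo"
    echo "world-writable after:  $(count_world_writable "$demo")"
    protect_admin_dir "$demo/public_html/whmcs/admin"
    admin_dir_protected "$demo/public_html/whmcs/admin" && echo "admin dir: protected"
    rm -rf "$demo"
fi
```

Run it against a real account by replacing the constructed tree with the account's document root; 755 keeps the directory readable by the web server while removing the bit that lets any other local user write into it, and the .htaccess adds a second credential in front of the WHMCS admin login rather than replacing it.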
bithost(NET) 07-26-2008, 12:46 AM Thanks Bailey, currently using PSM - now I'm looking at someone who can provide a security audit..(looking at reputations of certain companies here on WHT)..
Oh boy! Phewks!
See, this is why I am not a big fan of PSM ... people seem to think that PSM is full-fledged server administration, and they're not ... you still need someone actually administering and managing the box.
The things they do are a fine starting point, but they are reactive (so they only do the work when you request it) and they don't do a good job on more detailed, truly investigative issues. I should also mention that everything PSM does, you can do for free, and there are actually better tools/solutions out there than what PSM installs.
While you're shopping around for the security audit, perhaps also keep your eyes open for someone who can truly manage your server. ;)
:D Bailey
HostingFuze 07-26-2008, 07:01 PM See, this is why I am not a big fan of PSM ... people seem to think that PSM is full-fledged server administration, and they're not ... you still need someone actually administering and managing the box.
The things they do are a fine starting point, but they are reactive (so they only do the work when you request it) and they don't do a good job on more detailed, truly investigative issues. I should also mention that everything PSM does, you can do for free, and there are actually better tools/solutions out there than what PSM installs.
While you're shopping around for the security audit, perhaps also keep your eyes open for someone who can truly manage your server. ;)
:D Bailey
I completely agree, and had the same experiences with PSM when I used them a couple years ago.
ServerManagement 07-26-2008, 07:14 PM This thread is not about us so please keep us out of it. The OP has not expressed any level of dissatisfaction with us at all in any way. If the OP is not satisfied, then he should say so, but he isn't. To the contrary, he has praised us several times here on wht in the past.
Furthermore, the OP has not even requested security hardening for this issue. All he did was open a ticket regarding a notice from csf that he got and asked us what it was.
We are more than capable and willing to do the security hardening he needs to solve this as we do all the time for anyone that requests it. All he has to do is simply open a ticket asking us.
BluewaveHosted 07-26-2008, 07:38 PM I was just wondering, we are using whmcs for client billing and its a great thing, but I'm really concerned and want anyone out there to respond to this post, we always get someone logging into the admin area and changing the admin password...(potentially a hack), I always have to go and change the password and email via mysql and I use everything - symbols, numbers, caps etc .. I also discovered a script on the server and it was found under a client's whmcs....the file was called images/readme.php..deleted the file, and changed the passwords to that account
How secure/vulnerable is whmcs..? - thanks
Where did you purchase your WHMCS license from? Was it from WHMCS.com directly, a reseller or some forum where you downloaded a possible infected nulled version?
bithost(NET) 07-26-2008, 08:16 PM This thread is not about us so please keep us out of it.
Then why are you here? :rolleyes:
We are more than capable ... to do the security hardening he needs to solve this
With all due respect, my repeated first-hand experience and observations show that this is not the case. Sorry Ethan.
:D Bailey
ServerManagement 07-26-2008, 09:23 PM Then why are you here? :rolleyes:
I was directly responding to the comments about us, and nothing else.
With all due respect, my repeated first-hand experience and observations show that this is not the case. Sorry Ethan.
:D Bailey
I know your feelings as you have expressed them numerous times, and I have asked you each and every time who you are to see what happened and you refused each and every time to give us any information at all. There are tons of posts all over wht from our satisfied customers, so I am very surprised to hear your experience was different, and that is why I am so interested in finding out what happened.
bithost(NET) 07-27-2008, 08:43 PM I have asked you each and every time who you are to see what happened and you refused each and every time to give us any information at all.
And I have responded numerous times that I cannot and will not compromise my clients' privacy. Citing specifics would break our Privacy Policy, and I'm not going to do that to my customers. Your continued requests for me to do so are completely out of line. I'm not throwing my clients under the bus, so forget it. Stop asking. :rolleyes:
Truly Ethan, if you can't find the problems yourself, in your tickets (and you should be able to, after all, it's pretty obvious when a ticket sits 24 hrs. + with no answer) that's a shortcoming with PSM, not with the customers ... it's not my job nor my responsibility to point out things that are already sitting fully documented in your helpdesk. It's not my fault if you're not aware of what's going on. That's something you've got to sort out, whatever the cause is (technical limitations, lack of review, ???).
Stop spinning your wheels on me, I'm not the problem. I'm merely the messenger.
:D Bailey
ServerManagement 07-27-2008, 09:09 PM And I have responded numerous times that I cannot and will not compromise my clients' privacy. Citing specifics would break our Privacy Policy, and I'm not going to do that to my customers. Your continued requests for me to do so are completely out of line. I'm not throwing my clients under the bus, so forget it. Stop asking. :rolleyes:
Truly Ethan, if you can't find the problems yourself, in your tickets (and you should be able to, after all, it's pretty obvious when a ticket sits 24 hrs. + with no answer) that's a shortcoming with PSM, not with the customers ... it's not my job nor my responsibility to point out things that are already sitting fully documented in your helpdesk. It's not my fault if you're not aware of what's going on. That's something you've got to sort out, whatever the cause is (technical limitations, lack of review, ???).
Stop spinning your wheels on me, I'm not the problem. I'm merely the messenger.
:D Bailey
All I am asking is what your account with us was so I can review your tickets. Since you are the one saying you had a bad experience with us, we are being completely reasonable in asking you who you are to see what happened. There is absolutely no company that would sit quietly when some unidentified anonymous stranger keeps bashing them.
Telling us what your account with us was does not compromise your clients in any way and does not reveal any private information at all. I am not asking you to post anything here publicly, nor for any information that is not already in a past ticket.
You keep making claims and we have no way to respond to them as we have no way of knowing what happened without knowing who you are, and I will continue to argue this every time you bring this up until you tell us who you are and allow us to investigate your claims.
anon-e-mouse 07-28-2008, 02:32 AM How about we get this thread back on topic okay?
bithost(NET) 07-28-2008, 12:53 PM Telling us what your account with us was does not compromise your clients in any way and does not reveal any private information at all.
Ethan, I don't have an account with you right now; I used to, for about 18 months. But it is now closed. Currently, my clients have accounts; ironically, at my recommendation. :( That is how the clients get affected by this... sorry, but that's a no-go.
mouse, I promise I'm done, I only wished to address PSM's direct questions. Thanks. :)
:D Bailey
Joey1073 07-28-2008, 03:56 PM I have used this script in the past with no issues.
PCS-Chris 07-28-2008, 05:42 PM We use WHMCS and have done for just shy of two years now, for all of our Sales/Billing/Support. The inbuilt ticketing system is great, and other than a few bugs after upgrades we have had no issues with it.
It's a level above other systems I have used before like Clientexec IMO.
javierkatana 08-18-2008, 03:49 PM Beware, nulled versions of this script come with call backs and hacks. I've seen these things happening in Spanish forums, pirate resellers offer discounted versions of WHMCS. You either need a competent admin to establish permissions or you didn't buy the script directly from whmcs.com. I wouldn't dare to say you are pirating, just check if you can download and install the latest version from the dev site.