TigerHostBD
10-09-2008, 05:51 AM
I am using WHMCS for managing my clients. This morning I found that my WHMCS admin account got hacked and I was not able to access my admin area. I tried to recover the password by giving my email address. But unfortunately the hacker changed my email address in WHMCS also. I contacted WHMCS support immediately and they reset the password and sent me the password.
I have already taken precautions so that this situation doesn't occur again. I have already banned the hacker's IP and changed the admin folder name.
Please reply in this thread if you have experienced this kind of problem before. If you have any new idea how I can secure my WHMCS, please reply in this thread.
040Hosting
10-09-2008, 05:55 AM
Were you running the latest version of WHMCS? Any idea how they got into your account? If so, please share so that others can learn from it.
TigerHostBD
10-09-2008, 06:34 AM
040Hosting, I am running a fully licensed version of WHMCS. I have no idea how they got into my WHMCS admin account.
- Did you employ all of the security measures they recommend on the site? (non-default admin folder, certain folders above root and so on).
- Did you have a strong password, and did you lock the admin folder to one IP or additionally password protect it?
- Is there someone that can forensically investigate this for you to discover how they got in (server admin)?
01globalnet
10-09-2008, 06:41 AM
Do you have the latest version?
Do you have WHMCS installed on a shared server?
040Hosting
10-09-2008, 06:53 AM
040Hosting, I am running a fully licensed version of WHMCS. I have no idea how they got into my WHMCS admin account.
I understand that, but was it the latest available version? 3.7.1 or 3.7.2 or lower?
TigerHostBD
10-09-2008, 07:13 AM
- Did you employ all of the security measures they recommend on the site? (non-default admin folder, certain folders above root and so on).
- Did you have a strong password, and did you lock the admin folder to one IP or additionally password protect it?
- Is there someone that can forensically investigate this for you to discover how they got in (server admin)?
I employed all the security measures recommended in WHMCS's site and I had a strong password.
I have a dynamic IP so I haven't locked the admin folder to one IP. If you have any solution how I can lock my WHMCS admin folder only accessible through my IP range please inform.
I am yet to find someone who could investigate the problem and say where I had the problem.
Do you have the latest version?
Do you have WHMCS installed on a shared server?
I understand that, but was it the latest available version? 3.7.1 or 3.7.2 or lower?
I am using 3.7.1 and very soon I will update to 3.7.2. WHMCS is not installed in a dedicated server but sites of my clients have also been hosted there.
DigitalLinx
10-09-2008, 07:37 AM
Do you run suphp/suexec? If not, it's possible that one of your customers got compromised, and since the apache uid needs access to *ALL* vhost dirs the attacker was able to list/read files in your vhost directory as well. From there he could have viewed configuration.php to see the mysql details and insert anything he wanted in your WHMCS database.
That's one possible explanation.
Btcc22
10-09-2008, 09:23 AM
One thing I do is double password important login areas by throwing in a .htaccess to the folder where the login page resides, just as an extra barrier to entry.
DigitalLinx
10-09-2008, 09:43 AM
One thing I do is double password important login areas by throwing in a .htaccess to the folder where the login page resides, just as an extra barrier to entry.
.htaccess is useless if the attacker was/is able to execute commands on your server. He is also able to view your .htpasswd files as well from where he could have gotten access to your .htaccess protected directories.
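The exposure DigitalLinx describes in the two posts above (another local uid reading configuration.php or .htpasswd on a shared server) can be checked from the server side. The following is an added example, not part of the original thread: a Python audit that flags those files when their mode bits let a different local user, such as a shared Apache uid without suPHP/suexec, read them. The root path passed in and the SENSITIVE name list are assumptions.

```python
import os
import stat

# File names this thread identifies as holding credentials (assumed list).
SENSITIVE = {"configuration.php", ".htpasswd"}

def other_can_reach(path, root):
    """True if every directory from the file's parent up to and including
    root grants 'other' the execute (traverse) bit. Directories above root
    are not checked."""
    root = os.path.abspath(root)
    cur = os.path.dirname(os.path.abspath(path))
    while True:
        if not os.stat(cur).st_mode & stat.S_IXOTH:
            return False
        parent = os.path.dirname(cur)
        if cur == root or parent == cur:
            return True
        cur = parent

def audit(root):
    """Return sorted [(path, octal_mode)] for sensitive regular files that
    a different local uid could open for reading."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in SENSITIVE:
                continue
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks and special files
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IROTH and other_can_reach(full, root):
                findings.append((full, oct(mode)))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    for path, mode in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{mode}  {path}  readable by other local users")
```

A finding means the file depends on every other account on the box staying uncompromised; with suPHP/suexec the file can be owned by the account user and set to 0600 so it no longer appears.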
WeWatch
10-09-2008, 01:28 PM
TigerHostBD, do you have your log files from the time before and right after the "hacking"?
If so, we might be able to help you with the forensics.
Let me know...