Results 1 to 25 of 199
  1. #1

    WHMCS Attack through php eval - Is my WHMCS hacked?

    Hello,

    I just got a ticket from this IP 92.255.18.219

    Ticket: {php}eval(base64_decode('code..xyz...')phpxyz


    I opened this ticket and did not find anything in it.


    Is my WHMCS still secure?
    Last edited by DewlanceHosting; 12-08-2011 at 03:16 AM. Reason: hacking.. :)
    Dewlance® Shared/Reseller/Master Reseller - US/UK/EU/FRK/CA - SSD
    WHMCS ReadyMadeKB - Tutorials for cPanel/InterWorx/Softaculous& Growing..
    DemoTiger.com - Buy Demo Videos for your Hosting Company

  2. #2
    Join Date
    Oct 2004
    Location
    Oneida, NY
    Posts
    2,849
    Quote Originally Posted by DewlanceHosting View Post
    Hello,

    I just got a ticket from this IP 92.255.18.219

    Ticket: {php}eval(base64_decode('code..xyz...')phpxyz


    I opened this ticket and did not find anything in it.


    Is my WHMCS still secure?
    Edit: In a ticket? Hmmm, might not be anything, but I'd ask WHMCS to make sure.

    Is your templates_c folder behind the public_html folder?
    Big things coming soon

  3. #3
    Quote Originally Posted by Nick H View Post
    Edit: In a ticket? Hmmm, might not be anything, but I'd ask WHMCS to make sure.

    Is your templates_c folder behind the public_html folder?
    yes.


    Dewlance® Shared/Reseller/Master Reseller - US/UK/EU/FRK/CA - SSD
    WHMCS ReadyMadeKB - Tutorials for cPanel/InterWorx/Softaculous& Growing..
    DemoTiger.com - Buy Demo Videos for your Hosting Company

  4. #4
    I decoded his code with a base64 decoder..



    $text=file_get_contents("configuration.php");
    REMOVED.....
    eval($text);

    $db=mysql_connect($db_host,$db_username,$db_password) or die("Can't open connection to MySQL");
    mysql_select_db($db_name) or die("Can't select database");
    $delete ="DELETE from tbltickets WHERE title like 0x257B7068707D25;";
    mysql_query($delete);
    $delete2 ="DELETE from tblactivitylog WHERE ipaddr='".$_SERVER['REMOTE_ADDR']."';";
    REMOVED!!!!! so others will not use this...
    Dewlance® Shared/Reseller/Master Reseller - US/UK/EU/FRK/CA - SSD
    WHMCS ReadyMadeKB - Tutorials for cPanel/InterWorx/Softaculous& Growing..
    DemoTiger.com - Buy Demo Videos for your Hosting Company

  5. #5
    Join Date
    Jan 2004
    Posts
    79
    Did you apply the security patch?

    http://blog.whmcs.com/?t=43462

    If so you have nothing to worry about.

  6. #6
    It seems this person tried to get my database details through this method, but I am using WHMCS 4.x ))
    Dewlance® Shared/Reseller/Master Reseller - US/UK/EU/FRK/CA - SSD
    WHMCS ReadyMadeKB - Tutorials for cPanel/InterWorx/Softaculous& Growing..
    DemoTiger.com - Buy Demo Videos for your Hosting Company

  7. #7
    Join Date
    Jan 2004
    Posts
    79
    Quote Originally Posted by DewlanceHosting View Post
    It seems this person tried to get my database details through this method, but I am using WHMCS 4.x ))
    Apply the patch above.

  8. #8
    Quote Originally Posted by Nick H View Post
    Edit: In a ticket? Hmmm, might not be anything, but I'd ask WHMCS to make sure.

    Is your templates_c folder behind the public_html folder?
    Quote Originally Posted by Dawg View Post
    Did you apply the security patch?

    http://blog.whmcs.com/?t=43462

    If so you have nothing to worry about.
    Yes, already applied..
    Dewlance® Shared/Reseller/Master Reseller - US/UK/EU/FRK/CA - SSD
    WHMCS ReadyMadeKB - Tutorials for cPanel/InterWorx/Softaculous& Growing..
    DemoTiger.com - Buy Demo Videos for your Hosting Company

  9. #9
    Join Date
    Jan 2004
    Posts
    79
    Quote Originally Posted by DewlanceHosting View Post
    Yes, already applied..
    then don't worry

  10. #10
    Join Date
    Dec 2011
    Posts
    1

    I have a follow-up enquiry

    Hi guys,

    I am a little concerned in regards to my WHMCS installation, as I have already upgraded to the latest version.

    Although, about an hour ago I received a support ticket with tons of encrypted Base64 code, which I decoded, which led to this output:

    $f0p3n = fopen ('templates_c/indexx.php','a');

    <<snipped exploit code yet again>>

    It's more or less the third time in two months I've had this now; even with the most recent upgrade, it's still happening.

    Any thoughts on preventing this from happening?

    Thanks.

    'Josh.
    Last edited by bear; 12-09-2011 at 11:59 PM.

  11. #11
    Join Date
    Dec 2010
    Location
    surabaya, indonesia
    Posts
    135
    Quote Originally Posted by DewlanceHosting View Post
    Hello,

    I just got a ticket from this IP 92.255.18.219

    Ticket: {php}eval(base64_decode('code..xyz...')phpxyz


    I opened this ticket and did not find anything in it.


    Is my WHMCS still secure?
    Same as me. I got this eval from the same IP.
    Fast Host Online Hosting, Domain, VPS, Dedicated Server
    OpenVZ, Xen, And WIndows VPS
    http://www.fasthostonline.co.id

  12. #12
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,737
    Quote Originally Posted by Joshua95 View Post
    I am a little concerned in regards to my WHMCS installation, as I have already upgraded to the latest version.
    This shows an attempt to hack, which may or may not have succeeded. If you have the recently released security patches installed you are safe.


    Quote Originally Posted by Joshua95 View Post
    Any thoughts in preventing this from happening?
    This could be prevented by a mod_security rule that catches the {php} tag in posts; I keep meaning to write one but haven't yet ...

  13. #13
    Join Date
    Mar 2009
    Location
    CA
    Posts
    9,350
    Same here!
    〓〓 RackNerd LLC - Introducing Infrastructure Stability
    〓〓 Dedicated Servers, Private Cloud, DRaaS, Colocation, VPS, DDoS Mitigation, Shared & Reseller Hosting
    〓〓 www.linkedin.com/in/dustincisneros/
    〓〓 My fancy email dustin@racknerd.com

  14. #14

    Received another 3 new tickets with this subject: "eval..base64_decode" and base_64

    - Seems they are trying to get templates_c files..


    Solution: apply the patch, move all three of your 777-permission folders to /home/user/XYZ..

    - ban ticket subject: {php} and base64..
    Dewlance® Shared/Reseller/Master Reseller - US/UK/EU/FRK/CA - SSD
    WHMCS ReadyMadeKB - Tutorials for cPanel/InterWorx/Softaculous& Growing..
    DemoTiger.com - Buy Demo Videos for your Hosting Company
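    As an added example (not code from the thread, from WHMCS or from any poster), here is the intake filter brianoz (#12) and DewlanceHosting (#14) describe, written in Python so it can be run over sample tickets: it normalizes a ticket's subject and body (URL and HTML-entity decoding, repeated because the encodings can be nested), looks for the Smarty {php} tag and the eval(base64_decode(...)) idiom quoted in this thread, and decodes any long base64 run to see whether it hides PHP. The sample tickets and the "payload" are constructed for the demo; the payload decodes to a PHP line that only echoes a string.

```python
"""Flag support tickets that carry a Smarty {php} tag or an eval(base64_decode()) payload.

Added example: this is not code from the thread, from WHMCS or from any poster.
It models the intake filter described in posts #12 and #14. All sample tickets
below are constructed; the "payload" is a harmless marker string.
"""
import base64
import html
import re
import urllib.parse

# Smarty 2 accepts "{php}" and "{ php }" (and the closing "{/php}"), so allow whitespace.
SMARTY_PHP_TAG = re.compile(r"\{\s*/?\s*php\s*\}", re.IGNORECASE)
# The literal idiom quoted in the thread.
EVAL_B64 = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)
# Any long base64 run; it is decoded and scanned so a payload hidden in a blob is still seen.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# What decoded PHP tends to contain.
PHP_MARKERS = re.compile(r"<\?php|\bfopen\s*\(|\bfwrite\s*\(|\beval\s*\(", re.IGNORECASE)


def normalize(text: str) -> str:
    """Undo URL (%7B) and HTML entity (&#123;) encoding, repeated because attackers nest them.

    urllib.parse.unquote (not unquote_plus) is used so '+' inside base64 survives.
    """
    for _ in range(3):
        decoded = html.unescape(urllib.parse.unquote(text))
        if decoded == text:
            break
        text = decoded
    return text


def decode_blobs(text: str):
    """Yield the UTF-8 text of every long base64 run in `text` that decodes cleanly."""
    for match in B64_BLOB.finditer(text):
        blob = match.group(0)
        try:
            yield base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-8", "ignore")
        except ValueError:  # binascii.Error is a ValueError: not really base64
            continue


def classify_ticket(subject: str, body: str) -> list:
    """Return the reasons a ticket looks like a {php} injection attempt; [] means clean."""
    reasons = []
    for field, raw in (("subject", subject), ("body", body)):
        text = normalize(raw)
        if SMARTY_PHP_TAG.search(text):
            reasons.append(f"{field}: smarty {{php}} tag")
        if EVAL_B64.search(text):
            reasons.append(f"{field}: eval(base64_decode(...))")
        for decoded in decode_blobs(text):
            if PHP_MARKERS.search(decoded) or SMARTY_PHP_TAG.search(decoded):
                reasons.append(f"{field}: base64 blob decodes to PHP")
                break
    return reasons


# Constructed marker payload: decodes to PHP that only echoes a string.
MARKER_PAYLOAD = base64.b64encode(
    b"<?php /* constructed marker for the demo, does nothing */ echo 'hello'; ?>"
).decode("ascii")

# Constructed sample tickets: one benign, three in the shapes seen in the thread.
SAMPLE_TICKETS = [
    ("Billing question", "Hi, my invoice total looks wrong, can you check it?"),
    ("Help", "{php}eval(base64_decode('" + MARKER_PAYLOAD + "'));{/php}"),
    ("Help", "%7Bphp%7D eval(base64_decode('...'))"),
    ("Order", "Please see the attached file " + MARKER_PAYLOAD),
]

if __name__ == "__main__":
    for subject, body in SAMPLE_TICKETS:
        verdict = classify_ticket(subject, body)
        print("BLOCK " if verdict else "ALLOW ", subject, "->", verdict)
```

    The same patterns are what a mod_security rule on the ticket form's request arguments would match. A filter like this is a second line only: the fix the thread keeps pointing back to is the WHMCS patch, which stops the {php} tag from being evaluated at all, so a ticket that slips past the filter is still harmless once the patch is applied.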

  15. #15
    Join Date
    Sep 2011
    Location
    UK
    Posts
    166
    It seems to be a plague recently for many billing systems not only WHMCS. I heard it is a problem with smarty not honoring PHP_TAGS status or so. Do you have more reliable news about the reason behind the vulnerability?

  16. #16
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,737
    the reason? not sure what you're asking?

    The vulnerability is the Smarty {php} tag, if that's what you're asking, but that should have been apparent from the above?

  17. #17
    Join Date
    Dec 2010
    Location
    Good question
    Posts
    697
    Got the same from 92.255.18.219

    Who is this retard? :|

  18. #18
    Quote Originally Posted by Wintereise View Post
    Got the same from 92.255.18.219

    Who is this retard? :|
    Proxy IP + used for spamming

    http://www.stopforumspam.com/ipcheck/92.255.18.219
    Dewlance® Shared/Reseller/Master Reseller - US/UK/EU/FRK/CA - SSD
    WHMCS ReadyMadeKB - Tutorials for cPanel/InterWorx/Softaculous& Growing..
    DemoTiger.com - Buy Demo Videos for your Hosting Company

  19. #19
    Join Date
    Sep 2011
    Location
    UK
    Posts
    166
    @brianoz
    Disabling the php tag has been one of the security features of Smarty templates for years. Weird that it created issues just now. I used to believe it was disabled in such serious projects as billing systems, but it seems like it was not, at least in the email/ticket parsing code.

  20. #20
    Join Date
    Feb 2003
    Location
    Cumbernauld, Scotland, UK
    Posts
    735
    Quote Originally Posted by DewlanceHosting View Post
    - ban ticket subject: {php} and base64..
    How do you apply that?
    Edit: found it
    Last edited by m8internet; 12-09-2011 at 02:20 PM.
    M8 INTERNET : Simple and cost effective website hosting from the UK
    M8 INTERNET : Google Ads Account Management

  21. #21
    Join Date
    Feb 2003
    Location
    Cumbernauld, Scotland, UK
    Posts
    735
    Quote Originally Posted by Wintereise View Post
    Got the same from 92.255.18.219
    Mine came from 176.44.18.52
    M8 INTERNET : Simple and cost effective website hosting from the UK
    M8 INTERNET : Google Ads Account Management

  22. #22
    The attack is from Turkey. Most people are getting the attack.

  23. #23
    Join Date
    Jul 2010
    Location
    Istanbul
    Posts
    41
    Hi

    Look for b0x.php in your directories. We had the same attack, and that
    encrypted code writes b0x.php, which is a file uploader, to your
    directory.

    Maybe the attacker changed the filename; just decode the base64 with this tool.
    http://www.opinionatedgeek.com/dotne.../base64decode/

    Also there are fixed files on the WHMCS forums.

  24. #24
    Join Date
    Mar 2009
    Posts
    3,700
    Hi,

    1. I also got the attack some hours ago. It is from 2.90.183.224


    2. My templates_c is not under /public_html,
    and I followed http://forum.whmcs.com/showthread.php?p=206522 to update days ago.

    I used http://www.opinionatedgeek.com/dotne.../base64decode/ to get the code:

    $code = base64_decode

    <<snipped exploit code yet again>>

    $fo = fopen("templates_c/red.php","w");
    fwrite($fo,$code);


    But I cannot find the file templates_c/red.php;
    does it mean the attack was not successful, correct?

    But is there any other way to make sure the attack was not successful?


    thanx
    Last edited by bear; 12-10-2011 at 12:00 AM.
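    Added example, not code from the thread or from WHMCS, answering the question in #24 ("any other way to make sure the attack was not successful?") and covering the points raised in #2, #14 and #23: an audit of templates_c that checks whether the directory sits inside the document root, whether it is world-writable (the 777 folders), and whether it holds PHP files that are not Smarty-compiled templates or that contain the fopen/fwrite/eval code quoted above (a dropped red.php or b0x.php would trip both checks). The directory tree, file names and file contents the demo builds are constructed; the assumption that legitimate compiled templates end in .tpl.php and begin with a "/* Smarty version ... */" comment reflects Smarty 2 and should be confirmed against a real templates_c before the check is relied on. A hardened variant of the same tree (templates_c outside the web root, mode 750, nothing dropped) is built alongside to show a clean result.

```python
"""Audit a WHMCS templates_c directory after a suspected {php}-tag attack.

Added example: not code from the thread or from WHMCS. It checks the three
points raised in the thread: templates_c inside the web root, world-writable
(777) permissions, and dropped PHP files such as red.php or b0x.php. The demo
directory tree it builds is constructed; the compiled-template naming
assumption (Smarty 2 writes "*.tpl.php" files starting with a
"/* Smarty version ... */" comment) should be checked against a real install.
"""
import os
import re
import shutil
import stat
import tempfile

# Code the droppers quoted in the thread contain, plus what a "file uploader" needs.
SUSPICIOUS = re.compile(
    rb"eval\s*\(\s*base64_decode|\bfopen\s*\(|\bfwrite\s*\(|move_uploaded_file|\$_FILES",
    re.IGNORECASE,
)
# Assumed Smarty 2 compiled-template header.
SMARTY_HEADER = re.compile(rb"/\*\s*Smarty version")


def audit_templates_c(templates_c, docroot=None):
    """Return a list of (finding, path) pairs; an empty list means nothing was flagged."""
    findings = []
    tc = os.path.realpath(templates_c)

    # 1. Location: compiled templates inside the document root are reachable by URL,
    #    which is exactly what a dropped templates_c/red.php relies on.
    if docroot is not None:
        dr = os.path.realpath(docroot)
        if tc == dr or tc.startswith(dr + os.sep):
            findings.append(("inside_docroot", tc))

    # 2. Permissions: world-writable lets any local process or account write here.
    if stat.S_IMODE(os.stat(tc).st_mode) & stat.S_IWOTH:
        findings.append(("world_writable", tc))

    # 3. Contents: every .php file must look like a compiled template and carry no dropper code.
    for root, _dirs, files in os.walk(tc):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                head = fh.read(64 * 1024)  # header plus any small dropper fits here
            if not name.endswith(".tpl.php") or not SMARTY_HEADER.search(head):
                findings.append(("not_a_compiled_template", path))
            if SUSPICIOUS.search(head):
                findings.append(("suspicious_code", path))
    return findings


def build_demo(base, hardened=False):
    """Constructed layout. Default: templates_c under public_html, mode 777, one
    real-looking compiled template and one dropped file named as in the thread
    (harmless content). hardened=True: templates_c beside public_html, mode 750, no drop."""
    docroot = os.path.join(base, "public_html")
    os.makedirs(docroot)
    tc = os.path.join(base if hardened else docroot, "templates_c")
    os.makedirs(tc)
    os.chmod(tc, 0o750 if hardened else 0o777)
    with open(os.path.join(tc, "%%AB^ABC^ABCDEF12%%header.tpl.php"), "wb") as fh:
        fh.write(b"<?php /* Smarty version 2.6.26, created on 2011-12-08 "
                 b"compiled from header.tpl */ ?>\n<html>\n")
    if not hardened:
        with open(os.path.join(tc, "red.php"), "wb") as fh:
            # Stand-in for the dropper: same fopen/fwrite shape, writes a marker string only.
            fh.write(b"<?php $fo = fopen('marker.txt', 'w'); fwrite($fo, 'marker'); ?>\n")
    return docroot, tc


def run_demo(hardened=False):
    """Build the constructed tree in a temp dir, audit it, clean up, return the findings."""
    base = tempfile.mkdtemp()
    try:
        docroot, tc = build_demo(base, hardened)
        return audit_templates_c(tc, docroot)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print("vulnerable layout:")
    for finding, path in run_demo():
        print(f"  {finding:24} {path}")
    print("hardened layout:", run_demo(hardened=True) or "no findings")
```

    Run it against a real install as `audit_templates_c("/home/user/templates_c", "/home/user/public_html")`. An empty result means the three checks passed, not that the host is clean; the poster in #23 found the dropped file elsewhere in the tree, so the same content scan is worth running over the whole web root and any other writable directory.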

  25. #25
    Join Date
    May 2010
    Location
    Bhakkar
    Posts
    1,592
    Same here. Posted at whmcs forum http://forum.whmcs.com/showthread.php?t=43745 and waiting for any reasonable reply.
    HostinPK.com
    [US/UK] Shared Hosting, Reseller Hosting, VPS Hosting
    cPanel/CWP | Softaculous | WHMCS | Dedicated IP | SSL
    We accept PayPal, 2checkout, Credit Cards, and Bank payments
