12-08-2011, 03:12 AM #1
WHMCS Attack through php eval - Is my WHMCS hacked?
Hello,
I just got a ticket from this IP 92.255.18.219
Ticket: {php}eval(base64_decode('code..xyz...')phpxyz
I opened this ticket and did not find anything in this ticket
Is my WHMCS still secure?
Last edited by DewlanceHosting; 12-08-2011 at 03:16 AM. Reason: hacking.. :)
Dewlance® Shared/Reseller/Master Reseller - US/UK/EU/FRK/CA - SSD
WHMCS ReadyMadeKB - Tutorials for cPanel/InterWorx/Softaculous& Growing..
DemoTiger.com - Buy Demo Videos for your Hosting Company
-
12-08-2011, 03:13 AM #2 Web Hosting Master
- Join Date
- Oct 2004
- Location
- Oneida, NY
- Posts
- 2,849
-
12-08-2011, 03:19 AM #3
-
12-08-2011, 03:22 AM #4
I decoded his code through a base64 decoder..
$text=file_get_contents("configuration.php");
REMOVED.....
eval($text);
$db=mysql_connect($db_host,$db_username,$db_password) or die("Can't open connection to MySQL");
mysql_select_db($db_name) or die("Can't select database");
$delete ="DELETE from tbltickets WHERE title like 0x257B7068707D25;";
mysql_query($delete);
$delete2 ="DELETE from tblactivitylog WHERE ipaddr='".$_SERVER['REMOTE_ADDR']."';";
REMOVED!!!!! so others will not use this...
-
12-08-2011, 03:23 AM #5 Junior Guru Wannabe
- Join Date
- Jan 2004
- Posts
- 79
Did you apply the security patch?
http://blog.whmcs.com/?t=43462
If so you have nothing to worry about.
-
12-08-2011, 03:24 AM #6
It seems this person tried to get my database details through this method, but I am using WHMCS 4.x ))
-
12-08-2011, 03:25 AM #7 Junior Guru Wannabe
- Join Date
- Jan 2004
- Posts
- 79
-
12-08-2011, 03:26 AM #8
-
12-08-2011, 03:27 AM #9 Junior Guru Wannabe
- Join Date
- Jan 2004
- Posts
- 79
-
12-08-2011, 11:42 PM #10 Temporarily Suspended
- Join Date
- Dec 2011
- Posts
- 1
I have a follow up enquiry
Hi guys,
I am a little concerned in regards to my WHMCS installation, as I have already upgraded to the latest version.
Although, about an hour ago I received a support ticket through with tons of encrypted Base64 code which I decoded, which led to an output of this:
$f0p3n = fopen ('templates_c/indexx.php','a');
<<snipped exploit code yet again>>
It's more or less the third time in two months I've had this now (even with the most recent upgrade) it's still happening.
Any thoughts in preventing this from happening?
Thanks.
'Josh.
Last edited by bear; 12-09-2011 at 11:59 PM.
-
12-08-2011, 11:44 PM #11 WHT Addict
- Join Date
- Dec 2010
- Location
- surabaya, indonesia
- Posts
- 135
Fast Host Online Hosting, Domain, VPS, Dedicated Server
OpenVZ, Xen, And WIndows VPS
http://www.fasthostonline.co.id
-
12-09-2011, 12:08 AM #12 Web Hosting Master
- Join Date
- Nov 2004
- Location
- Australia
- Posts
- 1,737
This shows an attempt to hack, which may or may not have succeeded. If you have the recently released security patches installed you are safe.
This could be prevented by a mod_security rule which caught the {php} tag in posts, keep meaning to write one but haven't yet ...
-
12-09-2011, 12:13 AM #13 Web Hosting Master
- Join Date
- Mar 2009
- Location
- CA
- Posts
- 9,350
Same here!
〓〓 RackNerd LLC - Introducing Infrastructure Stability
〓〓 Dedicated Servers, Private Cloud, DRaaS, Colocation, VPS, DDoS Mitigation, Shared & Reseller Hosting
〓〓 www.linkedin.com/in/dustincisneros/
〓〓 My fancy email dustin@racknerd.com
-
12-09-2011, 03:29 AM #14
Received another 3 new tickets with this subject "eval..base64_decode" and base_64
- Seems they are trying to get template_c files..
Solution: apply the patch, move all three of your 777-permission folders to /home/user/XYZ..
- ban ticket subject: {php} and base64..
-
12-09-2011, 04:49 AM #15 Temporarily Suspended
- Join Date
- Sep 2011
- Location
- UK
- Posts
- 166
It seems to be a plague recently for many billing systems not only WHMCS. I heard it is a problem with smarty not honoring PHP_TAGS status or so. Do you have more reliable news about the reason behind the vulnerability?
-
12-09-2011, 07:28 AM #16 Web Hosting Master
- Join Date
- Nov 2004
- Location
- Australia
- Posts
- 1,737
the reason? not sure what you're asking?
The vulnerability is the Smarty {php} tag, if that's what you're asking, but that should have been apparent from the above?
-
12-09-2011, 07:34 AM #17 I route, therefore I am
- Join Date
- Dec 2010
- Location
- Good question
- Posts
- 697
Got the same from 92.255.18.219
Who is this retard? :|
-
12-09-2011, 07:54 AM #18
Proxy IP + use for spamming
http://www.stopforumspam.com/ipcheck/92.255.18.219
-
12-09-2011, 08:03 AM #19 Temporarily Suspended
- Join Date
- Sep 2011
- Location
- UK
- Posts
- 166
@brianoz
Disabling php tag has been one of the security features of smarty templates for years. Weird it created issues just now. I used to believe it was disabled in such serious projects as billing systems but seems like it was not at least in email/ticket parsing code.
-
12-09-2011, 02:15 PM #20 Web Hosting Master
- Join Date
- Feb 2003
- Location
- Cumbernauld, Scotland, UK
- Posts
- 735
Last edited by m8internet; 12-09-2011 at 02:20 PM.
M8 INTERNET : Simple and cost effective website hosting from the UK
M8 INTERNET : Google Ads Account Management
-
12-09-2011, 02:18 PM #21 Web Hosting Master
- Join Date
- Feb 2003
- Location
- Cumbernauld, Scotland, UK
- Posts
- 735
-
12-09-2011, 02:19 PM #22 Newbie
- Join Date
- Feb 2011
- Posts
- 10
The attack is from Turkey. Most people are getting the attack.
-
12-09-2011, 02:50 PM #23 Junior Guru Wannabe
- Join Date
- Jul 2010
- Location
- Istanbul
- Posts
- 41
Hi
Look for b0x.php in your directories. We had the same attack, and that encrypted code writes b0x.php to your directory, which is a file uploader.
Maybe the attacker changed the filename; just decode the base64 with this tool.
http://www.opinionatedgeek.com/dotne.../base64decode/
Also there are fixed files on the WHMCS forums.
-
12-09-2011, 09:43 PM #24 Web Hosting Master
- Join Date
- Mar 2009
- Posts
- 3,700
Hi,
1. I also got the attack some hours ago. It is from 2.90.183.224
2. My template_c is not under /public_html,
and I followed http://forum.whmcs.com/showthread.php?p=206522 to update days ago.
I used http://www.opinionatedgeek.com/dotne.../base64decode/ to get the code
$code = base64_decode
<<snipped exploit code yet again>>
$fo = fopen("templates_c/red.php","w");
fwrite($fo,$code);
but I cannot find the file templates_c/red.php.
Does it mean the attack did not succeed, correct?
But is there any other way to make sure the attack was not successful?
thanx
Last edited by bear; 12-10-2011 at 12:00 AM.
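Added example (not part of the thread, and not WHMCS or Smarty code): a Python triage script for the question raised in post #24. It decodes the base64_decode('...') layers of a ticket without executing them, lists the paths the payload passes to fopen(), and reports which of them exist under the WHMCS root; the function names, the constructed sample ticket and the .tpl.php naming assumption are this example's own.

```python
import base64
import re
from pathlib import Path

PHP_TAG = re.compile(r"\{\s*php\s*\}", re.I)  # Smarty {php} tag, any case/spacing
B64_CALL = re.compile(r"base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1", re.I)
FOPEN = re.compile(r"fopen\s*\(\s*(['\"])(.+?)\1", re.I)  # files a payload opens


def decode_layers(text, max_depth=5):
    """Return the text plus each nested base64 layer; nothing is executed."""
    layers, queue = [], [(text, 0)]
    while queue:
        current, depth = queue.pop()
        layers.append(current)
        if depth >= max_depth:
            continue
        for _, blob in B64_CALL.findall(current):
            try:
                raw = base64.b64decode("".join(blob.split()), validate=True)
            except ValueError:  # malformed base64: ignore this literal
                continue
            queue.append((raw.decode("latin-1"), depth + 1))
    return layers


def triage_ticket(text, whmcs_root="."):
    """Report the tag, the paths the payload opens, and which exist on disk."""
    layers = decode_layers(text)
    targets = sorted({p for layer in layers for _, p in FOPEN.findall(layer)})
    on_disk = [t for t in targets if (Path(whmcs_root) / t).is_file()]
    return {"php_tag": bool(PHP_TAG.search(text)),
            "drop_targets": targets, "present_on_disk": on_disk}


def stray_php(whmcs_root=".", cache_dir="templates_c"):
    """PHP files in the cache dir that are not compiled templates (*.tpl.php).
    Assumption: Smarty names its compiled templates with a .tpl.php suffix."""
    files = (Path(whmcs_root) / cache_dir).glob("*.php")
    return sorted(f.name for f in files if not f.name.endswith(".tpl.php"))


def sample_ticket():
    """Constructed sample: the ticket shape from post #1 wrapping one fopen line."""
    inner = b'$fo = fopen("templates_c/red.php","w");'
    return "{php}eval(base64_decode('%s'));" % base64.b64encode(inner).decode()


if __name__ == "__main__":
    print(triage_ticket(sample_ticket()))
    print(stray_php())
```

Because a dropped file may have been renamed, as post #23 notes, stray_php() checks the whole cache directory rather than one filename.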
-
12-09-2011, 11:57 PM #25 Web Hosting Master
- Join Date
- May 2010
- Location
- Bhakkar
- Posts
- 1,592
Same here. Posted at whmcs forum http://forum.whmcs.com/showthread.php?t=43745 and waiting for any reasonable reply.
██ HostinPK.com
██ [US/UK] Shared Hosting, Reseller Hosting, VPS Hosting
██ cPanel/CWP | Softaculous | WHMCS | Dedicated IP | SSL
██ We accept PayPal, 2checkout, Credit Cards, and Bank payments