Page 1 of 5
Results 1 to 40 of 199
  1. #1
    Join Date
    Jul 2009
    Location
    Kshatriya
    Posts
    2,630

    WHMCS Attack through php eval - Is my WHMCS hacked?

    Hello,

    I just got a ticket from this IP 92.255.18.219

    Ticket: {php}eval(base64_decode('code..xyz...')phpxyz


    I opened this ticket and did not find anything in it


    Is my WHMCS still secure?
    Last edited by DewlanceHosting; 12-08-2011 at 03:16 AM. Reason: hacking.. :)
    Dewlance® Cheap Windows VPS - Chicago/Orlando/Vegas/AZ - SSD
    WHMCS ReadyMadeKB - Tutorials for cPanel/InterWorx/Softaculous& Growing..
    Super Cheap Annually Shared Hosting - Canada/US/UK

  2. #2
    Join Date
    Oct 2004
    Posts
    2,828
    Quote Originally Posted by DewlanceHosting View Post
    Hello,

    I just got a ticket from this IP 92.255.18.219

    Ticket: {php}eval(base64_decode('code..xyz...')phpxyz


    I opened this ticket and did not find anything in it


    Is my WHMCS still secure?
    Edit: In a ticket? Hmmm, might not be anything, but I'd ask WHMCS to make sure.

    Is your templates_c folder behind the public_html folder?

  3. #3
    Join Date
    Jul 2009
    Location
    Kshatriya
    Posts
    2,630
    Quote Originally Posted by Nick H View Post
    Edit: In a ticket? Hmmm, might not be anything, but I'd ask WHMCS to make sure.

    Is your templates_c folder behind the public_html folder?
    yes.


  4. #4
    Join Date
    Jul 2009
    Location
    Kshatriya
    Posts
    2,630
    I decoded his code through a base64 decoder..

    Code:
    $text=file_get_contents("configuration.php");
    REMOVED.....
    eval($text);

    $db=mysql_connect($db_host,$db_username,$db_password) or die("Can't open connection to MySQL");
    mysql_select_db($db_name) or die("Can't select database");
    $delete ="DELETE from tbltickets WHERE title like 0x257B7068707D25;";
    mysql_query($delete);
    $delete2 ="DELETE from tblactivitylog WHERE ipaddr='".$_SERVER['REMOTE_ADDR']."';";
    REMOVED!!!!! so others will not use this...

  5. #5
    Join Date
    Jan 2004
    Location
    Texas
    Posts
    79
    Did you apply the security patch?

    http://blog.whmcs.com/?t=43462

    If so you have nothing to worry about.

  6. #6
    Join Date
    Jul 2009
    Location
    Kshatriya
    Posts
    2,630
    It seems this person tried to get my database details through this method, but I am using WHMCS 4.x ))

  7. #7
    Join Date
    Jan 2004
    Location
    Texas
    Posts
    79
    Quote Originally Posted by DewlanceHosting View Post
    It seems this person tried to get my database details through this method, but I am using WHMCS 4.x ))
    Apply the patch above.

  8. #8
    Join Date
    Jul 2009
    Location
    Kshatriya
    Posts
    2,630
    Quote Originally Posted by Nick H View Post
    Edit: In a ticket? Hmmm, might not be anything, but I'd ask WHMCS to make sure.

    Is your templates_c folder behind the public_html folder?
    Quote Originally Posted by Dawg View Post
    Did you apply the security patch?

    http://blog.whmcs.com/?t=43462

    If so you have nothing to worry about.
    Yes, already applied..

  9. #9
    Join Date
    Jan 2004
    Location
    Texas
    Posts
    79
    Quote Originally Posted by DewlanceHosting View Post
    Yes, already applied..
    then don't worry

  10. #10
    Join Date
    Dec 2011
    Posts
    1

    I have a follow-up enquiry

    Hi guys,

    I am a little concerned in regards to my WHMCS installation, as I have already upgraded to the latest version.

    Although, about an hour ago I received a support ticket with tons of encrypted Base64 code, which I decoded, which led to an output of this:

    $f0p3n = fopen ('templates_c/indexx.php','a');

    <<snipped exploit code yet again>>

    It's more or less the third time in two months I've had this now (even with the most recent upgrade); it's still happening.

    Any thoughts on preventing this from happening?

    Thanks.

    Josh.
    Last edited by bear; 12-09-2011 at 11:59 PM.

  11. #11
    Join Date
    Dec 2010
    Location
    surabaya, indonesia
    Posts
    135
    Quote Originally Posted by DewlanceHosting View Post
    Hello,

    I just got a ticket from this IP 92.255.18.219

    Ticket: {php}eval(base64_decode('code..xyz...')phpxyz


    I opened this ticket and did not find anything in it


    Is my WHMCS still secure?
    Same as me. I got this eval from the same IP.
    Fast Host Online Hosting, Domain, VPS, Dedicated Server
    OpenVZ, Xen, And WIndows VPS
    http://www.fasthostonline.co.id

  12. #12
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,679
    Quote Originally Posted by Joshua95 View Post
    I am a little concerned in regards to my WHMCS installation, as I have already upgraded to the latest version.
    This shows an attempt to hack, which may or may not have succeeded. If you have the recently released security patches installed you are safe.


    Quote Originally Posted by Joshua95 View Post
    Any thoughts in preventing this from happening?
    This could be prevented by a mod_security rule which caught the {php} tag in posts, keep meaning to write one but haven't yet ...

  13. #13
    Join Date
    Mar 2009
    Location
    LAX, DAL, MIA, ATL, ORD
    Posts
    8,963

  14. #14
    Join Date
    Jul 2009
    Location
    Kshatriya
    Posts
    2,630

    Received another 3 new tickets with the subject "eval..base64_decode" and base_64

    - Seems they are trying to get into templates_c files..


    Solution: apply the patch, move all three of your 777-permission folders to /home/user/XYZ..

    - ban ticket subject: {php} and base64..

  15. #15
    Join Date
    Sep 2011
    Location
    UK
    Posts
    161
    It seems to be a plague recently for many billing systems not only WHMCS. I heard it is a problem with smarty not honoring PHP_TAGS status or so. Do you have more reliable news about the reason behind the vulnerability?

  16. #16
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,679
    the reason? not sure what you're asking?

    The vulnerability is the Smarty {php} tag, if that's what you're asking, but that should have been apparent from the above?

  17. #17
    Join Date
    Dec 2010
    Location
    Good question
    Posts
    693
    Got the same from 92.255.18.219

    Who is this retard? :|

  18. #18
    Join Date
    Jul 2009
    Location
    Kshatriya
    Posts
    2,630
    Quote Originally Posted by Wintereise View Post
    Got the same from 92.255.18.219

    Who is this retard? :|
    Proxy IP + used for spamming

    http://www.stopforumspam.com/ipcheck/92.255.18.219

  19. #19
    Join Date
    Sep 2011
    Location
    UK
    Posts
    161
    @brianoz
    Disabling php tag has been one of the security features of smarty templates for years. Weird it created issues just now. I used to believe it was disabled in such serious projects as billing systems but seems like it was not at least in email/ticket parsing code.

  20. #20
    Join Date
    Feb 2003
    Location
    Cumbernauld, Scotland, UK
    Posts
    734
    Quote Originally Posted by DewlanceHosting View Post
    - ban ticket subject: {php} and base64..
    How do you apply that?
    edit : found it
    Last edited by m8internet; 12-09-2011 at 02:20 PM.
    M8 INTERNET : Simple and cost effective website hosting from the UK
    M8 INTERNET : Google Ads Account Management

  21. #21
    Join Date
    Feb 2003
    Location
    Cumbernauld, Scotland, UK
    Posts
    734
    Quote Originally Posted by Wintereise View Post
    Got the same from 92.255.18.219
    Mine came from 176.44.18.52

  22. #22
    The attack is from Turkey. Most people are getting the attack.

  23. #23
    Join Date
    Jul 2010
    Location
    Istanbul
    Posts
    41
    Hi

    Look for b0x.php in your directories. We had the same attack, and that encrypted code writes b0x.php to your directory; it is a file uploader.

    Maybe the attacker changed the filename; just decode the base64 with this tool.
    http://www.opinionatedgeek.com/dotne.../base64decode/

    Also there are fixed files on the WHMCS forums.

  24. #24
    Join Date
    Mar 2009
    Posts
    2,675
    Hi,

    1. I also got the attack some hours ago. It is from 2.90.183.224


    2. My templates_c is not under /public_html,
    and I followed http://forum.whmcs.com/showthread.php?p=206522 to update days ago.

    I used http://www.opinionatedgeek.com/dotne.../base64decode/ to get the code

    $code = base64_decode

    <<snipped exploit code yet again>>

    $fo = fopen("templates_c/red.php","w");
    fwrite($fo,$code);


    but I cannot find the file templates_c/red.php.
    Does it mean the attack was not successful, correct?

    But is there any other way to make sure the attack was not successful?


    thanx
    Last edited by bear; 12-10-2011 at 12:00 AM.

  25. #25
    Join Date
    May 2010
    Location
    Planet Earth
    Posts
    1,588
    Same here. Posted at whmcs forum http://forum.whmcs.com/showthread.php?t=43745 and waiting for any reasonable reply.
    Modelwebhost.com
    [US/UK] Shared Hosting, Reseller Hosting, Master Reseller Hosting
    WHMReseller | Softaculous | WHMCS | Dedicated IP | SSL
    We accept Paypal, 2checkout, Credit Cards, Payza, OKPAY and Bank payments

  26. #26
    Join Date
    Oct 2002
    Location
    Middle Dearth
    Posts
    22,654
    Would you all please stop posting the exploit code? I'm sure there are some folks using this script that have not patched yet, and you're helping spread it. That's irresponsible.
    Having problems, or maybe questions about WHT? Head over to the help desk!

  27. #27
    Join Date
    Apr 2009
    Location
    OnTheWeb
    Posts
    2,021
    Bear, can I post solutions to the problems here? (I will not post the actual script code)
    If you're the smartest person in the room then you're in the wrong room

  28. #28
    Join Date
    Oct 2002
    Location
    Middle Dearth
    Posts
    22,654
    The solution appears to be to apply the patch and possibly block subjects that begin with that tag. If you have a mod_sec rule that defeats this, that should be no problem.
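
The filter several posters propose above (block subjects that start with {php}, ban "base64") written out as an added example; this is not WHMCS code and not from any post in this thread. Instead of banning a word, it unwraps the eval(base64_decode('...')) wrapper one layer at a time (the red.php sample nests a second encoded blob inside the first) and reports what the payload would have done, so the responder knows whether configuration.php was read or a file was dropped into templates_c. It also decodes MySQL hex literals: the 0x257B7068707D25 in the posted snippet is '%{php}%', meaning the payload deletes every ticket whose title contains the tag and every tblactivitylog row from the attacker's own IP, i.e. it cleans up after itself. The sample tickets are constructed; the payload text only repeats indicator lines already quoted in the thread and contains no uploader. The regex and indicator names are my own.

```python
"""Triage a WHMCS support ticket for the Smarty {php} / eval(base64_decode()) pattern
and unwrap the encoded payload so a responder sees what it would have done.

Added example; not WHMCS code and not posted by anyone in the thread. Sample
tickets are constructed; the payload fragments mirror lines already quoted above.
"""
import base64
import binascii
import re
from typing import List, Optional

# Smarty's inline-PHP tag; the WHMCS patch is what stops it executing.
SMARTY_PHP_TAG = re.compile(r"\{php\}", re.IGNORECASE)
# eval(base64_decode('...')): the outer wrapper every reported ticket used.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"][A-Za-z0-9+/=\s]+['\"]\s*\)", re.IGNORECASE
)
# Any quoted blob handed to base64_decode(); attackers nest one layer inside another.
B64_CALL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]", re.IGNORECASE)
# MySQL hex literals (0x...) used to hide string constants from a naive grep.
HEX_LITERAL = re.compile(r"\b0x([0-9A-Fa-f]{2,})\b")

# Behaviours seen in the decoded payloads quoted in this thread (names are mine).
PAYLOAD_INDICATORS = {
    "reads_configuration": re.compile(r"file_get_contents\s*\(\s*['\"]configuration\.php", re.I),
    "writes_webroot_php": re.compile(r"fopen\s*\(\s*['\"](templates_c|images)/[^'\"]+\.php", re.I),
    "deletes_tickets": re.compile(r"DELETE\s+from\s+tbltickets", re.I),
    "deletes_activitylog": re.compile(r"DELETE\s+from\s+tblactivitylog", re.I),
}


def decode_b64_loose(blob: str) -> Optional[str]:
    """Decode base64 tolerating embedded whitespace and missing '=' padding."""
    cleaned = re.sub(r"\s+", "", blob)
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def unwrap_payloads(text: str, depth: int = 3) -> List[str]:
    """Return every blob passed to base64_decode() in text, decoded, recursing into
    each decoded layer; depth bounds the recursion so a hostile blob cannot loop us."""
    found: List[str] = []
    if depth <= 0:
        return found
    for m in B64_CALL.finditer(text):
        decoded = decode_b64_loose(m.group(1))
        if decoded is None:
            continue
        found.append(decoded)
        found.extend(unwrap_payloads(decoded, depth - 1))
    return found


def decode_mysql_hex_literals(sql: str) -> List[str]:
    """Turn 0x... literals back into text; 0x257B7068707D25 is '%{php}%'."""
    out: List[str] = []
    for m in HEX_LITERAL.finditer(sql):
        digits = m.group(1)
        if len(digits) % 2 == 0:
            out.append(bytes.fromhex(digits).decode("latin-1"))
    return out


def inspect_ticket(subject: str, body: str) -> dict:
    """Classify one ticket. 'block' is the decision a ticket-import hook (or the
    equivalent mod_security rule) would take; the rest is for the responder."""
    text = subject + "\n" + body
    payloads = unwrap_payloads(text)
    indicators = set()
    hex_strings: List[str] = []
    for p in payloads:
        indicators.update(name for name, rx in PAYLOAD_INDICATORS.items() if rx.search(p))
        hex_strings.extend(decode_mysql_hex_literals(p))
    smarty = bool(SMARTY_PHP_TAG.search(text))
    evalb64 = bool(EVAL_B64.search(text))
    return {
        "smarty_php_tag": smarty,
        "eval_base64": evalb64,
        "decoded_payloads": payloads,
        "indicators": indicators,
        "sql_hex_literals": hex_strings,
        "block": smarty or evalb64,
    }


# --- constructed samples (not real attacker traffic) ------------------------
_INNER = base64.b64encode(b"echo 'placeholder';").decode()
_PAYLOAD_SRC = (
    '$text=file_get_contents("configuration.php");\n'
    'eval($text);\n'
    'mysql_query("DELETE from tbltickets WHERE title like 0x257B7068707D25;");\n'
    'mysql_query("DELETE from tblactivitylog WHERE ipaddr=\'".$_SERVER[\'REMOTE_ADDR\']."\';");\n'
    f'$code = base64_decode("{_INNER}");\n'
    '$fo = fopen("templates_c/red.php","w"); fwrite($fo,$code);\n'
)
ATTACK_SUBJECT = (
    "{php}eval(base64_decode('" + base64.b64encode(_PAYLOAD_SRC.encode()).decode() + "'));{/php}"
)
# A legitimate ticket that merely mentions base64_decode must not be blocked.
BENIGN_SUBJECT = "Why does base64_decode return false for my string?"
BENIGN_BODY = "I am uploading files with php and the decode step fails."

if __name__ == "__main__":
    for label, subj, body in (("attack", ATTACK_SUBJECT, ""), ("benign", BENIGN_SUBJECT, BENIGN_BODY)):
        r = inspect_ticket(subj, body)
        print(label, "block=%s" % r["block"], sorted(r["indicators"]), r["sql_hex_literals"])
```

Run it on incoming ticket subjects and bodies (mail import as well as the web form) before they are stored; a mod_security rule that matches `{php}` in request arguments does the same job for the web path only. Either is a compensating control: as noted later in this thread, an attacker can get a file onto the server by other routes, so the WHMCS patch is still the fix.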

  29. #29
    Join Date
    Jul 2007
    Location
    Tech Belt
    Posts
    7,802
    Yeah I got the same thing earlier today. These may not be for everyone but look out for files:
    dl
    wh
    xfr
    sss
    ed8
    test
    red

    and here's your culprit site to ban in the firewall: liberdadedigital.com.br

    Pretty much apply the patch, delete the files, ban the site IP, and change all your passwords and you should be alright.

  30. #30
    Join Date
    Apr 2009
    Location
    OnTheWeb
    Posts
    2,021
    Quote Originally Posted by MattS View Post
    Yeah I got the same thing earlier today. These may not be for everyone but look out for files:
    dl
    wh
    xfr
    sss
    ed8
    test
    red

    and here's your culprit site to ban in the firewall: liberdadedigital.com.br

    Pretty much apply the patch, delete the files, ban the site IP, and change all your passwords and you should be alright.
    Isn't dl a standard WHMCS file? What do we have to look for specifically?

  31. #31
    Join Date
    Feb 2003
    Location
    Cumbernauld, Scotland, UK
    Posts
    734
    Quote Originally Posted by cpoalmighty View Post
    Isn't dl a standard WHMCS file?
    What do we have to look for specifically?
    Yes, dl.php is a WHMCS system file
    Look at the date of the files on FTP
    If they have the same date as the support ticket then you know it has been compromised

    As I posted some time ago, the exploit assumes eval is ON
    My solution was to turn eval OFF
    Obviously if you need to use eval in php then you need to apply the patch

    Equally, only my customers can submit support tickets
    As a result this attacker had to register as a new customer first
    Clearly it is a person rather than a bot as they took the time to make sure they put the correct city (to match the IP address from Saudi Arabia) and even answered some of the questions!

  32. #32
    Join Date
    Mar 2009
    Posts
    2,675
    Quote Originally Posted by bear View Post
    The solution appears to be to apply the patch and possibly block subjects that begin with that tag. If you have a mod_sec rule that defeats this, that should be no problem.
    Hi, I use WHM/cPanel and installed WHMCS on it. Can I ask how you use a mod_sec rule to secure it more? thanx

  33. #33
    Join Date
    Apr 2009
    Location
    OnTheWeb
    Posts
    2,021
    Quote Originally Posted by m8internet View Post
    Yes, dl.php is a WHMCS system file
    Look at the date of the files on FTP
    If they have the same date as the support ticket then you know it has been compromised

    As I posted some time ago, the exploit assumes eval is ON
    My solution was to turn eval OFF
    Obviously if you need to use eval in php then you need to apply the patch

    Equally, only my customers can submit support tickets
    As a result this attacker had to register as a new customer first
    Clearly it is a person rather than a bot as they took the time to make sure they put the correct city (to match the IP address from Saudi Arabia) and even answered some of the questions!
    Good detective work

    I'm safe because I just double checked it (that means that the patch is working )

    <<<snipped my content >>>

  34. #34
    This is really a great security issue. Has WHMCS rolled out any patch for it?

    Quote Originally Posted by DewlanceHosting View Post
    I decoded his code through a base64 decoder..

    Code:
    $text=file_get_contents("configuration.php");
    REMOVED.....
    eval($text);

    $db=mysql_connect($db_host,$db_username,$db_password) or die("Can't open connection to MySQL");
    mysql_select_db($db_name) or die("Can't select database");
    $delete ="DELETE from tbltickets WHERE title like 0x257B7068707D25;";
    mysql_query($delete);
    $delete2 ="DELETE from tblactivitylog WHERE ipaddr='".$_SERVER['REMOTE_ADDR']."';";
    REMOVED!!!!! so others will not use this...

  35. #35
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,679
    Quote Originally Posted by msam029 View Post
    This is really a great security issue is WHMCS rolled out any patch for it
    Weeks ago, don't tell me you haven't been paying attention to any of the MANY notices about it - on here, in WHMCS itself, on their site, in their forums ...

  36. #36
    Join Date
    Feb 2007
    Location
    Florida
    Posts
    1,929
    Just wanted to add some more info to this thread. Initial exploit attempts against us were trying to place a file called b0x.php in the following directories:
    Code:
    templates_c
    images
    A quick way to search for the known exploit files:
    Code:
    find / | grep b0x.php
    find / | grep dl.php
    find / | grep wh.php
    find / | grep xfr.php
    find / | grep sss.php
    find / | grep ed8.php
    find / | grep test.php
    find / | grep red.php
    Just a heads up.
    -Joe @ Secure Dragon LLC.
    + OpenVZ Powered by Wyvern | KVM | cPanel Hosting | Backup VPSs | LowEndBoxes | DDOS Protection
    + Florida | Colorado | Illinois | California | Oregon | Georgia | New Jersey | Arizona | Texas
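
The file checks from the last few posts (the names Joe lists, m8internet's "compare the file date with the ticket time", and the point that dl.php is a legitimate WHMCS file so its name alone proves nothing) combined into one triage script, as an added example that is not WHMCS code and not from any poster. It walks a WHMCS root for PHP files that sit in runtime directories where none should be (templates_c, images), for the dropped-file names reported in this thread, and for anything modified within a window of the ticket's timestamp. One caveat the grep list above misses: Smarty 2 writes its compiled templates into templates_c as *.tpl.php, so those are excluded rather than flagged. demo() builds a constructed directory tree in a temp dir so the script runs offline; point triage() at a real install instead.

```python
"""Filesystem triage for a WHMCS install after a {php}-tag ticket.

Added example, not WHMCS code and not from any poster. The sample tree in
build_sample_tree() is constructed for the demo.
"""
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path
from typing import Dict, List

# Dropped-file names reported in this thread. dl.php is deliberately absent: it is
# a real WHMCS file, so for it only the modification time is evidence.
KNOWN_DROPPED = {"b0x.php", "wh.php", "xfr.php", "sss.php", "ed8.php", "test.php", "red.php", "indexx.php"}
# Directories WHMCS writes at runtime; attacker PHP lands here because they are writable.
RUNTIME_DIRS = {"templates_c", "images"}


def is_smarty_compiled(path: Path) -> bool:
    """Smarty 2 stores compiled templates in templates_c as *.tpl.php; those are
    the one kind of PHP file that legitimately lives there."""
    return path.name.endswith(".tpl.php")


def triage(root: Path, ticket_time: datetime, window: timedelta = timedelta(hours=2)) -> Dict[str, List[str]]:
    """Return {relative_posix_path: [reasons]} for every PHP file worth a look."""
    findings: Dict[str, List[str]] = {}
    for path in root.rglob("*.php"):
        rel = path.relative_to(root)
        reasons: List[str] = []
        if rel.parts[0] in RUNTIME_DIRS and not is_smarty_compiled(path):
            reasons.append(f"php file in {rel.parts[0]}/")
        if path.name in KNOWN_DROPPED:
            reasons.append("name matches a dropped file reported in the thread")
        mtime = datetime.fromtimestamp(path.stat().st_mtime)
        if abs(mtime - ticket_time) <= window:
            reasons.append(f"modified {mtime:%Y-%m-%d %H:%M}, within {window} of the ticket")
        if reasons:
            findings[rel.as_posix()] = reasons
    return findings


def build_sample_tree(root: Path, ticket_time: datetime) -> None:
    """Constructed sample install: month-old legitimate files plus two dropped shells
    written three minutes after the ticket arrived."""
    old = (ticket_time - timedelta(days=30)).timestamp()
    fresh = (ticket_time + timedelta(minutes=3)).timestamp()
    sample = {
        "index.php": old,
        "dl.php": old,
        "configuration.php": old,
        "templates_c/%%1F^1F5^1F5A3E5C%%clientareahome.tpl.php": old,  # Smarty compiled template
        "images/logo.png": old,
        "templates_c/b0x.php": fresh,
        "images/red.php": fresh,
    }
    for rel, ts in sample.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("<?php /* constructed sample */ ?>\n" if rel.endswith(".php") else "png")
        os.utime(p, (ts, ts))


def demo() -> Dict[str, List[str]]:
    """Build the sample tree in a temp dir, triage it, and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        ticket_time = datetime(2011, 12, 8, 3, 16)  # timestamp on the first post, used as the ticket time
        build_sample_tree(root, ticket_time)
        return triage(root, ticket_time)


if __name__ == "__main__":
    for rel, why in sorted(demo().items()):
        print(rel, "->", "; ".join(why))
```

A hit on the name or location is a file to remove; a hit on time alone (for example dl.php or configuration.php changed in the window) is a file to diff against a clean copy of the same WHMCS version before deciding. Once a dropped file is confirmed, the database credentials in configuration.php and the admin passwords should be treated as exposed, as MattS says above.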

  37. #37
    Join Date
    May 2009
    Location
    United Kingdom
    Posts
    1,600
    Thanks for the heads up Joe!
    Zomex ~ Templates & services for web hosting resellers since 2009!
    #1 Responsive whmcs templates | WHMCS | Wordpress | HTML5 | Settings area
    █ Hire us for responsive whmcs integration - enhance your website using the new "Six" template!

  38. #38
    The attackers keep trying to exploit our WHMCS, a couple of tickets a week. Unfortunately for them, it was patched from day one of the exploit. I have had to disable them and allow them for clients only.

    - Ashton
    Ashton Allen | FuseWeb Limited
    Premium UK Webhosting
    | Shared Hosting | VPS | Reseller Hosting | VOIP |
    FuseWeb.co.uk Or follow us on Twitter

  39. #39
    Join Date
    Aug 2009
    Location
    LAX, DAL, MIA, ATL!
    Posts
    3,310
    We get about 5 of these tickets a day. Patched it the day the email was received from WHMCS about it. It's most likely going to be an on-going issue (Receiving the emails meaning) for a couple of months until they realize all of the legitimate WHMCS setups have been patched.
    〓〓 QuadraNet ├ CLOUD ├ DEDICATED ├ COLOCATION
    〓〓 Locations: Los Angeles, Dallas, Miami and Atlanta!!
    〓〓 andrew.moore[at]quadranet.com
    〓〓 http://www.QuadraNet.com

  40. #40
    Join Date
    Dec 2004
    Posts
    525
    Quote Originally Posted by almanox View Post
    Disabling php tag has been one of the security features of smarty templates for years. Weird it created issues just now. I used to believe it was disabled in such serious projects as billing systems but seems like it was not at least in email/ticket parsing code.
    I do not think the vulnerability is in the ticket code itself, but elsewhere.

    A patch has been released recently, for an issue that allows any local file on the webserver to be displayed/interpreted as a template file.

    So I assume the ticket facility is merely used as a way to get a file uploaded, that is later executed by using the vulnerability.

    Be aware that there may be other ways for an attacker to get a file uploaded on your system (e.g. through another website hosted on the same webserver).
    So people should not assume they are secure because they disabled their ticket system, or set it to "customers only"
    Make sure you applied the patch instead.


    BTW it seems WHMCS uses {php} in their own templates as well:

    Code:
    $ grep -R "{php}" *
    orderforms/boxes/products.tpl:{php}
    orderforms/boxes/configureproductdomain.tpl:www. <input type="text" name="sld[2]" size="40" value="{$sld}" /> . <input type="text" name="tld[2]" size="7" value="{php}
    So disabling code execution in Smarty might break legitimate functionality.
