Results 26 to 50 of 199
-
12-10-2011, 12:01 AM #26
Would you all please stop posting the exploit code? I'm sure there are some folks using this script that have not patched yet, and you're helping spread it. That's irresponsible.
-
12-10-2011, 12:08 AM #27 - Actively learning French
Bear, can I post solutions to the problems here? (I will not post the actual script code)
-
12-10-2011, 12:30 AM #28
The solution appears to be to apply the patch and possibly block subjects that begin with that tag. If you have a mod_sec rule that defeats this, that should be no problem.
-
12-10-2011, 01:05 AM #29 - Web Hosting Master
Yeah I got the same thing earlier today. These may not be for everyone but look out for files:
dl
wh
xfr
sss
ed8
test
red
and here's your culprit site to ban in the firewall: liberdadedigital.com.br
Pretty much apply the patch, delete the files, ban the site IP, and change all your passwords and you should be alright.
-
12-10-2011, 05:00 AM #31 - Web Hosting Master
Yes, dl.php is a WHMCS system file
Look at the date of the files on FTP
If they have the same date as the support ticket then you know it has been compromised
As I posted some time ago, the exploit assumes eval is ON
My solution was to turn eval OFF
Obviously if you need to use eval in php then you need to apply the patch
Equally, only my customers can submit support tickets
As a result this attacker had to register as a new customer first
Clearly it is a person rather than a bot as they took the time to make sure they put the correct city (to match the IP address from Saudi Arabia) and even answered some of the questions!
-
12-12-2011, 03:37 AM #36 - Total Nerd
Just wanted to add some more info to this thread. Initial exploit attempts against us were trying to place a file called b0x.php in the following directories:
Code:
templates_c
images
Code:
find / | grep b0x.php
find / | grep dl.php
find / | grep wh.php
find / | grep xfr.php
find / | grep sss.php
find / | grep ed8.php
find / | grep test.php
find / | grep red.php
-Joe @ Secure Dragon LLC.
-
12-12-2011, 03:40 AM #37 - Web Template Master
Thanks for the heads up Joe!
-
12-12-2011, 06:33 AM #38 - Web Hosting Master
The attackers keep trying to exploit our WHMCS, a couple of tickets a week. Unfortunately for them it was patched from day one of the exploit. I have had to disable them and allow them for clients only.
- Ashton
-
12-12-2011, 07:16 AM #39 - Web Hosting Master
We get about 5 of these tickets a day. Patched it the day the email was received from WHMCS about it. It's most likely going to be an on-going issue (Receiving the emails meaning) for a couple of months until they realize all of the legitimate WHMCS setups have been patched.
-
12-12-2011, 08:57 AM #40 - Web Hosting Master
I do not think the vulnerability is in the ticket code itself, but elsewhere.
A patch has been released recently, for an issue that allows any local file on the webserver to be displayed/interpreted as template file.
So I assume the ticket facility is merely used as a way to get a file uploaded, that is later executed by using the vulnerability.
Be aware that there may be other ways for an attacker to get a file uploaded on your system (e.g. through another website hosted on the same webserver).
So people should not assume they are secure because they disabled their ticket system, or set it to "customers only".
Make sure you applied the patch instead.
BTW it seems WHMCS uses {php} in their own templates as well:
Code:
$ grep -R "{php}" *
orderforms/boxes/products.tpl:{php}
orderforms/boxes/configureproductdomain.tpl:www. <input type="text" name="sld[2]" size="40" value="{$sld}" /> . <input type="text" name="tld[2]" size="7" value="{php}
-
12-18-2011, 07:57 PM #41 - Junior Guru Wannabe
Alright, this is what's up.
Most of you have been getting these, and don't know what is happening.
First of all, run through all of your logs, check IP's of admins logged, and actions executed.
This exploit was around before the patch was even up, so most people have been compromised before they even patched it.
Patching this, doesn't mean you are now safe and secure. What I have been seeing mostly is that the hackers have exploited and injected a backdoor page. This page can be ANYWHERE on your website. It is a page that decrypts your admin password, and pretty much anything in your system.
The solutions:
EASIEST: Backup your database, and DELETE EVERYTHING from your public_html to make sure you delete the backdoor file that was injected. Then download the newest most stable release of WHMCS, and attach it to your DB. Make sure to change ALL PASSWORDS. That includes admin, sql passwords, sql username passwords, etc. Also change your database name and username that connects to the database. This will make sure that the backdoors have been deleted and you are now up-to-date with new passwords, and all the patched files. Lastly, if you have regular index.php files on your web server that are not attached to WHMCS, look through those files carefully for any of the possible injected code.
The second option is just much more painful. This would include looking through every single file in your system and every single folder to find any compromised files.
Hope this helps.
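As an added triage helper (example code, not from this thread or from WHMCS), the following Python script applies the checks posters describe: the indicator filenames from #29 and #36, dl.php being a legitimate WHMCS file only in the install root (#31), file dates on or after the suspicious ticket (#31), and {php} tags in .tpl files (#40, where the poster notes WHMCS's own templates use {php}, so that check is a lead rather than proof). The sample install it scans is constructed in a temp directory.

```python
import os
import tempfile
import time

# Indicator basenames named in the thread. dl.php is a real WHMCS file when it
# sits in the install root, so it is only flagged when found elsewhere.
SUSPECT_NAMES = {"b0x.php", "dl.php", "wh.php", "xfr.php", "sss.php",
                 "ed8.php", "test.php", "red.php"}
LEGIT_IN_ROOT = {"dl.php"}


def scan_webroot(root, ticket_time):
    """Return sorted (relative_path, reason) pairs for files worth a closer look.

    ticket_time is the epoch time of the suspicious support ticket; anything
    modified at or after it is flagged so it can be compared with the FTP dates.
    """
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            if name in SUSPECT_NAMES and not (rel_dir == "." and name in LEGIT_IN_ROOT):
                findings.add((rel, "suspect filename"))
            if name.endswith(".tpl"):
                with open(full, "rb") as fh:
                    if b"{php}" in fh.read():   # lead only: stock templates use it too
                        findings.add((rel, "{php} tag in template"))
            if os.path.getmtime(full) >= ticket_time:
                findings.add((rel, "modified after ticket"))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample install (hypothetical files, not real WHMCS content)."""
    root = tempfile.mkdtemp()
    ticket = time.time() - 3600            # ticket arrived an hour ago
    old = ticket - 30 * 86400              # untouched files are a month older
    files = {
        "dl.php": (b"<?php // legitimate WHMCS file\n", old),
        "templates_c/b0x.php": (b"<?php // dropped file\n", ticket + 60),
        "images/wh.php": (b"<?php // dropped file\n", ticket + 120),
        "templates/default/header.tpl": (b"<html>{$companyname}</html>", old),
        "templates/default/dropped.tpl": (b"{php} /* injected */ {/php}", ticket + 30),
    }
    for rel, (body, mtime) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))
    return root, ticket


if __name__ == "__main__":
    sample_root, sample_ticket = build_sample_tree()
    for path, reason in scan_webroot(sample_root, sample_ticket):
        print(f"{reason:24} {path}")
```

Point it at a real install by calling scan_webroot with the document root and the ticket's timestamp; anything it lists still needs a manual look before deletion.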
-
12-20-2011, 06:11 AM #46 - Web Hosting Master
Part of the next issue is users of WHMCS wanting to prevent these one-off Support Tickets
The exploiter assumes each new client will be closed / deleted, so a new one is created each time
Now my solution will not suit everyone, and equally WHMCS have removed it
It is quite restrictive, but so far so good
If you are experiencing this, then you have a setup that allows a visitor to register as a new client WITHOUT ordering
They can then submit a new Support Ticket
Disable the register option in the Settings (as this is on by default)
When visitors visit the register link they are now met by a Not Allowed message
You can then go one step further and remove the text and link to register.php
The disadvantage is that a new customer has to place an order, but why else would a new customer register?
A visitor can then continue to contact you via the Sales link; as yet no one seems to have reported the exploit through this link.
-
12-20-2011, 06:12 AM #47 - Temporarily Suspended
I have patched my WHMCS, hopefully will upgrade to 5.0 soon.