Page 2 of 8 FirstFirst 12345 ... LastLast
Results 26 to 50 of 199
  1. #26
    Join Date
    Oct 2002
    Location
    Middle Dearth
    Posts
    21,256
    Would you all please stop posting the exploit code? I'm sure there are some folks using this script that have not patched yet, and you're helping spread it. That's irresponsible.
    Having problems, or maybe questions about WHT? Head over to the help desk!

  2. #27
    Join Date
    Apr 2009
    Location
    OnTheWeb
    Posts
    2,020
    Bear, can I post solutions to the problems here? (I will not post the actual script code)
    If you're the smartest person in the room then you're in the wrong room

  3. #28
    Join Date
    Oct 2002
    Location
    Middle Dearth
    Posts
    21,256
    The solution appears to be to apply the patch and possibly block subjects that begin with that tag. If you have a mod_sec rule that defeats this, that should be no problem.
    Having problems, or maybe questions about WHT? Head over to the help desk!

  4. #29
    Join Date
    Jul 2007
    Location
    Tech Belt
    Posts
    7,794
    Yeah I got the same thing earlier today. These may not be for everyone but look out for files:
    dl
    wh
    xfr
    sss
    ed8
    test
    red

    and here's your culprit site to ban in the firewall: liberdadedigital.com.br

    Pretty much apply the patch, delete the files, ban the site IP, and change all your passwords and you should be alright.

  5. #30
    Join Date
    Apr 2009
    Location
    OnTheWeb
    Posts
    2,020
    Quote Originally Posted by MattS View Post
    Yeah I got the same thing earlier today. These may not be for everyone but look out for files:
    dl
    wh
    xfr
    sss
    ed8
    test
    red

    and here's your culprit site to ban in the firewall: liberdadedigital.com.br

    Pretty much apply the patch, delete the files, ban the site IP, and change all your passwords and you should be alright.
    Isn't dl a standard WHMCS file? What do we have to look for specifically?
    If you're the smartest person in the room then you're in the wrong room

  6. #31
    Join Date
    Feb 2003
    Location
    Cumbernauld, Scotland, UK
    Posts
    734
    Quote Originally Posted by cpoalmighty View Post
    Isn't dl a standard WHMCS file?
    What do we have to look for specifically?
    Yes, dl.php is a WHMCS system file
    Look at the date of the files on FTP
    If they have the same date as the support ticket then you know it has been compromised

    As I posted some time ago, the exploit assumes eval is ON
    My solution was to turn eval OFF
    Obviously if you need to use eval in php then you need to apply the patch

    Equally, only my customers can submit support tickets
    As a result this attacker had to register as a new customer first
    Clearly it is a person rather than a bot as they took the time to make sure they put the correct city (to match the IP address from Saudi Arabia) and even answered some of the questions!
    M8 INTERNET : Simple and cost effective website hosting from the UK
    M8 INTERNET : Google Ads Account Management

  7. #32
    Join Date
    Mar 2009
    Posts
    2,349
    Quote Originally Posted by bear View Post
    The solution appears to be to apply the patch and possibly block subjects that begin with that tag. If you have a mod_sec rule that defeats this, that should be no problem.
    Hi,i use whm/cpanel and install whmcs on it,can i ask how do you use mod_sec rule to secure it more ? thanx

  8. #33
    Join Date
    Apr 2009
    Location
    OnTheWeb
    Posts
    2,020
    Quote Originally Posted by m8internet View Post
    Yes, dl.php is a WHMCS system file
    Look at the date of the files on FTP
    If they have the same date as the support ticket then you know it has been compromised

    As I posted some time ago, the exploit assumes eval is ON
    My solution was to turn eval OFF
    Obviously if you need to use eval in php then you need to apply the patch

    Equally, only my customers can submit support tickets
    As a result this attacker had to register as a new customer first
    Clearly it is a person rather than a bot as they took the time to make sure they put the correct city (to match the IP address from Saudi Arabia) and even answered some of the questions!
    Good detective work

    I'm safe because I just double checked it (that means that the patch is working )

    <<<snipped my content >>>
    If you're the smartest person in the room then you're in the wrong room

  9. #34
    This is really a great security issue is WHMCS rolled out any patch for it

    Quote Originally Posted by DewlanceHosting View Post
    I decode his code through base 64decoder..



    $text=file_get_contents("configuration.php");
    REMOVED.....
    eval($text);

    $db=mysql_connect($db_host,$db_username,$db_password) or die("Can't open connection to MySQL");
    mysql_select_db($db_name) or die("Can't select database");
    $delete ="DELETE from tbltickets WHERE title like 0x257B7068707D25;";
    mysql_query($delete);
    $delete2 ="DELETE from tblactivitylog WHERE ipaddr='".$_SERVER['REMOTE_ADDR']."';";
    REMOVED!!!!! so others will not use this...

  10. #35
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,599
    Quote Originally Posted by msam029 View Post
    This is really a great security issue is WHMCS rolled out any patch for it
    Weeks ago, don't tell me you haven't been paying attention to any of the MANY notices about it - on here, in WHMCS itself, on their site, in their forums ...

  11. #36
    Join Date
    Feb 2007
    Location
    Federal Heights, CO
    Posts
    1,861
    Just wanted to add some more info to this thread. Initial exploit attempts against us were trying to place a file called b0x.php in the following directories:
    Code:
    templates_c
    images
    A quick way to search for the known exploit files:
    Code:
    find / | grep b0x.php
    find / | grep dl.php
    find / | grep wh.php
    find / | grep xfr.php
    find / | grep sss.php
    find / | grep ed8.php
    find / | grep test.php
    find / | grep red.php
    Just a heads up.
    -Joe @ Secure Dragon LLC.
    + OpenVZ Powered by Wyvern | KVM | cPanel Hosting | Backup VPSs | LowEndBoxes | DDOS Protection
    + Florida | Colorado | Illinois | California | Oregon | North Carolina | New Jersey | Arizona | Texas

  12. #37
    Join Date
    May 2009
    Location
    United Kingdom
    Posts
    1,322
    Thanks for the heads up Joe!
    Zomex & Template Genie ~ In business since 2009 and still going strong!
    █ #1 Responsive Web hosting templates | WHMCS | Wordpress | HTML5 | Settings area
    █ A 5 step guide on > how to start a web hosting reseller business

  13. #38
    The attackers keep trying to exploit our WHMCS, a couple of tickets a week. Unfortunately for them it was patched from day one of the exploit. I have had to disable them and allow they for clients only.

    - Ashton
    Ashton Allen | FuseWeb Limited
    Premium UK Webhosting
    | Shared Hosting | VPS | Reseller Hosting | VOIP |
    FuseWeb.co.uk Or follow us on Twitter

  14. #39
    Join Date
    Aug 2009
    Location
    LAX, DAL, MIA
    Posts
    3,309
    We get about 5 of these tickets a day. Patched it the day the email was received from WHMCS about it. It's most likely going to be an on-going issue (Receiving the emails meaning) for a couple of months until they realize all of the legitimate WHMCS setups have been patched.
    〓〓 QuadraNet ├ CLOUD ├ DEDICATED ├ COLOCATION
    〓〓 Locations: Los Angeles, Dallas and Miami!!
    〓〓 andrew.moore[at]quadranet.com
    〓〓 http://www.QuadraNet.com

  15. #40
    Join Date
    Dec 2004
    Posts
    484
    Quote Originally Posted by almanox View Post
    Disabling php tag has been one of the security features of smarty templates for years. Weird it created issues just now. I used to believe it was disabled in such serious projects as billing systems but seems like it was not at least in email/ticket parsing code.
    I do not think the vulnerability is in the ticket code itself, but elsewhere.

    A patch has been released recently, for an issue that allows any local file on the webserver to be displayed/interpreted as template file.

    So I assume the ticket facility is merely used as a way to get a file uploaded, that is later executed by using the vulnerability.

    Be aware that there may be other ways for an attacker to get a file uploaded on your system (e.g. through another website hosted on the same webserver).
    So people should not assume they are secure because they disabled their ticket system, or set it to "customers only"
    Make sure you applied the patch instead.


    BTW it seems WHMCS uses {php} in their own templates as well:

    Code:
    $ grep -R "{php}" *
    orderforms/boxes/products.tpl:{php}
    orderforms/boxes/configureproductdomain.tpl:www. <input type="text" name="sld[2]" size="40" value="{$sld}" /> . <input type="text" name="tld[2]" size="7" value="{php}
    So disabling code execution in smarty, might break legitimate functionality.

  16. #41
    Join Date
    Oct 2009
    Location
    Chicago, Illinois
    Posts
    60
    Alright, this is whats up.

    Most of you have been getting these, and don't know what is happening.

    First of all, run through all of your logs, check IP's of admins logged, and actions executed.

    This exploit was around before the patch was even up, so most people have been compromised before they even patched it.

    Patching this, doesn't mean you are now safe and secure. What I have been seeing mostly is that the hackers have exploited and injected a backdoor page. This page can be ANYWHERE on your website. It is a page that decrypts your admin password, and pretty much anything in your system.

    The solutions:
    EASIEST: Backup your database, and DELETE EVERYTHING from your public_html to make sure you delete the backdoor file that was injected. Then download the newest most stable release of WHMCS, and attach it to your DB. Make sure to change ALL PASSWORDS. That includes admin, sql passwords, sql username passwords, ect.. Also change your database name and username that connects to the database. This will make sure that the backdoors have been deleted and you are now up-to-date with new passwords, and all the patched files. Lastly, if you have regular index.php files on your web server that is not attached to WHMCS, look through those files carefully for any of the possible injected code.


    The second option is just much more painful. This would include looking through every single file in your system and every single folder to find any compromised files.

    Hope this helps.

  17. #42
    Join Date
    Oct 2002
    Location
    Middle Dearth
    Posts
    21,256
    Quote Originally Posted by Maxnet View Post
    A patch has been released recently, for an issue that allows any local file on the webserver to be displayed/interpreted as template file.
    That exploit was patched a while back, this eval exploit is much newer and patched on Dec 1.
    Quote Originally Posted by djeuro View Post
    This exploit was around before the patch was even up, so most people have been compromised before they even patched it.
    Hard to patch before the exploit was found.
    Having problems, or maybe questions about WHT? Head over to the help desk!

  18. #43
    Join Date
    Oct 2009
    Location
    Chicago, Illinois
    Posts
    60
    Quote Originally Posted by bear View Post
    That exploit was patched a while back, this eval exploit is much newer and patched on Dec 1.

    Hard to patch before the exploit was found.
    Well yes it's hard to patch it before exploit is found, that's why I just explained the steps to take now instead of saying people should have found it before the actual patch.

  19. #44
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,599
    Quote Originally Posted by djeuro View Post
    This exploit was around before the patch was even up, so most people have been compromised before they even patched it.
    Thanks for your post.

    Actually it would be extremely helpful if you could be more explicit about what signs of hacking to look for. It should be possible to use "grep -r" to find exploits if we know what to look for, for example, iframes etc.

  20. #45
    Join Date
    Oct 2009
    Location
    Chicago, Illinois
    Posts
    60
    Quote Originally Posted by brianoz View Post
    Thanks for your post.

    Actually it would be extremely helpful if you could be more explicit about what signs of hacking to look for. It should be possible to use "grep -r" to find exploits if we know what to look for, for example, iframes etc.
    I am actually more than willing to share the whole script with you guys since one of my sites were injected with this. The more we can see about it, the more we can patch.

    Contact me over PM.

  21. #46
    Join Date
    Feb 2003
    Location
    Cumbernauld, Scotland, UK
    Posts
    734
    Part of the next issue is users of WHMCS wanting to prevent these one-off Support Tickets
    The exploiter assumes each new client will be closed / deleted, so a new one is created each time
    Now my solution will not suit everyone, and equally WHMCS have removed it
    It is quite restrictive, but so far so good

    If you are experiencing this, then you have a setup that allows a visitor to register as a new client WITHOUT ordering
    They can then submit a new Support Ticket
    Disable the register option in the Settings (as this is on by default)

    When visitors visit the register link they are now met by a Not Allowed message
    You can then go one step further and remove the text and link to register.php
    The disadvantage is that a new customer has to place an order, but why else would a new customer register?
    A visitor can then continue to contact you via the Sales link, as yet noone seems to have reported the exploit through this link
    M8 INTERNET : Simple and cost effective website hosting from the UK
    M8 INTERNET : Google Ads Account Management

  22. #47
    I have patched my WHMCS, hopefully will upgrade to 5.0 soon.

  23. #48
    Join Date
    Oct 2009
    Location
    Chicago, Illinois
    Posts
    60
    Quote Originally Posted by m8internet View Post
    Part of the next issue is users of WHMCS wanting to prevent these one-off Support Tickets
    The exploiter assumes each new client will be closed / deleted, so a new one is created each time
    Now my solution will not suit everyone, and equally WHMCS have removed it
    It is quite restrictive, but so far so good

    If you are experiencing this, then you have a setup that allows a visitor to register as a new client WITHOUT ordering
    They can then submit a new Support Ticket
    Disable the register option in the Settings (as this is on by default)

    When visitors visit the register link they are now met by a Not Allowed message
    You can then go one step further and remove the text and link to register.php
    The disadvantage is that a new customer has to place an order, but why else would a new customer register?
    A visitor can then continue to contact you via the Sales link, as yet noone seems to have reported the exploit through this link
    Actually those were my settings since 2009, yet I was compromised when a user injected me as a guest.

    So yes, that is the exploit around, you can still be compromised even though they submit it as a guest.

  24. #49
    Join Date
    Oct 2009
    Location
    Chicago, Illinois
    Posts
    60
    Quote Originally Posted by blueriverhost View Post
    I have patched my WHMCS, hopefully will upgrade to 5.0 soon.
    Please read my post. Patching doesn't necesarilly mean you're safe.

  25. #50
    Join Date
    Oct 2002
    Location
    Middle Dearth
    Posts
    21,256
    Quote Originally Posted by djeuro View Post
    I am actually more than willing to share the whole script with you guys since one of my sites were injected with this. The more we can see about it, the more we can patch.
    Is it really a good idea to be spreading the exploit code at all? All you do is potentially hand it over to someone that might try it against someone. Might want to rethink this.
    Having problems, or maybe questions about WHT? Head over to the help desk!

Page 2 of 8 FirstFirst 12345 ... LastLast

Similar Threads

  1. Replies: 3
    Last Post: 12-27-2011, 10:32 PM
  2. Replies: 0
    Last Post: 11-12-2010, 08:26 PM
  3. Replies: 3
    Last Post: 10-28-2010, 01:15 PM
  4. Replies: 1
    Last Post: 09-20-2010, 03:40 PM
  5. Replies: 0
    Last Post: 09-12-2010, 02:50 AM

Related Posts from theWHIR.com

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •