  1. #1
    Join Date
    Jun 2010
    Location
    Kandy
    Posts
    1,068

    WHMCS activity log shows SQL Queries being Executed

    Hello,

    Today when I reviewed the WHMCS logs, I found that some logs are showing some SQL queries executed on the admin table.

    Can you please review the attached log screenshot and tell me whether this is a hacking attempt or not?

    I see some new clients have been created with the names mentioned in the attached log, but the accounts were not activated.

  2. #2
    Join Date
    Oct 2003
    Location
    Scotland, UK
    Posts
    2,900
    Yes, it's a hacking attempt. But as long as you added the recent WHT patch, you are fine. And those people will just look silly with silly long names.

    (you should probably delete them and ban their IPs)
    Alasdair

  3. #3
    Join Date
    Jun 2010
    Location
    Kandy
    Posts
    1,068
    Quote Originally Posted by tickedon View Post
    Yes, it's a hacking attempt. But as long as you added the recent WHT patch, you are fine. And those people will just look silly with silly long names.

    (you should probably delete them and ban their IPs)
    Thanks ticko for the answer.
    Yes, I updated to 5.2.8 immediately after that patch was released a few days ago. Glad that no harm was done, it looks like.
    Also blacklisted the IP.


  4. #4
    Join Date
    Jun 2010
    Location
    Kandy
    Posts
    1,068
    I had also installed mod_security, but I do not see any mod_security logs against this domain.

  5. #5
    Join Date
    Nov 2009
    Location
    /etc/my.cnf
    Posts
    10,039
    Quote Originally Posted by kandyjet View Post
    Hello,

    Today when I reviewed the WHMCS logs, I found that some logs are showing some SQL queries executed on the admin table.

    Can you please review the attached log screenshot and tell me whether this is a hacking attempt or not?

    I see some new clients have been created with the names mentioned in the attached log, but the accounts were not activated.
    Disable user registrations via the "register.php" page and also disable the client profile fields; it will help keep you at bay till the storm passes over.
    Ensure your installation is up to date.

  6. #6
    Join Date
    Jun 2010
    Location
    Kandy
    Posts
    1,068
    Quote Originally Posted by kandyjet View Post
    I had also installed mod_security, but I do not see any mod_security logs against this domain.
    Sorry, I just found that I have mod_security enabled for all the cPanel accounts except the root domain (for some reason I had turned it off but forgot to put it back later),
    so mod_security is not to blame.

  7. #7
    Join Date
    Jun 2010
    Location
    Kandy
    Posts
    1,068
    Quote Originally Posted by cd/home View Post
    Disable user registrations via the "register.php" page and also disable the client profile fields; it will help keep you at bay till the storm passes over.
    Ensure your installation is up to date.
    Hi cd/home,

    You mean to edit the register.php, or any option in WHMCS to turn off user registration?

  8. #8
    Join Date
    Nov 2009
    Location
    /etc/my.cnf
    Posts
    10,039
    Quote Originally Posted by kandyjet View Post
    Hi cd/home,

    You mean to edit the register.php, or any option in WHMCS to turn off user registration?
    Yes, turn off user registration:

    Setup > General Settings > Other

    Within that page untick "Allow Client Registration". While you're on the page, lock down the client profile fields; this will prevent them being changed within the client area for the boxes selected. Just select them all for the time being; if any client needs to update his/her details they can just email the sales department. It helps prevent this exploit being tried on you continuously.

    You can go the extra step and completely remove the "register.php" page from your WHMCS installation if you wish to disable it permanently. However, affiliates will need to contact the sales department for manual registration; this way they can actually be correctly verified as genuine.

  9. #9
    Join Date
    Jun 2010
    Location
    Kandy
    Posts
    1,068
    Quote Originally Posted by cd/home View Post
    Yes, turn off user registration:

    Setup > General Settings > Other

    Within that page untick "Allow Client Registration". While you're on the page, lock down the client profile fields; this will prevent them being changed within the client area for the boxes selected. Just select them all for the time being; if any client needs to update his/her details they can just email the sales department. It helps prevent this exploit being tried on you continuously.

    You can go the extra step and completely remove the "register.php" page from your WHMCS installation if you wish to disable it permanently. However, affiliates will need to contact the sales department for manual registration; this way they can actually be correctly verified as genuine.
    Thanks buddy, I just did what you said!
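
Added example, not part of the original thread: a triage pass for the clean-up suggested above (delete the junk client records and ban their IPs), run over an exported client list. The column names (`id`, `firstname`, `lastname`, `companyname`, `ip`), the length threshold, the keyword list and the sample rows are all assumptions made for illustration.

```python
import re
from collections import Counter

# Assumed export columns; adjust to match your own client export.
NAME_FIELDS = ("firstname", "lastname", "companyname")
MAX_NAME_LEN = 40  # assumed threshold for a "silly long" name

SQL_KEYWORD = re.compile(r"\b(select|union|insert|update|delete|from|where)\b", re.I)
SQL_SYNTAX = re.compile(r"[()=;]|--|/\*")

def suspicious_fields(client):
    """Return the name fields that look like SQL rather than a name."""
    hits = []
    for field in NAME_FIELDS:
        value = client.get(field) or ""
        # A keyword alone ("Update Systems Ltd") or punctuation alone
        # ("O'Brien (Jr)") is common in real names; require both, or length.
        looks_like_sql = SQL_KEYWORD.search(value) and SQL_SYNTAX.search(value)
        if looks_like_sql or len(value) > MAX_NAME_LEN:
            hits.append(field)
    return hits

def triage(clients):
    """Return (flagged client ids, Counter of signup IPs behind them)."""
    flagged = [c for c in clients if suspicious_fields(c)]
    return [c["id"] for c in flagged], Counter(c["ip"] for c in flagged)

# Constructed sample records (documentation IP ranges, placeholder table name).
CLIENTS = [
    {"id": 101, "firstname": "Nimal", "lastname": "Perera",
     "companyname": "Update Systems Ltd", "ip": "198.51.100.7"},
    {"id": 102, "firstname": "x",
     "lastname": "(SELECT username FROM admin_table)",
     "companyname": "", "ip": "203.0.113.50"},
    {"id": 103, "firstname": "A" * 60, "lastname": "B",
     "companyname": None, "ip": "203.0.113.50"},
    {"id": 104, "firstname": "Mary", "lastname": "O'Brien (Jr)",
     "companyname": "", "ip": "198.51.100.9"},
]

if __name__ == "__main__":
    ids, ips = triage(CLIENTS)
    print("review and delete:", ids)
    print("candidate IPs to block:", ips.most_common())
```

Treat the output as a review list rather than an automatic delete: check each flagged record by hand before removing it or blocking its IP.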
