  1. #1
    Join Date
    Feb 2013
    Posts
    602

    WHMCS 5.2.8 Critical Bug Fix

    Hello,

    How did you find out if your database was compromised through this bug?

    Is there any way to detect this?
    Mark
    IT / software / infrastructure / security projectist.
    Specializing in datacenter environments and threat mitigation.
    Your success, is our success !

  2. #2
    Join Date
    Jun 2011
    Posts
    2,286
    Another way to check is via the Activity Log. This can be accessed via the admin area by navigating to Utilities > Logs > Activity Log. Again here you're looking for any references that contain the keyword "AES_ENCRYPT". If you see them, then somebody has attempted to use the exploit on your system.
    http://blog.whmcs.com/?t=79527

  3. #3
    Join Date
    Jan 2003
    Location
    SLC
    Posts
    2,058
    Look at your newest users (especially ones with no services)

    Note: if you were running the latest mod security rules from got root you were in no danger
    Lowest Host/Empire Technology LLC
    Offering Quality Shared, Reseller, VPS servers, and Dedicated Servers
    24x7 Tech Support http://empire-hosting.net
    XEN Servers Now http://xenserversnow.com - Budget XEN VPS /

  4. #4
    Join Date
    Mar 2006
    Location
    Servers
    Posts
    1,588
    Search WHMCS activity log for:

    AES_ENCRYPT

    Also install mod_security with latest Atomic rules, they have the rule blocking this WHMCS exploit.
    QHoster.com - Web Hosting with DDoS Protection | Shared & Reseller in Europe/North America
    Linux/Windows RDP VPS 13 Locations : UK, US (5 states), Mexico, Canada, Bulgaria, Lithuania,
    Italy, France, Germany, Netherlands, Switzerland, Russia, Singapore | OpenVPN/PPTP Enabled
    INSTANT | PayPal, Skrill, Payza, Bitcoin, WebMoney, Perfect Money, Ukash, CashU, paysafecard

  5. #5
    Join Date
    Nov 2009
    Location
    /etc/my.cnf
    Posts
    10,039
    Quote: Originally posted by HostingBig
    Look at your newest users (especially ones with no services)

    Note: if you were running the latest mod security rules from got root you were in no danger
    I would believe that is incorrect; the Mod_Security rule only seems to be covering the name fields as per the disclosed POC, not all of them.

  6. #6
    Join Date
    Jan 2003
    Location
    SLC
    Posts
    2,058
    I would believe that is incorrect
    Hacked our own site with the exploit; the only thing accessible was the user info, 403 denied for the SQL injection.

    you would still see the attempt "AES_ENCRYPT" in the WHMCS logs
    Lowest Host/Empire Technology LLC
    Offering Quality Shared, Reseller, VPS servers, and Dedicated Servers
    24x7 Tech Support http://empire-hosting.net
    XEN Servers Now http://xenserversnow.com - Budget XEN VPS /

  7. #7
    Join Date
    Nov 2009
    Location
    /etc/my.cnf
    Posts
    10,039
    Quote: Originally posted by HostingBig
    Hacked our own site with the exploit; the only thing accessible was the user info, 403 denied for the SQL injection.

    you would still see the attempt "AES_ENCRYPT" in the WHMCS logs
    As others have pointed out, and also across other mediums, with a modified POC the mod security rules become useless, based solely on the name profile fields.
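
The two checks suggested in this thread (searching the Activity Log for "AES_ENCRYPT" and reviewing the newest clients with no services), combined as an added example that is not part of any post here and is not WHMCS code. The row layouts, sample data and function names are assumptions; the URL-decoding step is an extra normalization not mentioned in the thread.

```python
import re
from datetime import date
from urllib.parse import unquote_plus

KEYWORD = re.compile(r"aes_encrypt", re.IGNORECASE)

# Constructed sample data, not from a real install. Assumed row layout:
# (log id, date, description, source IP); payload text is elided as "...".
ACTIVITY_LOG = [
    (101, date(2013, 10, 2), "Client Login - User ID: 17", "198.51.100.7"),
    (102, date(2013, 10, 3), "Profile update: First Name 'AES_ENCRYPT(...)'", "203.0.113.9"),
    (103, date(2013, 10, 3), "Profile update: firstname=aes%5Fencrypt%28...%29", "203.0.113.9"),
    (104, date(2013, 10, 4), "Invoice Created - Invoice ID: 55", "127.0.0.1"),
]
# Assumed client rows: (client id, date created); ids that own a service.
CLIENTS = [(17, date(2013, 6, 1)), (40, date(2013, 10, 2)),
           (41, date(2013, 10, 3)), (42, date(2013, 10, 5))]
SERVICE_OWNERS = {17, 42}

def suspicious_entries(rows):
    """Log rows mentioning AES_ENCRYPT in any case, also after URL-decoding."""
    return [r for r in rows if KEYWORD.search(unquote_plus(r[2]))]

def attempts_by_ip(rows):
    """Map source IP -> matching log ids, so repeat sources stand out."""
    grouped = {}
    for log_id, _day, _desc, ip in suspicious_entries(rows):
        grouped.setdefault(ip, []).append(log_id)
    return grouped

def first_attempt(rows):
    """Date of the earliest matching entry, or None if the log is clean."""
    return min((r[1] for r in suspicious_entries(rows)), default=None)

def clients_to_review(clients, service_owners, since):
    """Ids of clients created on/after `since` with no services, newest first."""
    if since is None:
        return []
    hits = [c for c in clients if c[1] >= since and c[0] not in service_owners]
    return [cid for cid, _ in sorted(hits, key=lambda c: c[1], reverse=True)]

if __name__ == "__main__":
    print(attempts_by_ip(ACTIVITY_LOG))
    since = first_attempt(ACTIVITY_LOG)
    print(since, clients_to_review(CLIENTS, SERVICE_OWNERS, since))
```

A match here means an attempt was logged, as post #2 says; the flagged accounts are the ones to inspect by hand.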
