  1. #1
    Join Date
    Feb 2013
    Posts
    657

    WHMCS 5.2.8 Critical Bug Fix

    Hello,

    How did you find out if your database was compromised through this bug?

    Is there any way to detect this?

  2. #2
    Join Date
    Jun 2011
    Location
    USA/UK/SG
    Posts
    3,643
    Another way to check is via the Activity Log. This can be accessed via the admin area by navigating to Utilities > Logs > Activity Log. Again here you're looking for any references that contain the keyword "AES_ENCRYPT". If you see them, then somebody has attempted to use the exploit on your system.
    http://blog.whmcs.com/?t=79527

  3. #3
    Join Date
    Jan 2003
    Location
    SLC
    Posts
    2,278
    Look at your newest users (especially ones with no services)

    Note: if you were running the latest mod security rules from got root, you were in no danger.

  4. #4
    Join Date
    Mar 2006
    Location
    Servers
    Posts
    1,590
    Search WHMCS activity log for:

    AES_ENCRYPT

    Also install mod_security with the latest Atomic rules; they have the rule blocking this WHMCS exploit.

  5. #5
    Join Date
    Nov 2009
    Location
    /etc/my.cnf
    Posts
    10,657
    Originally posted by HostingBig:
    Look at your newest users (especially ones with no services)

    Note: if you were running the latest mod security rules from got root you were in no danger
    I would believe that is incorrect; the Mod_Security rule only seems to be covering the name fields as per the disclosed POC, not all of them.

  6. #6
    Join Date
    Jan 2003
    Location
    SLC
    Posts
    2,278
    I would believe that is incorrect
    Hacked our own site with the exploit: the only thing accessible was the user info, 403 denied for the SQL injection.

    You would still see the attempt "AES_ENCRYPT" in the WHMCS logs.

  7. #7
    Join Date
    Nov 2009
    Location
    /etc/my.cnf
    Posts
    10,657
    Originally posted by HostingBig:
    Hacked our own site
    with the exploit only thing accessible was the user info 403 denied for the sql injection.

    you would still see the attempt "AES_ENCRYPT" in the WHMCS logs
    As others have pointed out, and also across other mediums, with a modified POC the mod security rules become useless, based solely on the name profile fields.
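
Added example, not part of the original thread and not WHMCS code: the two checks suggested in the replies above (activity-log entries containing "AES_ENCRYPT", and recent client accounts with no services) written as queries and run against a constructed in-memory SQLite database. The table and column names, the sample rows and the cut-off date are assumptions; adapt them to your own schema. A hit in the log indicates an attempt, as the quoted blog text says.

```python
import sqlite3

# Constructed stand-in for a WHMCS database. Table and column names are
# assumptions; check them against your own install before use.
SCHEMA = """
CREATE TABLE tblactivitylog (id INTEGER, date TEXT, description TEXT, ipaddr TEXT);
CREATE TABLE tblclients (id INTEGER, email TEXT, datecreated TEXT);
CREATE TABLE tblhosting (id INTEGER, userid INTEGER);
"""

def build_sample_db():
    """In-memory database with constructed rows (not real log data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO tblactivitylog VALUES (?,?,?,?)", [
        (1, "2013-10-02 09:14:00", "Client Login - User ID: 3", "198.51.100.7"),
        (2, "2013-10-03 22:41:10",
         "Profile change: First Name set to AES_ENCRYPT(<redacted>)", "203.0.113.50"),
        (3, "2013-10-03 22:43:55",
         "Profile change: Last Name set to aes_encrypt(<redacted>)", "203.0.113.50"),
    ])
    conn.executemany("INSERT INTO tblclients VALUES (?,?,?)", [
        (3, "old@example.com", "2012-05-01"),
        (12, "new@example.com", "2013-10-03"),
        (13, "buyer@example.com", "2013-10-04"),
    ])
    conn.executemany("INSERT INTO tblhosting VALUES (?,?)", [(1, 3), (2, 13)])
    return conn

def exploit_attempts(conn, keyword="AES_ENCRYPT"):
    """Log rows mentioning the keyword in any case, summarised per source IP."""
    # instr() rather than LIKE: "_" is a single-character wildcard in LIKE.
    return conn.execute(
        "SELECT ipaddr, COUNT(*), MIN(date), MAX(date) FROM tblactivitylog "
        "WHERE instr(upper(description), upper(?)) > 0 "
        "GROUP BY ipaddr ORDER BY COUNT(*) DESC", (keyword,)).fetchall()

def new_clients_without_services(conn, since):
    """Clients created on or after `since` that own no hosting rows."""
    return conn.execute(
        "SELECT c.id, c.email, c.datecreated FROM tblclients c "
        "LEFT JOIN tblhosting h ON h.userid = c.id "
        "WHERE c.datecreated >= ? AND h.id IS NULL "
        "ORDER BY c.datecreated DESC", (since,)).fetchall()

if __name__ == "__main__":
    db = build_sample_db()
    print(exploit_attempts(db))
    print(new_clients_without_services(db, "2013-10-01"))
```

Against a live MySQL database the same two SELECT statements apply with the driver's own placeholder syntax; run them read-only and on a copy if possible.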
