Thread: WHMCS Please God Not Again
11-05-2013, 12:43 PM #1 Mostly Retired! (joined Nov 2002; Portland, Oregon; 2,992 posts)
WHMCS Internet.bs Domain Synchronisation Report
Internet.bs Domain Sync Report
---------------------------------------------------
Error connecting to API:
transactid=9ec06060409c823*****59c8fd31
status=FAILURE
message=Invalid API key and/or Password
code=107002
There's more.
And none of them are spelled correctly.
And this was in just the last few minutes.
I certainly didn't just turn these on from the clear blue.....
Already pulled WHMCS. @Steven...? I'll pay, do whatever it takes, just tell me this is somehow a false-pos.
11-05-2013, 12:45 PM #2 Problem Solver (joined Mar 2003; California USA; 13,681 posts)
Check your access logs, and see what's going on there.
We have not heard/seen anything yet.

Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
11-05-2013, 12:47 PM #3 Mostly Retired! (joined Nov 2002; Portland, Oregon; 2,992 posts)
I'm on it. I happened to kill the maillog I was watching precisely when these looked to have come through and there is definitely something weird there. Coming through access logs now... More as I have accurate info...
11-05-2013, 12:52 PM #4 Disabled (joined Dec 2010; 127.0.0.1; 5,732 posts)
I'd be very worried if that happened to me, modules don't just turn themselves on. Keep us updated mate.
11-05-2013, 01:08 PM #5 Web Hosting Master (joined Sep 2010; /usr/bin/fail; 859 posts)
To increase security I'd suggest deleting the files for any modules you are not actively using. Less attack surface for them to try and exploit.
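The suggestion above is easy to do badly by hand (delete the wrong directory, or miss one). Below is an added example, not WHMCS code and not from any poster in this thread, that enumerates the registrar and addon module directories on disk, reports the ones not in the operator-supplied enabled set, and moves them out of the web root rather than deleting them so the change is reversible. It assumes the standard WHMCS layout `modules/registrars/<name>/` and `modules/addons/<name>/`; the demo tree and the module names other than `internetbs` are constructed for the example.

```python
"""Find WHMCS registrar and addon modules on disk that are not enabled.

Added example, not WHMCS's own code. Assumes the standard layout
modules/registrars/<name>/ and modules/addons/<name>/ under the WHMCS
root. The set of enabled module names is supplied by the operator (what
shows as active under Setup in the WHMCS admin area). The demo tree
built by build_demo_tree() is constructed for this example.
"""
import os
import shutil
import tempfile

MODULE_DIRS = ("modules/registrars", "modules/addons")   # assumed layout


def installed_modules(root):
    """Map each module directory to the sorted module names present on disk."""
    found = {}
    for rel in MODULE_DIRS:
        base = os.path.join(root, rel)
        if os.path.isdir(base):
            names = sorted(d for d in os.listdir(base)
                           if os.path.isdir(os.path.join(base, d)))
        else:
            names = []
        found[rel] = names
    return found


def unused_modules(root, enabled):
    """Relative paths of module directories whose name is not in `enabled`."""
    return [f"{rel}/{name}"
            for rel, names in installed_modules(root).items()
            for name in names if name not in enabled]


def quarantine(root, enabled, dest, dry_run=True):
    """Move unused modules to `dest` (outside the web root) instead of
    deleting them, so a mistake is reversible and the files stay available
    for review. Returns the list of moved (or, in dry-run, would-be-moved)
    relative paths."""
    moved = []
    for rel in unused_modules(root, enabled):
        src = os.path.join(root, rel)
        dst = os.path.join(dest, rel)
        if not dry_run:
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.move(src, dst)
        moved.append(rel)
    return moved


def build_demo_tree():
    """Constructed WHMCS-like tree for demonstration; returns its root."""
    root = tempfile.mkdtemp(prefix="whmcs-demo-")
    demo = {"modules/registrars": ("internetbs", "enom", "resellerclub"),
            "modules/addons": ("project_management", "staff_noticeboard")}
    for rel, names in demo.items():
        for name in names:
            os.makedirs(os.path.join(root, rel, name))
            with open(os.path.join(root, rel, name, name + ".php"), "w") as fh:
                fh.write("<?php // constructed stub\n")
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    enabled = {"internetbs", "project_management"}      # operator-supplied
    for rel in quarantine(root, enabled, root + "-quarantine", dry_run=True):
        print("would move", rel)
```

Run it with `dry_run=True` first and compare the list against what the admin area says is enabled; only then run it again with `dry_run=False` and a `dest` outside the document root. Gateway modules are single PHP files rather than directories and are not covered by this script.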
11-05-2013, 01:37 PM #6 Mostly Retired! (joined Nov 2002; Portland, Oregon; 2,992 posts)
I've been glued to the syslogs for almost 12 hours straight now, but that's no different than any other day
Good news is I haven't found anything unusual in the access logs for my WHMCS domain. There have been no modifications to the DB -- the last client that was in there, I know personally, and that was about 45 minutes before I posted this thread -- I did have WHMCS offline for a good half of last night, but it was just for a logfile audit and I didn't make any changes.
The "blah" news is that something kicked off the cron, so I'm checking that area now. There was no activity (in the logs) indicative of intrusion ... but still .. this was something -- and I've got production down to three publicly accessed areas.
@Steven, will be PMing shortly after I check out what I did find, and it's not something I see often. Speak soon, going as fast as I can while making sure I don't overlook. More shortly.
11-05-2013, 04:42 PM #7 Mostly Retired! (joined Nov 2002; Portland, Oregon; 2,992 posts)
After looking around further this doesn't appear to be directly involving WHMCS. I believe that one of the antimalware programs I run alongside CXS received an update which ran and it may be that certain file checks have been changed -- and possibly invoked crons/domainsync.php somehow. I've pulled antimalware from the machine and there's been no suspicious activity in the logs since then. I'll have to consider a different way to confirm this without involving WHMCS or putting anyone at risk.
During this research I did find a client's WP install included a recent WooCommerce plugin with some questionable source code. Research led me to an XSS vuln in the same version, with a PoC release timestamp of 10/20/13. Breakin' out the backups from last week and
With that said, I think it might be a good idea to change the name of this thread to "Monitoring WHMCS Activity" or the like. I don't want to be responsible for creating more widespread panic or long threads. I'll continue to watch the logs for abnormalities and report anything unusual, but if there were no hints of anything coming down the line. If anyone has the desire to try and replicate this, I'll share a semi-redacted copy of the logs from this morning as a comparison.
Don't go and pull your WHMCS's just yet, even if you're as paranoid as I can sometimes be. I'm hoping I jumped the gun -- and that everybody understands that I was only trying to get ahead of anything that might be on its way down to others, and so we could go through our weekly admin folder move routine before much damage was done.
Still, though, I've worked too hard and slept too little the past two years to let myself become so nervous that my WHMCS is nothing more than a really expensive payment gateway, so I think I'll have to get cracking on a migration strategy sooner rather than later.
As of 12:40pm -- no repeats. Go watch Fox News -- they just got hacked.
Go there and forget about this thread.....
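The question the thread never quite closes (posts #2 and #7) is what launched `crons/domainsync.php` at that moment: the scheduler, or an HTTP request to the script. The following is an added example, not code from WHMCS or from any poster, that answers it from the logs. It assumes a WHMCS install at `/home/whmcs/public_html` with the cron scripts in `crons/`, Apache combined-format access logs and syslog-style cron logs; every log line and timestamp below is constructed for the example. A scheduler run shortly before the report was mailed is the expected cause; a direct web hit on the cron script inside the same window is the thing that needs an owner.

```python
"""Triage what fired a WHMCS cron script: the scheduler or a web request?

Added example, not code from WHMCS or from the thread. Assumptions (not
from the thread): WHMCS lives in /home/whmcs/public_html with its cron
scripts in crons/, the web server writes Apache combined-format access
logs, and cron logs through syslog. All sample log lines are constructed.
"""
import re
from datetime import datetime, timedelta

# Apache combined log format.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Syslog line written by cron when it starts a job.
CRON_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ CROND?\[\d+\]: '
    r'\((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)$'
)

CRON_DIR = "/home/whmcs/public_html/crons/"   # assumed install path
LOG_YEAR = 2013                               # syslog timestamps carry no year

# Constructed sample logs: one scheduler run, one direct web hit on the cron
# script from an outside address, and unrelated noise around them.
ACCESS_LOG = """\
198.51.100.9 - - [05/Nov/2013:12:28:10 -0800] "GET /clientarea.php HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Nov/2013:12:31:02 -0800] "GET /crons/domainsync.php HTTP/1.1" 200 512 "-" "curl/7.29.0"
198.51.100.9 - - [05/Nov/2013:12:33:41 -0800] "GET /admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
CRON_LOG = """\
Nov  5 12:30:01 host CROND[4182]: (whmcs) CMD (php -q /home/whmcs/public_html/crons/domainsync.php)
Nov  5 12:35:01 host CROND[4201]: (root) CMD (/usr/sbin/cxs --quiet)
"""


def _access_time(ts):
    """'05/Nov/2013:12:31:02 -0800' -> naive local datetime (zone dropped)."""
    return datetime.strptime(ts.split()[0], "%d/%b/%Y:%H:%M:%S")


def _cron_time(ts, year=LOG_YEAR):
    """'Nov  5 12:30:01' -> datetime, supplying the year syslog omits."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def find_triggers(access_log, cron_log, script="domainsync.php"):
    """Every event that could have launched `script`, tagged by source."""
    events = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group("path").split("?")[0].endswith("/crons/" + script):
            events.append({"source": "web", "time": _access_time(m.group("ts")),
                           "who": m.group("ip"),
                           "detail": f'{m.group("method")} {m.group("path")} '
                                     f'{m.group("status")} {m.group("ua")}'})
    for line in cron_log.splitlines():
        m = CRON_RE.match(line)
        if m and CRON_DIR + script in m.group("cmd"):
            events.append({"source": "cron", "time": _cron_time(m.group("ts")),
                           "who": m.group("user"), "detail": m.group("cmd")})
    return sorted(events, key=lambda e: e["time"])


def explain(report_time, triggers, window=timedelta(minutes=10)):
    """Split triggers inside `window` before the sync report was mailed into
    the expected scheduler run and unexplained web hits on the cron script.
    `report_time` may be a datetime or an access-log style timestamp."""
    if isinstance(report_time, str):
        report_time = _access_time(report_time)
    lo = report_time - window
    hits = [t for t in triggers if lo <= t["time"] <= report_time]
    return {"expected": [t for t in hits if t["source"] == "cron"],
            "unexplained": [t for t in hits if t["source"] == "web"]}


if __name__ == "__main__":
    # Constructed: time the sync report e-mail appeared in the maillog.
    verdict = explain("05/Nov/2013:12:36:00 -0800", find_triggers(ACCESS_LOG, CRON_LOG))
    for label, items in verdict.items():
        for t in items:
            print(f"{label:11} {t['time']:%H:%M:%S} {t['source']:4} "
                  f"{t['who']:14} {t['detail']}")
```

On a real box, feed it the access log for the WHMCS vhost and `/var/log/cron` (or the journal), and take the report time from the maillog entry for the sync e-mail. An unexplained web hit means the `crons/` directory is reachable over HTTP, which is worth fixing regardless of who sent the request.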
11-05-2013, 04:53 PM #8 Disabled (joined Dec 2010; 127.0.0.1; 5,732 posts)
Better to be safe than sorry mate.