  1. #1
    Join Date
    Nov 2002
    Location
    Portland, Oregon
    Posts
    2,992

    WHMCS Please God Not Again

    WHMCS Internet.bs Domain Syncronisation Report
    Internet.bs Domain Sync Report
    ---------------------------------------------------
    Error connecting to API:
    transactid=9ec06060409c823*****59c8fd31
    status=FAILURE
    message=Invalid API key and/or Password
    code=107002



    There's more.
    And none of them are spelled correctly.
    And this was in just the last few minutes.

    I certainly didn't just turn these on from the clear blue.....

    Already pulled WHMCS. @Steven...? I'll pay, do whatever it takes, just tell me this is somehow a false-pos.

  2. #2
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Check your access logs, and see what's going on there.
    We have not heard/seen anything yet.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  3. #3
    Join Date
    Nov 2002
    Location
    Portland, Oregon
    Posts
    2,992
    I'm on it. I happened to kill the maillog I was watching precisely when these looked to have come through and there is definitely something weird there. Coming through access logs now... More as I have accurate info...

  4. #4
    Join Date
    Dec 2010
    Location
    127.0.0.1
    Posts
    5,732
    I'd be very worried if that happened to me, modules don't just turn themselves on. Keep us updated mate.

  5. #5
    Join Date
    Sep 2010
    Location
    /usr/bin/fail
    Posts
    859
    To increase security I'd suggest deleting the files for any modules you are not actively using. Less attack surface for them to try and exploit.

  6. #6
    Join Date
    Nov 2002
    Location
    Portland, Oregon
    Posts
    2,992
    I've been glued to the syslogs for almost 12 hours straight now, but that's no different than any other day

    Good news is I haven't found anything unusual in the access logs for my WHMCS domain. There have been no modifications to the DB -- the last client that was in there, I know personally, and that was about 45 minutes before I posted this thread -- I did have WHMCS offline for a good half of last night, but it was just for a logfile audit and I didn't make any changes.

    The "blah" news is that something kicked off the cron, so I'm checking that area now. There was no activity (in the logs) indicative of intrusion ... but still .. this was something -- and I've got production down to three publicly accessed areas.

    @Steven, will be PMing shortly after I check out what I did find, and it's not something I see often. Speak soon, going as fast as I can while making sure I don't overlook. More shortly.

  7. #7
    Join Date
    Nov 2002
    Location
    Portland, Oregon
    Posts
    2,992
    After looking around further this doesn't appear to be directly involving WHMCS. I believe that one of the antimalware programs I run alongside CXS received an update which ran and it may be that certain file checks have been changed -- and possibly invoked crons/domainsync.php somehow. I've pulled antimalware from the machine and there's been no suspicious activity in the logs since then. I'll have to consider a different way to confirm this without involving WHMCS or putting anyone at risk.

    During this research I did find a client's WP install included a recent WooCommerce plugin with some questionable source code. Research led me to an XSS vuln in the same version, with a PoC release timestamp of 10/20/13. Breakin' out the backups from last week and

    With that said, I think it might be a good idea to change the name of this thread to "Monitoring WHMCS Activity" or the like. I don't want to be responsible for creating more widespread panic or long threads. I'll continue to watch the logs for abnormalities and report anything unusual, but if there were no hints of anything coming down the line. If anyone has the desire to try and replicate this, I'll share a semi-redacted copy of the logs from this morning as a comparison.


    Don't go and pull your WHMCS's just yet, even if you're as paranoid as I can sometimes be. I'm hoping I jumped the gun -- and that everybody understands that I was only trying to get ahead of anything that might be on its way down to others, and so we could go through our weekly admin folder move routine before much damage was done.

    Still, though, I've worked too hard and slept too little the past two years to let myself become so nervous that my WHMCS is nothing more than a really expensive payment gateway, so I think I'll have to get cracking on a migration strategy more sooner than later.

    As of 12:40pm -- no repeats. Go watch Fox News -- they just got hacked.
    Go there and forget about this thread.....
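The advice in post #2 (go through the access logs) and the finding in post #7 (something invoked crons/domainsync.php) come down to one check: was the cron script, or the admin area, reached over HTTP from somewhere it should not have been? The script below is an added example and is not code from this thread, from WHMCS, or from any poster. It parses Apache/nginx "combined" format lines, flags any request under /crons/ that did not come from the server itself and any request under /admin/ from outside an admin allowlist, and reports lines it cannot parse so nothing slips through unnoticed. The /admin/ prefix, both allowlists and every log line are constructed assumptions for the demo; the only path taken from the thread is crons/domainsync.php.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Apache/nginx "combined" log format (assumed; adjust if WHMCS sits behind a proxy
# that rewrites the client address into X-Forwarded-For instead).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# crons/domainsync.php is the script named in the thread. The /admin/ prefix is an
# assumption (WHMCS's default admin directory; the thread mentions moving it weekly).
CRON_PREFIX = "/crons/"
ADMIN_PREFIX = "/admin/"

# Constructed allowlists: only the box itself should fire cron scripts over HTTP, and
# only known admin addresses should touch the admin area. 203.0.113.0/24 is a
# documentation range used here as a stand-in for "the office".
CRON_ALLOWED = [ip_network("127.0.0.1/32")]
ADMIN_ALLOWED = [ip_network("203.0.113.0/24")]

# Constructed sample log lines (dates and addresses are made up for the demo).
SAMPLE_LOG = [
    '203.0.113.10 - - [21/Oct/2013:09:15:02 -0700] "GET /admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Oct/2013:09:16:44 -0700] "GET /clientarea.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [21/Oct/2013:09:20:01 -0700] "GET /crons/domainsync.php HTTP/1.0" 200 310 "-" "curl/7.29"',
    '198.51.100.7 - - [21/Oct/2013:09:31:17 -0700] "GET /crons/domainsync.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Oct/2013:09:31:40 -0700] "POST /admin/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]


def parse_line(line):
    """Return a dict of the combined-format fields, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def in_any(ip, networks):
    """True if ip falls inside any of the given networks."""
    addr = ip_address(ip)
    return any(addr in net for net in networks)


def find_suspicious(lines):
    """Scan log lines and return (kind, client_ip, path) tuples worth a closer look.

    kinds: cron-from-outside  - a /crons/ script fetched by a non-local client
           admin-from-outside - an /admin/ request from outside the admin allowlist
           unparsed           - a line the regex could not read (never silently drop these)
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparsed", None, line))
            continue
        path = rec["path"].split("?", 1)[0]  # strip query string before matching
        if path.startswith(CRON_PREFIX) and not in_any(rec["ip"], CRON_ALLOWED):
            findings.append(("cron-from-outside", rec["ip"], path))
        elif path.startswith(ADMIN_PREFIX) and not in_any(rec["ip"], ADMIN_ALLOWED):
            findings.append(("admin-from-outside", rec["ip"], path))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in find_suspicious(SAMPLE_LOG):
        print(f"{kind:20s} {ip or '-':16s} {detail}")
```

On real data, feed it the lines of the WHMCS vhost's access log (for example `find_suspicious(open("/var/log/apache2/access.log"))`) and compare the timestamps of any cron-from-outside hits against the minute the domain-sync report mails arrived; a hit from the server's own address at the expected cron minute is the normal case, while one from a client address, or none at all (meaning the script was run from the command line rather than over HTTP), tells you which log to read next.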

  8. #8
    Join Date
    Dec 2010
    Location
    127.0.0.1
    Posts
    5,732
    Better to be safe than sorry mate.
