  1. #1

    [My] WHMCS Compromised

    Hello

    Today I tried to log in to my WHMCS and realised that the login was no longer working, so I logged into my database and found that my username had changed.

    I had already created a support ticket with WHMCS requesting that they carry out a security audit on my site, but so far I have not received any reply, which is why I am posting here for a quick response.

    The administrator username had been changed to 'dzaso'. By doing a simple Google search for 'dzaso whmcs', I was able to find the user 'dzaso' researching 'WHMCS config' hacking.

    I am not sure what to do: should I reset the username via the database and carry out these steps (http://docs.whmcs.com/Further_Security_Steps), or let the security audit by WHMCS take place first before making any changes?

    Would appreciate everyone's help.

    Thanks.

  2. #2
    Join Date: Oct 2004 | Location: Oneida, NY | Posts: 2,842
    Quote Originally Posted by dCode:
    Those should have been done in the first place... So I'd definitely recommend doing that - and then contacting your system administrator to find out how they got in.
    Nick Hudson - Prevail Host LLC - http://www.prevail.host/
    Premium Quality cPanel Hosting Services - CloudLinux, LiteSpeed & SSD
    WHMControl - Secure Your Server Logins & Automate Password Changes

  3. #3
    Quote Originally Posted by Nick H:
    Those should have been done in the first place... So I'd definitely recommend doing that - and then contacting your system administrator to find out how they got in.
    Yes, I am aware of that, but took it too lightly. By 'System Administrator' do you mean WHMCS or my host? I had already contacted my host and they performed a full audit and everything seems to be clear.

    Also, how can I obtain the system logs through FTP?

    Thanks.

  4. #4
    Join Date: May 2010 | Location: Planet Earth | Posts: 1,588
    Quote Originally Posted by dCode:
    Yes, I am aware of that, but took it too lightly. By 'System Administrator' do you mean WHMCS or my host? I had already contacted my host and they performed a full audit and everything seems to be clear.

    Also, how can I obtain the system logs through FTP?

    Thanks.
    It would be better to contact your host so that they can pull the system logs, which will tell how the hacker got access to the DB.
    Modelwebhost.com
    [US/UK] Shared Hosting, Reseller Hosting, Master Reseller Hosting
    WHMReseller | Softaculous | WHMCS | Dedicated IP | SSL
    We accept Paypal, 2checkout, Credit Cards, Payza, OKPAY and Bank payments

  5. #5
    Join Date: Jun 2011 | Posts: 2,286
    What version of WHMCS were you running when you got hacked?

  6. #6
    Join Date: Sep 2005 | Location: San Diego, California | Posts: 865
    It's important to determine the source of the attack so you can take appropriate action to prevent a similar attack in the future.

    Since the attacker gained access to your WHMCS, it's likely the attacker had access to modify files or other entries in your database. I would recommend doing a clean install of WHMCS to remove the possibility of any backdoors lingering around.
    Othio Hosting - Private-Label cPanel Reseller Hosting
    True 24x7 Support | SSD Storage | cPanel+WHM | R1Soft Backups

  7. #7
    Join Date: Apr 2013 | Location: Data center | Posts: 539
    Do you have any backups to roll back to?

  8. #8
    Join Date: Dec 2007 | Location: LocalHost | Posts: 1,303
    After WHMCS is hacked:
    ------------------------
    1) Change all passwords (cPanel / WHMCS admins).

    2) Delete all files except configuration.php

    3) Upload fresh WHMCS files.

    4) Add a new database user to your WHMCS database and delete the old database user. Then update configuration.php with the new database user.

    5) Perform the security steps mentioned here: http://docs.whmcs.com/Further_Security_Steps

    6) Prefer to keep WHMCS on a separate VPS / subdomain like:
    my.domain.com

    7) Do not install any script (WordPress, Joomla etc.) on the WHMCS cPanel account. You should keep only WHMCS on this cPanel account.
    YagHost - Pure SSD Hosting | Since 2007 | Average Response Time: 15 min
    Web Hosting | Reseller Hosting | Managed VPS Hosting
    99.9% Server Uptime Guarantee | 24/7 Rapid Response Tech Support | 30 Day Money Back Guarantee
    LopHost.com - Web Hosting Tutorials
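
    Steps 2 to 4 of the list above, as an added shell example (this is my code, not from the thread or from WHMCS): copy configuration.php aside, wipe the rest of the WHMCS root, unpack the fresh release only after its SHA-256 matches the value you recorded for that release from a trusted source, then generate a new database user and password, rewrite the credentials in configuration.php, and print the SQL that creates the new user and drops the old one. The document root, archive, expected checksum, database and user names are all placeholders passed as arguments; the SQL assumes MySQL with the application user connecting from localhost.

```shell
#!/bin/sh
# Added example (not from the thread or WHMCS): scripted version of steps 2-4.
# All paths, names and the expected checksum are placeholders you pass in;
# nothing runs unless the script is invoked with arguments.
set -eu

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Returns 0 only when FILE hashes to EXPECTED; never unpack anything else.
verify_sha256() {
    actual=$(sha256_of "$1")
    if [ "$actual" != "$2" ]; then
        echo "checksum mismatch for $1: got $actual" >&2
        return 1
    fi
}

# Step 2: copy configuration.php aside (read-only), then delete everything else
# in the WHMCS root, dotfiles included, so no planted PHP survives the reinstall.
wipe_except_config() {
    root=$1; backup=$2
    cp "$root/configuration.php" "$backup/configuration.php.orig"
    chmod 0400 "$backup/configuration.php.orig"
    find "$root" -mindepth 1 -maxdepth 1 ! -name configuration.php -exec rm -rf {} +
}

# Step 3: unpack the fresh release only if its checksum matches; -n never
# overwrites an existing file, so configuration.php is left alone.
install_fresh_files() {
    root=$1; archive=$2; expected=$3
    verify_sha256 "$archive" "$expected"
    unzip -q -n "$archive" -d "$root"
}

# Step 4a: a 24-character alphanumeric password (nothing that needs escaping
# in PHP single quotes, in SQL, or in the sed expression below).
new_db_password() {
    head -c 48 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | cut -c1-24
}

# Step 4b: SQL to create the replacement user and drop the old one (run as MySQL root).
rotation_sql() {
    db=$1; old_user=$2; new_user=$3; new_pass=$4
    cat <<EOF
CREATE USER '$new_user'@'localhost' IDENTIFIED BY '$new_pass';
GRANT ALL PRIVILEGES ON \`$db\`.* TO '$new_user'@'localhost';
DROP USER '$old_user'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# Step 4c: rewrite $db_username / $db_password in configuration.php in place.
# Values must not contain | & \ or ' (the generated password never does).
update_config_credentials() {
    config=$1; new_user=$2; new_pass=$3
    sed -i.bak \
        -e "s|^\(\\\$db_username *= *\)'[^']*';|\1'$new_user';|" \
        -e "s|^\(\\\$db_password *= *\)'[^']*';|\1'$new_pass';|" "$config"
    rm -f "$config.bak"   # the .bak still holds the old password; do not leave it in the web root
}

main() {
    root=$1; archive=$2; expected=$3; db=$4; old_user=$5; new_user=$6
    backup=$(mktemp -d)
    wipe_except_config "$root" "$backup"
    install_fresh_files "$root" "$archive" "$expected"
    pass=$(new_db_password)
    update_config_credentials "$root/configuration.php" "$new_user" "$pass"
    echo "original configuration.php saved to $backup; run this SQL as the MySQL root user:"
    rotation_sql "$db" "$old_user" "$new_user" "$pass"
}

# usage: sh reinstall.sh /var/www/whmcs whmcs.zip <sha256> whmcs_db old_dbuser new_dbuser
if [ "$#" -gt 0 ]; then main "$@"; fi
```

    Run the printed SQL as the MySQL root user straight after the script finishes; the old database credentials stop working at the same moment the copy of them the attacker could have read is replaced. Keep the read-only copy of the original configuration.php for comparison during the investigation and destroy it once the incident is closed.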

  9. #9
    Join Date: Apr 2011 | Location: Melbourne | Posts: 93
    Quote Originally Posted by ravi_9793:
    2) Delete all files except configuration.php
    Be sure to inspect that file, however. It was used in one of the recent exploits to inject untrusted code.
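
    The point of this reply, that the kept configuration.php can itself carry injected code, as an added shell example (my code, not from the thread or from WHMCS): a stock configuration.php should contain nothing but quoted-string assignments to a handful of known keys, so the check below reports every line that is anything else, including a comment that contains a PHP tag, since "// text ?><?php ..." leaves the comment and runs code again. The key list is my own assumption about the standard settings; extend it if your install legitimately defines more, and read any reported line by hand.

```shell
#!/bin/sh
# Added example (not from the thread or WHMCS): report every line of a WHMCS
# configuration.php that is not a plain quoted-string assignment to a known key.
# ALLOWED_KEYS is an assumption about the standard settings; extend it as needed.
set -eu

ALLOWED_KEYS='license|db_host|db_username|db_password|db_name|cc_encryption_hash|templates_compiledir|mysql_charset'

# Prints "file:line: text" for each suspicious line; returns 1 if there were any.
audit_whmcs_config() {
    config=$1
    bad=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            '<?php') continue ;;          # the opening tag
            *[![:space:]]*) ;;            # has content: keep checking
            *) continue ;;                # blank or whitespace only
        esac
        case "$line" in
            '#'*|'//'*)
                # a comment is fine unless it contains a PHP tag, because
                # "// text ?><?php ..." ends the comment and runs code again
                case "$line" in
                    *'?>'*|*'<?'*) ;;
                    *) continue ;;
                esac ;;
        esac
        # $key = 'value';  with a whitelisted key and no quote or backslash in the value
        if printf '%s\n' "$line" | grep -Eq "^[[:space:]]*\\\$($ALLOWED_KEYS)[[:space:]]*=[[:space:]]*('[^'\\\\]*'|\"[^\"\\\\]*\")[[:space:]]*;[[:space:]]*\$"; then
            continue
        fi
        printf '%s:%d: %s\n' "$config" "$n" "$line"
        bad=1
    done < "$config"
    return "$bad"
}

# usage: sh audit_config.sh /var/www/whmcs/configuration.php
if [ "$#" -gt 0 ]; then audit_whmcs_config "$1"; fi
```

    The check is deliberately strict: a value containing a backslash, a second statement after the semicolon, or a bare `?>` is reported even when it turns out to be harmless, because a file this small is cheaper to read than to miss.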

  10. #10
    Join Date: May 2013 | Location: USA | Posts: 928
    Keeping up to date with WHMCS security patches, limiting access to the admin folder based on IP address and implementing a robust set of mod_security rules applied to both the request URL and POST data is your best bet to defend against future intrusions.
    ▄▀▄ Brian Harrison, Lead Engineer - Reprise Hosting (AS62838)
    ▄▀▄ Deals on cheap dedicated server hosting. IPMI included! Unmetered bandwidth.
    ▄▀▄ Website migration, 24/7/365 support, basic server setup, 15 day money back.
    ▄▀▄ Looking for DEALS on self-managed cheap VPS hosting? Visit VPSHostingDEAL.com
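
    The "limit access to the admin folder by IP" part of the advice above, as an added shell example (my code, not from the thread or from WHMCS): it writes an Apache 2.4 .htaccess for the admin directory that allows only the listed source addresses, refuses to write anything if an address is malformed, and offers a check you can run during an audit that fails on a missing rule or a blanket `Require all granted`. It assumes Apache 2.4 `Require` syntax with AllowOverride enabled for that directory; the directory and the addresses are placeholders you pass in.

```shell
#!/bin/sh
# Added example (not from the thread or WHMCS): write and verify an Apache 2.4
# .htaccess that lets only listed source addresses reach the WHMCS admin
# directory. Assumes Apache 2.4 "Require" syntax and AllowOverride enabled
# for that directory; the directory and addresses are placeholders you pass in.
set -eu

# Accept a dotted IPv4 address with an optional /0-32 prefix; anything else is
# rejected so a typo can never widen the rule.
valid_ipv4_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    for octet in $(printf '%s\n' "${1%%/*}" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the .htaccess body: every address listed is allowed, everyone else denied.
admin_htaccess() {
    [ "$#" -gt 0 ] || { echo "refusing to write a rule with no addresses" >&2; return 1; }
    echo '# WHMCS admin: only these source addresses may reach this directory'
    echo '<RequireAny>'
    for cidr in "$@"; do
        valid_ipv4_cidr "$cidr" || { echo "rejecting invalid address: $cidr" >&2; return 1; }
        echo "    Require ip $cidr"
    done
    echo '</RequireAny>'
}

# Write the rule atomically; a bad address leaves any existing .htaccess untouched.
install_admin_htaccess() {
    admin_dir=$1; shift
    if ! admin_htaccess "$@" > "$admin_dir/.htaccess.new"; then
        rm -f "$admin_dir/.htaccess.new"
        return 1
    fi
    mv "$admin_dir/.htaccess.new" "$admin_dir/.htaccess"
    chmod 0644 "$admin_dir/.htaccess"
}

# Audit check: 0 only if the directory has an IP restriction and no blanket grant.
admin_is_restricted() {
    f="$1/.htaccess"
    [ -f "$f" ] || return 1
    grep -Eq '^[[:space:]]*Require ip ' "$f" || return 1
    ! grep -Eq '^[[:space:]]*Require all granted' "$f"
}

# usage: sh admin_ip_lock.sh /var/www/whmcs/admin 203.0.113.10 198.51.100.0/24
if [ "$#" -gt 1 ]; then install_admin_htaccess "$@" && admin_is_restricted "$1"; fi
```

    This protects only the admin path at the web server, so it complements rather than replaces the in-application IP restriction and the mod_security rules the post mentions; on a host still running Apache 2.2 the equivalent directives are `Order deny,allow`, `Deny from all` and one `Allow from` line per address.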

  11. #11
    Join Date: Dec 2012 | Location: .ssh | Posts: 976
    If you're on a shared host and not an isolated server or VPS, then it is most likely a shell script or a compromise of the main node.

    Give us more info, but if it is a shared hosting server, lesson learnt.

  12. #12
    Join Date: May 2010 | Location: Planet Earth | Posts: 1,588
    Quote Originally Posted by BrianHarrison:
    Keeping up to date with WHMCS security patches, limiting access to the admin folder based on IP address and implementing a robust set of mod_security rules applied to both the request URL and POST data is your best bet to defend against future intrusions.
    And WHT is your best friend. Whenever a patch or maintenance release is issued, a thread is created within a few minutes. So keep an eye on the Hosting Software and Control Panels forum too.
    Modelwebhost.com
    [US/UK] Shared Hosting, Reseller Hosting, Master Reseller Hosting
    WHMReseller | Softaculous | WHMCS | Dedicated IP | SSL
    We accept Paypal, 2checkout, Credit Cards, Payza, OKPAY and Bank payments

  13. #13
    In addition to the above suggestions, if your WHMCS installation is hosted on a shared hosting server, make sure that the shared hosting server is also secure.
    || Web Hosting Blog - Web Hosting security & latest web hosting industry Announcements
    || Web Hosting Discussion - A Web Hosting community

  14. #14
    Quote Originally Posted by ravi_9793:
    After WHMCS is hacked:
    ------------------------
    1) Change all passwords (cPanel / WHMCS admins).

    2) Delete all files except configuration.php

    3) Upload fresh WHMCS files.

    4) Add a new database user to your WHMCS database and delete the old database user. Then update configuration.php with the new database user.

    5) Perform the security steps mentioned here: http://docs.whmcs.com/Further_Security_Steps

    6) Prefer to keep WHMCS on a separate VPS / subdomain like:
    my.domain.com

    7) Do not install any script (WordPress, Joomla etc.) on the WHMCS cPanel account. You should keep only WHMCS on this cPanel account.
    +1 very good advice.

    Quote Originally Posted by Kailash12:
    In addition to the above suggestions, if your WHMCS installation is hosted on a shared hosting server, make sure that the shared hosting server is also secure.
    Best to host it on VPS.

  15. #15
    Join Date: Jan 2011 | Posts: 290
    I thought WHMCS released the patch which fixed all those hacking issues, but it is still compromised?
    Failure is success if we learn from it.

  16. #16
    Join Date: Jun 2011 | Posts: 2,286
    I think one of the prime problems here is that, because so many fixes/patches have come out, it can be hard (for those with lots of custom edits specifically) to replace all the patched files correctly.

    We have hundreds of custom edits for both the client area and the admin area, and it's certainly becoming a pain, to say the least.

    Quote Originally Posted by digitallog:
    I thought WHMCS released the patch which fixed all those hacking issues, but it is still compromised?

  17. #17
    Join Date: Oct 2002 | Location: State of Disbelief | Posts: 22,950
    Quote Originally Posted by digitallog:
    I thought WHMCS released the patch which fixed all those hacking issues, but it is still compromised?
    The patches fix the known issues. There could always be something not made public, or this could be a result of an old installation or the server it's on and so on.
    Quote Originally Posted by Ethernet Servers:
    I think one of the prime problems here is that, because so many fixes/patches have come out, it can be hard (for those with lots of custom edits specifically) to replace all the patched files correctly.
    Most of the patches are to the encoded files, not the templates. Unless you're referring to changes affecting modules you've developed or something of that nature, I don't see what the problem is. Can you explain?
    Having problems, or maybe questions about WHT? Head over to the help desk!

  18. #18
    Join Date: Apr 2011 | Location: Core Files | Posts: 7,790
    Quote Originally Posted by ravi_9793:
    After WHMCS is hacked:
    ------------------------
    1) Change all passwords (cPanel / WHMCS admins).

    2) Delete all files except configuration.php

    3) Upload fresh WHMCS files.

    4) Add a new database user to your WHMCS database and delete the old database user. Then update configuration.php with the new database user.

    5) Perform the security steps mentioned here: http://docs.whmcs.com/Further_Security_Steps

    6) Prefer to keep WHMCS on a separate VPS / subdomain like:
    my.domain.com

    7) Do not install any script (WordPress, Joomla etc.) on the WHMCS cPanel account. You should keep only WHMCS on this cPanel account.

    Also, for when you do re-install WHMCS:

    8) Delete payment modules that are not needed. If you only use one or two modules, like PayPal, delete the rest of them.

    9) If you have the knowledge, only access WHMCS through a secured VPN limited to only that IP address (as listed under WHMCS - Restrict Access by IP). Very important step.

    10) This also connects with #9: SSL for the VPN and WHMCS.

    Be paranoid about security at all times. Once you're lazy, the chances of an issue increase.

    *****Also take a look at your host and how they treat security. There is no point going through all these steps if your host is a playground for hackers.*****
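
    Step 8 above, as an added shell example (my code, not from the thread or from WHMCS): list the installed payment gateway modules, then remove every one that is not on an explicit keep list, with a dry-run mode that only reports and a refusal to run with an empty keep list. It assumes the WHMCS 5.x layout as I know it, modules/gateways/<name>.php plus an optional modules/gateways/callback/<name>.php; confirm that against your own install before running it for real.

```shell
#!/bin/sh
# Added example (not from the thread or WHMCS): delete every payment gateway
# module except the ones on your keep list (step 8 above). Assumes the WHMCS 5.x
# layout modules/gateways/<name>.php plus an optional
# modules/gateways/callback/<name>.php; check yours before running without a dry run.
set -eu

# Print the installed gateway names, one per line (file name without .php).
list_gateways() {
    for f in "$1"/modules/gateways/*.php; do
        [ -f "$f" ] || continue
        b=${f##*/}
        echo "${b%.php}"
    done
}

# prune_gateways ROOT yes|no KEEP... : "yes" only reports, "no" actually deletes.
prune_gateways() {
    root=$1; dry=$2; shift 2
    if [ "$#" -eq 0 ]; then
        echo "refusing to run with an empty keep list (it would remove every gateway)" >&2
        return 1
    fi
    for g in $(list_gateways "$root"); do
        keep=no
        for k in "$@"; do
            if [ "$g" = "$k" ]; then keep=yes; fi
        done
        if [ "$keep" = yes ]; then continue; fi
        for path in "$root/modules/gateways/$g.php" "$root/modules/gateways/callback/$g.php"; do
            if [ ! -e "$path" ]; then continue; fi
            if [ "$dry" = yes ]; then
                echo "would remove $path"
            else
                echo "removing $path"
                rm -f "$path"
            fi
        done
    done
}

# usage: sh prune_gateways.sh /var/www/whmcs yes paypal   (dry run; pass "no" to delete)
if [ "$#" -gt 2 ]; then prune_gateways "$@"; fi
```

    Run it with `yes` first and compare the report against the gateways that are actually active in your WHMCS before passing `no`; a gateway that is active but missing from the keep list would break checkout for those customers.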

  19. #19
    Join Date: Dec 2007 | Location: LocalHost | Posts: 1,303
    Quote Originally Posted by 48-14:
    Also, for when you do re-install WHMCS:

    8) Delete payment modules that are not needed. If you only use one or two modules, like PayPal, delete the rest of them.

    9) If you have the knowledge, only access WHMCS through a secured VPN limited to only that IP address (as listed under WHMCS - Restrict Access by IP). Very important step.

    10) This also connects with #9: SSL for the VPN and WHMCS.

    Be paranoid about security at all times. Once you're lazy, the chances of an issue increase.

    *****Also take a look at your host and how they treat security. There is no point going through all these steps if your host is a playground for hackers.*****
    Wow, those are good additional and very handy tips.
    YagHost - Pure SSD Hosting | Since 2007 | Average Response Time: 15 min
    Web Hosting | Reseller Hosting | Managed VPS Hosting
    99.9% Server Uptime Guarantee | 24/7 Rapid Response Tech Support | 30 Day Money Back Guarantee
    LopHost.com - Web Hosting Tutorials
