New on LowEndTalk? Please Register and read our Community Rules.
Comments
No, it has a LOT of background running checks
I'm wondering.
WHMCS is a UK company, why are they storing their data in the US? UK Data Protection act requires data to be in the EU unless for a strong reason.
Oh ok
whcms just redirected me to some groupon deal and now looks like a domain parking page o_0
Their database may be on a UK server. (As in remote mysql)
It's WHMCS
I doubt that, it would majorly slow it down.
http://www.forbes.com/sites/ciocentral/2012/01/02/can-european-firms-legally-use-u-s-clouds-to-store-data/
Rofl, up until now I always thought it was whcms (as for webhosting cms). Thanks for the info
Site's back up now. Client area is still down (SSL error).
@Daniel
The problem with the UK Data Protection Act is that if you are only using the data for your own billing records and marketing your own products directly to your own customers along with staff records then you do not even need to register with the ITO nor are you bound by the regulations.
So as long as it is a UK company they can store the data wherever they like as they are not bound by the regulations you are referring to, obviously if they were to sell then that would cause an issue.
Not saying it is good practice but it is legal.
Anyway, Inception Hosting WHMCS offline until further info available.
UK has own set of rules.
Doesn't the Safe Harbor agreement still apply in the uk for EU-US data?
LOL, I never realized music was playing in the background
Looking at http://www.webhostingtalk.com/showpost.php?p=8138038&postcount=88, the rest of the thread, and the situation as a whole...
I come to the following conclusions:
* WHMCS stores admin passwords as UNSALTED MD5 in their database.
* The attacker(s) still had access to the e-mail address of a WHMCS employee that initially allowed for the 'hack', AFTER the compromise was already known - in other words, no effective steps were taken to lock out the attacker.
* The WHMCS.com domain does not make a mention of the compromise, and claims to be 'under maintenance'.
* Judging from the thread, WHMCS users that sent support tickets on the WHMCS site containing login details were NOT urged to change these after the issue was resolved.
* It is apparently possible to take down a WHMCS install by forcing a remote validation check WITHOUT being logged in as an administrator on said WHMCS setup.
* Sensitive customer data was stored at HostGator, a company that is KNOWN to be prone to social engineering.
* Claims were made about 'McAfee Secure', despite it being fairly common knowledge that doesn't mean jackshit in a situation like this, and it doesn't really consist of more than passing an automated scan.
* The database has clearly been downloaded and not a word from WHMCS about this on WHT (http://i.imgur.com/aezT8.png).
* There is apparently no distributed/redundant license validation server in place, meaning every single WHMCS setup can be invalidated by taking down one server and forcing remote checks.
If I were a host using WHMCS, at this point I would probably be exporting my customer database, rm'ing WHMCS, canceling my license, and hiring someone to write a billing panel - or hell, even look for an existing panel that DOES have some proper security in place.
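The first point in the list above (admin passwords stored as unsalted MD5) is the one with the clearest technical fix, so here is an added example, written for this page and not code from the thread or from WHMCS, showing why a deterministic unsalted digest is weak and what a per-user salt plus an iterated hash (PBKDF2-HMAC-SHA256 from the standard library) changes. Every password, username and table entry is constructed for the demo.

```python
"""Added example (not from the thread or WHMCS): unsalted MD5 versus a
salted, iterated password hash. All sample data below is constructed."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional


def md5_unsalted(password: str) -> str:
    # The scheme criticised in the thread: one fixed digest per password,
    # identical for every user and every installation.
    return hashlib.md5(password.encode()).hexdigest()


def lookup_table(candidates: Iterable[str]) -> Dict[str, str]:
    # digest -> password. Without a salt this table is built once and
    # works against every leaked database that used the same scheme.
    return {md5_unsalted(p): p for p in candidates}


def recover_unsalted(digest: str, table: Dict[str, str]) -> Optional[str]:
    # A single dictionary lookup; no per-record work at all.
    return table.get(digest)


def pbkdf2_store(password: str, iterations: int = 200_000) -> str:
    # Random 16-byte salt per record, iterated HMAC-SHA256, self-describing
    # storage string so the parameters can be raised later.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison so the check does not leak digest prefixes.
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo() -> Dict[str, object]:
    # Constructed admin table: two admins share a weak password.
    admins = {"alice": "admin123", "bob": "admin123", "carol": "Tr0ub4dor&3"}
    unsalted = {u: md5_unsalted(p) for u, p in admins.items()}
    table = lookup_table(["password", "admin123", "letmein", "123456"])
    recovered = {u: recover_unsalted(d, table) for u, d in unsalted.items()}
    salted = {u: pbkdf2_store(p) for u, p in admins.items()}
    return {
        # same password -> same unsalted digest, visible without any cracking
        "same_password_same_hash": unsalted["alice"] == unsalted["bob"],
        # alice and bob fall to the table; carol's password was not in it
        "recovered": recovered,
        # with a random salt the two equal passwords store differently
        "same_password_different_store": salted["alice"] != salted["bob"],
        "verify_ok": pbkdf2_verify("admin123", salted["alice"]),
        "verify_wrong": pbkdf2_verify("admin124", salted["alice"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point for a defender reading the thread: with unsalted MD5 the leaked database itself tells you which admins share a password, and a precomputed table reverses common ones instantly; a per-record salt forces per-record work and the iteration count makes each guess expensive. The mail-log issue mentioned a few posts later is separate, since no hashing helps if the plaintext is written elsewhere.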
WHMCS also by default stores passwords unhashed and in plain text in the mail log.
Having a single server for the license checking is kind of lame IMHO. Even Solus has several distributed servers for this.
@Jack the whmcs admin password is irrelevant, every admin with half a brain would limit access to their admin folder to only a handful of trusted IPs.
@jack for which they don't need the admin's password at all...
Problem with that is that I have my phone logged in and use it when not at the computer. I can't predict what IP my phone is going to come from.
@Daniel use a VPN ?
I mostly get HSPA+ which a VPN would run on. I live in the middle of nowhere so some areas I don't get signal, and would be a nightmare to constantly reconnect.
Also I need to come from my network's IP for a lot of services to work.
Isn't it usually from a given range of IPs?
Usually
That would be a stupid wildcard.
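The admin-folder IP restriction discussed in the last few posts, as an added example written for this page (not from the thread and not WHMCS code): an allowlist checker that accepts single addresses and CIDR ranges, so a carrier's known range can be listed without opening the folder to everyone, and that refuses entries so broad they amount to the wildcard just objected to. The breadth threshold, the sample addresses and the function names are all constructed for the demo.

```python
"""Added example (not from the thread or WHMCS): admin-area IP allowlist
with CIDR support and a guard against effectively-wildcard entries.
Policy threshold and sample addresses are constructed."""
import ipaddress
from typing import Dict, Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed policy: refuse IPv4 ranges wider than /24 and IPv6 wider than /64.
MIN_PREFIX = {4: 24, 6: 64}


def parse_allowlist(entries: Iterable[str]) -> List[Network]:
    nets: List[Network] = []
    for entry in entries:
        # strict=False lets "203.0.113.10" become 203.0.113.10/32 and
        # tolerates host bits set in a range such as 198.51.100.5/24.
        net = ipaddress.ip_network(entry.strip(), strict=False)
        if net.prefixlen < MIN_PREFIX[net.version]:
            raise ValueError(f"allowlist entry {entry!r} is too broad (/{net.prefixlen})")
        nets.append(net)
    return nets


def is_allowed(client_ip: str, allowlist: List[Network]) -> bool:
    # client_ip must be the address the TCP connection actually came from;
    # client-supplied headers such as X-Forwarded-For are only meaningful
    # when a proxy you control sets them.
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # malformed input is denied, never silently allowed
    return any(addr in net for net in allowlist)


def wildcard_rejected() -> bool:
    # An entry like 0.0.0.0/0 would be the "stupid wildcard" from the thread.
    try:
        parse_allowlist(["0.0.0.0/0"])
    except ValueError:
        return True
    return False


def demo() -> Dict[str, bool]:
    allow = parse_allowlist(["203.0.113.10", "198.51.100.0/24", "2001:db8::/64"])
    return {
        "office_host": is_allowed("203.0.113.10", allow),
        "carrier_range": is_allowed("198.51.100.77", allow),
        "outside_range": is_allowed("203.0.113.11", allow),
        "ipv6_in_range": is_allowed("2001:db8::1", allow),
        "garbage_input": is_allowed("not-an-ip", allow),
    }


if __name__ == "__main__":
    print(demo(), "wildcard rejected:", wildcard_rejected())
```

A listed range is still a weaker control than a fixed address or a VPN endpoint, since everyone on that carrier range passes the check; the guard only stops the allowlist from degrading into "everyone".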
At least use squid proxy with password authentication.
Android supports setting HTTP proxies for 3G?
@Daniel no idea, but I hope it does. Maybe worth researching it
Nope, doesn't.
That would be 'trademarked', not 'copyrighted'.
So Matt was using a fully managed Hostgator box with cPanel for something as big and important as WHMCS? That alone is the last straw for me. Blah. Just like SolusVM, I'm probably going to have to write my own and I don't really have time for that shit.
As for you guys talking about pen testing... I wouldn't trust anyone who says they can pen test an encoded script, unless they have the source.
It actually seems reasonable that when running a big website you let others with more experience and dedication deal with the hosting stuff.