Whoa, this guy ain't giving up

Maybe some of you have heard of him; he's called Cyber4rt. That's like the 3rd try and he always fails.
He signs up, then changes his address and information with SQL statements, trying to gain access to the billing system and servers.

First Name: 'Aganteng' to 'Andri'
Last Name: 'Rooterz' to 'Cyber4rt'
Address 1: 'dm' to 'AES_ENCRYPT(1,1), address1= (SELECT MIN(username) FROM tbladmins)'
Address 2: 'dm' to 'AES_ENCRYPT(1,1), address2= (SELECT MIN(password) FROM tbladmins)'
City: 'dm' to 'AES_ENCRYPT(1,1), city= (SELECT MAX(username) FROM tbladmins)'
State: 'Arizona' to 'AES_ENCRYPT(1,1), state= (SELECT MAX(password) FROM tbladmins)'
Postcode: '404404' to '40404'
Default Payment Method: '' to ''
If you are unhappy with any of the changes, you need to login and revert them - this is the only record of the old details.

This change request was submitted from vps-1118555-13724.manage.myhosting.com (216.224.162.45)
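
A defensive check over the notification format shown in the post above, as an added example that is not part of the original post or of WHMCS: it parses each `Field: 'old' to 'new'` line and flags new values that carry SQL syntax. The function name and rule names are hypothetical; the sample lines are copied from the post.

```python
import re

# One notification line: Field: 'old value' to 'new value'
CHANGE_LINE = re.compile(r"^(?P<field>[^:]+):\s*'(?P<old>.*?)' to '(?P<new>.*)'$")

# Heuristic rules (names are hypothetical); tune them against your own client data.
RULES = [
    ("select-from", re.compile(r"\bselect\b.+\bfrom\b", re.I)),
    ("column-assignment", re.compile(r"\)\s*,\s*\w+\s*=")),
    ("function-call", re.compile(r"\b[A-Za-z_]\w*\(")),
    ("admin-table", re.compile(r"\btbladmins\b", re.I)),
]

# Sample input: lines copied from the change request quoted in the post above.
SAMPLE = """\
First Name: 'Aganteng' to 'Andri'
Last Name: 'Rooterz' to 'Cyber4rt'
Address 1: 'dm' to 'AES_ENCRYPT(1,1), address1= (SELECT MIN(username) FROM tbladmins)'
Address 2: 'dm' to 'AES_ENCRYPT(1,1), address2= (SELECT MIN(password) FROM tbladmins)'
City: 'dm' to 'AES_ENCRYPT(1,1), city= (SELECT MAX(username) FROM tbladmins)'
State: 'Arizona' to 'AES_ENCRYPT(1,1), state= (SELECT MAX(password) FROM tbladmins)'
Postcode: '404404' to '40404'
Default Payment Method: '' to ''
"""


def scan_change_request(text):
    """Return {field: [rule names]} for each changed field whose new value matches a rule."""
    flagged = {}
    for line in text.splitlines():
        m = CHANGE_LINE.match(line.strip())
        if not m:
            continue  # not a "Field: 'old' to 'new'" line
        hits = [name for name, rx in RULES if rx.search(m.group("new"))]
        if hits:
            flagged[m.group("field").strip()] = hits
    return flagged


if __name__ == "__main__":
    for field, hits in scan_change_request(SAMPLE).items():
        print(f"{field}: {', '.join(hits)}")
```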

Comments

  • black Member
    edited June 2015

    This is why you use my free proxy / VPN check service; it's 100% free, I don't even run any ads.

    Thanked by 1Traffic
  • He'll have a blast when WHMCS 6.0 is out..

  • MrRapidHost Member
    edited June 2015

    @Dillybob said:
    He'll have a blast when WHMCS 6.0 is out..

    Yea, probably.

    Current WHMCS is patched, but who knows, it's always good to take the necessary precautions.

  • joepie91 Member, Patron Provider
    edited June 2015

    @black said:
    This is why you use my free proxy / vpn check stuff

    Meh. This is just a skid trying to use a long-patched vulnerability. Only thing blocking them is going to accomplish, is cleaning up your logs slightly :)

  • Welcome to my world, bud.

  • @FlamesRunner said:

    Welcome to my world, bud.


    As long as your WHMCS is updated to the last version there is nothing to worry about :).

  • Eh, happens from time to time.
    Makes me wonder what entices script kiddies these days.

  • jar Patron Provider, Top Host, Veteran
    edited June 2015

    joepie91 said: This is just a skid trying to use a long-patched vulnerability

    I blame the wealth of people who STILL have WHMCS versions that haven't been updated since 2011. It's pathetically sad that people follow the "if it doesn't appear broken to me, I shouldn't bother updating it" attitude to the internet. If I had a dollar for every customer at a previous job who said to me "It's been working fine for years and I haven't touched it, why are your servers not secure?" after a compromise.... I'd probably have a down payment for a house.

  • black said: This is why you use my free proxy / vpn check stuff

    Why would someone want to check if someone is using a VPN? I use a VPN all the time just as a matter of principle.

  • Yes I've tripped on the stupid fraud screening some companies use because I happened to be VPN'd to one of my existing servers when I placed the order. (Needed to access something on that network and had forgotten to disconnect the VPN when done)

    You'd also sometimes see me come from behind a proxy, although that said, it's configured to reveal the source IP and it's not trying to hide the fact it's a proxy.

  • After seeing that name, Andri, it just makes me sad. :(

    That's an Indonesian name with a fake location (probably using VPN/proxy)

  • We get 10-15 of them a month... I tend to just ban the IP and delete the account...

  • If I used WHMCS (thankfully I have my own software which doesn't have gaping holes like that - yes, self promotion, get over it), I'd just set up a "retard" filter that looks for those, then to screw with them I'd send a random output each time to make it look like the exploit worked. Might as well have fun screwing with the "hackers"

  • Better get working on that April Fools module, eh?

  • rokok Member

    @ErawanArifNugroho said:
    After seeing that name, Andri, it just makes me sad. :(

    That's an Indonesian name with a fake location (probably using VPN/proxy)

    First Name: 'Aganteng'

  • DalComp Member
    edited June 2015

    @ErawanArifNugroho said:
    After seeing that name, Andri, it just makes me sad. :(

    That's an Indonesian name with a fake location (probably using VPN/proxy)

    And @FlamesRunner's pic says sangnewbieabadi on the email... sigh

  • joepie91 Member, Patron Provider

    @Jar said:
    I blame the wealth of people who STILL have WHMCS versions that haven't been updated since 2011. It's pathetically sad that people follow the "if it doesn't appear broken to me, I shouldn't bother updating it" attitude to the internet. If I had a dollar for every customer at a previous job who said to me "It's been working fine for years and I haven't touched it, why are your servers not secure?" after a compromise.... I'd probably have a down payment for a house.

    Unfortunately true. That, and various other dangerous and ignorant statements, including but not limited to:

    • "This is free software, we have no obligation to fix the security vulnerabilities [that we created]!"
    • "If you think it's insecure, prove it and exploit [some server]! Otherwise the vulnerability doesn't exist!"
    • "But I'm also running it on this other server, and that hasn't gotten hacked yet! Clearly you are at fault!"
    • "But I don't see anything! That means I haven't been hacked!"

    ... and so on, and so on, and so on...

    Thanked by 2jar vimalware
  • KuJoe Member, Host Rep
    edited June 2015
  • black Member

    joepie91 said: Meh. This is just a skid trying to use a long-patched vulnerability. Only thing blocking them is going to accomplish, is cleaning up your logs slightly :)

    True, but it could do more like preventing fraud. It's free so it's worth looking into.

  • joepie91 Member, Patron Provider

    @black said:
    True, but it could do more like preventing fraud. It's free so it's worth looking into.

    Hrm. While it might reduce the fraud rate, checking for VPNs/proxies is still a rather rudimentary approach... either way, it certainly won't do anything useful against this particular phenomenon :)

  • Isn't that like super old (the exploit)?

  • HBAndrei Member, Top Host, Host Rep

    nexmark said: Isn't that like super old (the exploit)?

    Yes it is, very old... and yet we get one of those "clients" at least once per week, sometimes even more often... of course they all don't pass the fraud checks, but they still change details like crazy :D

  • @HBAndrei said:
    Yes it is, very old... and yet we get one of those "clients" at least once per week, sometimes even more often... of course they all don't pass the fraud checks, but they still change details like crazy :D

    Maybe it's some automated script the person uses. Otherwise, if it's manual, the failure rate must be high.
