Probably another WHMCS-related security breach
mpkossen Member
edited December 2012 in General

This is an e-mail I just got from PCSmartHosting:

Hi

We are disappointed to have to write this email, but early this morning we learned that our billing system had been compromised. It appears a MySQL injection technique was used to modify the Gateway table in our database. This has resulted in one customer completing a Liberty Reserve payment (which we've never offered our customers) to an account not associated with ourselves. Our standard payment methods of PayPal, Google Checkout and Debit/Credit remain secure.

We also have reason to believe that passwords on some user accounts may have been compromised through further MySQL injection techniques, and as a precaution we have currently disabled logins to our billing system. Upon restoring the billing system we will force a reset on all user passwords as a precaution.

This incident has been logged with WHMCS and from speaking to a few contacts in the industry we are not the only ones to become victim of this attack. The server hosting our billing area is heavily locked down from unauthorized access, access to our database was gained via a vulnerability in the billing software only.

Further updates will follow once we restore normal service; apologies for any inconvenience this has caused.

Kind Regards,

The PCSmart Team

Looks like another bad WHMCS module :(
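The e-mail above describes the attacker's effect (a gateway the provider never offered, configured to pay a foreign account) rather than the vector. The check below is an added example, not code from the thread or from WHMCS: it reads the gateway configuration table and reports gateways that are not on the provider's offered list, plus any payee setting that differs from a known-good export. It assumes the WHMCS 5-era layout in which gateway settings live in tblpaymentgateways as (gateway, setting, value) rows; the table and column names, the setting names in PAYEE_SETTINGS and all sample rows are assumptions or constructed data, so verify them against your own schema.

```python
import sqlite3

# Added example; not code from the thread or from WHMCS. Assumption: WHMCS
# 5-era installs keep gateway configuration in tblpaymentgateways as one row
# per (gateway, setting, value). Check the table and column names against
# your own schema before relying on this. The rows below are constructed;
# the libertyreserve rows mimic what the thread describes: a gateway the
# provider never offered, pointing at an account that is not theirs.
SAMPLE_ROWS = [
    ("paypal", "name", "PayPal"),
    ("paypal", "email", "billing@example.com"),
    ("googlecheckout", "name", "Google Checkout"),
    ("googlecheckout", "merchantid", "123456789"),
    ("libertyreserve", "name", "Liberty Reserve"),
    ("libertyreserve", "account", "U1234567"),
]

# Settings whose value identifies the payee (assumed names). A change here
# redirects money without anything looking broken from the customer's side.
PAYEE_SETTINGS = {"email", "merchantid", "account", "accountid", "accountnumber"}

# Payee values from the last trusted export of the table (constructed).
BASELINE = {
    ("paypal", "email"): "billing@example.com",
    ("googlecheckout", "merchantid"): "123456789",
}


def load_sample():
    """In-memory stand-in for the WHMCS database, filled with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblpaymentgateways (gateway TEXT, setting TEXT, value TEXT)")
    conn.executemany("INSERT INTO tblpaymentgateways VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def configured_gateways(conn):
    """Every gateway that has at least one row in the table, enabled or not."""
    return {row[0] for row in conn.execute("SELECT DISTINCT gateway FROM tblpaymentgateways")}


def unexpected_gateways(conn, offered):
    """Gateways configured in the table that the provider never offered."""
    return sorted(configured_gateways(conn) - set(offered))


def payee_drift(conn, baseline):
    """Payee settings that differ from the baseline, as (gateway, setting, old, new).

    old is None when the row did not exist in the baseline at all, which is
    exactly what an injected gateway looks like.
    """
    drift = []
    query = "SELECT gateway, setting, value FROM tblpaymentgateways ORDER BY gateway, setting"
    for gateway, setting, value in conn.execute(query):
        if setting.lower() not in PAYEE_SETTINGS:
            continue
        old = baseline.get((gateway, setting))
        if old != value:
            drift.append((gateway, setting, old, value))
    return drift


if __name__ == "__main__":
    conn = load_sample()
    print("unexpected gateways:", unexpected_gateways(conn, ["paypal", "googlecheckout"]))
    for gateway, setting, old, new in payee_drift(conn, BASELINE):
        print(f"{gateway}.{setting}: {old!r} -> {new!r}")
```

Run it against a read-only copy of the live database and take the baseline from the most recent backup you trust, not from the current table; the two SELECTs are plain SQL, so any DB-API connection to MySQL works in place of the sqlite stand-in. An "unexpected" gateway or a payee row with old None is the condition the e-mail describes and should be treated as evidence, not just cleaned up.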

Comments

  • Also caught this email yesterday:

    Dear XXX

    We are going to be putting SolusVM and our billing system in maintenance mode. During this time the provisioning and control of servers will be limited, but if you require a reboot you can still raise a ticket to [email protected]. This is essential maintenance to remedy some security bugs identified and cannot be delayed. Both systems will be going offline at 11am UK time today.

    A notification will follow once maintenance has been completed and it is not known how long the fixes will take to perform. We apologise for the inconvenience during this time and thank you for your co-operation.

    Kind regards,
    The ThrustVPS Team
  • There is an active attack targeting WHMCS installations with that LibertyReserve module on the server (does not matter if enabled) that was known to be an issue but some providers dismissed it as "disabled so it's of no concern to me"

    If you are a provider, please PM and I can disclose what I know.

    For companies who have disclosed the incident to me, your info is safe with me and I will not release any sensitive information at all but will use the most vague information I can offer to be helpful without it coming back to you.

    For full disclosure folks about to scream, go kick rocks. I'll publicly disclose what I know when the time is right.

  • From what I gather this has nothing to do with Liberty Reserve; there is an unrelated MySQL injection problem with WHMCS (it could have been there for a long time, maybe some providers just didn't bother updating their installation). And some guy used this MySQL injection to configure and enable the LR gateway in WHMCS so people can be tricked into ordering from the provider and sending money via LR to this guy.

  • @rds100 said: From what I gather this has nothing to do with Liberty Reserve

    The attacker is using multiple vulnerabilities then, because one confirmed victim was because of the LR module which allowed access and the other victim is not 100% sure yet

  • @bamn if an attacker is able to do mysql injection then he should be able to reconfigure any payment module and send the payments to his own account instead of the provider's account. In this case probably LR was chosen with the hope that nobody would notice and with the idea that LR payments are not disputable / reversible.

  • bamn Member
    edited December 2012

    Hi

    I don't give a damn about the OP. I'm here offering what I know about CURRENT, ONGOING ATTACKS. Feel free to debate all you want in typical LET derail fashion about hypotheticals.

  • I have just cleaned out the gateway folders, and moved everything that is not in use into another folder.

    I am curious about the LR module, any response from WHMCS?

  • mikho Member, Host Rep

    Bamn, if you offer, please post it as long as its just information helping people out.
    No injection code or something like that, only info to help providers check if they are in the clear or not.

  • If there is a SQL injection it's plain and simple to check the access logs and see the URL; I can't believe some providers aren't capable of catching a SQL injection attack :S

  • @MikHo said: Bamn, if you offer, please post it as long as its just information helping people out.

    I posted the terms of my offer and if folks do not like it, do not take me up on my kindness.

  • joepie91 Member, Patron Provider

    WHMCS has a vulnerability. What a surprise.

  • Nick_A Member, Top Host, Host Rep

    The first part is what happened to us (the Liberty Reserve part), but our client passwords were not compromised. I wonder what the hacker(s) did to get the passwords. Sucks that this is still going on but good to know it wasn't just us :/

  • What's new... lol

  • ServerSharp Member, Host Rep

    Got one from PCSmart as well.

  • @joepie91 said: What a surprise.

    Shocking, isn't it?

    @Nexus said: What's new.

    WHMCS having a security issue for the first time!!!11oneoneleven.

  • @Jack said: So this issue has been patched or what?

    No, it's not. I've seen this happen on several v5.1.3 installs.

  • Not yet. A couple of clients have submitted tickets to us saying the SolusVM WHMCS module had stopped working. When we investigated we found the LR gateway had been added.

    I do suggest you enable Query Logging in MySQL though. It will help detect how it was done if it happens to you.
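Two pieces of advice in this thread belong together: the earlier remark that the injected URL is visible in the web server's access log, and the suggestion here to enable MySQL query logging so you can see what was actually run. The script below is an added example, not code from the thread: it scans Apache combined-format access-log lines for injection markers in the decoded URL and for direct hits on gateway callback scripts of gateways you do not offer, and scans a MySQL general log for statements that write the gateway table, so the two can be lined up by timestamp. Every log line in it is constructed; the paths, parameters, addresses and statements are made up to exercise the patterns and are not known WHMCS injection points or the vector used in these incidents. The general-log line format, the callback path layout and the gateway table name are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Added example; not code from the thread. Every log line below is
# constructed: addresses, paths, parameters and statements are made up to
# exercise the patterns and are not known WHMCS injection points or the
# vector used in the incidents discussed.
ACCESS_LOG = """\
203.0.113.7 - - [04/Dec/2012:03:12:41 +0000] "GET /cart.php?a=add&pid=12 HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Dec/2012:03:12:58 +0000] "GET /page.php?id=1%20UNION%20SELECT%20value%20FROM%20tblpaymentgateways-- HTTP/1.1" 200 9811 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Dec/2012:03:14:10 +0000] "GET /page.php?id=7'%20OR%20'1'%3D'1 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Dec/2012:03:15:02 +0000] "POST /modules/gateways/callback/libertyreserve.php HTTP/1.1" 200 51 "-" "python-requests/0.14"
"""

# MySQL 5.5-style general log (SET GLOBAL general_log = 'ON'); the line
# format is assumed, and the entries are constructed.
GENERAL_LOG = """\
121204  3:12:40\t   56 Connect\twhmcs@localhost on whmcs
121204  3:12:41\t   56 Query\tSELECT * FROM tblproducts WHERE id='12'
121204  3:12:58\t   57 Connect\twhmcs@localhost on whmcs
121204  3:12:58\t   57 Query\tUPDATE tblpaymentgateways SET value='U1234567' WHERE gateway='libertyreserve' AND setting='account'
121204  3:12:59\t   57 Query\tINSERT INTO tblpaymentgateways (gateway,setting,value) VALUES ('libertyreserve','visible','on')
121204  3:15:02\t   58 Query\tSELECT id FROM tblinvoices WHERE status='Unpaid'
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
GENERAL_RE = re.compile(r'^(?:\d{6}\s+\d{1,2}:\d{2}:\d{2})?\s*(\d+) (\w+)\t(.*)$')

# Fragments that have no business in a WHMCS request parameter.
SQLI_RE = re.compile(
    r"union\s+select|'\s*or\s*'?\d|--\s*$|/\*|sleep\(|benchmark\(|information_schema|\btbl\w+|into\s+outfile",
    re.IGNORECASE,
)
# Statements that change the gateway table (assumed table name).
GATEWAY_WRITE_RE = re.compile(r"^\s*(insert|update|delete|replace)\b.*\btblpaymentgateways\b", re.IGNORECASE)
CALLBACK_DIR = "/modules/gateways/callback/"   # assumed WHMCS layout


def suspicious_requests(log_text, offered_gateways=()):
    """Access-log lines worth a look, as (client, time, method, decoded_url, reason)."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        client, when, method, url, _status = m.groups()
        decoded = unquote_plus(url)   # undo percent-encoding so the markers are visible
        if SQLI_RE.search(decoded):
            hits.append((client, when, method, decoded, "sqli-marker"))
        elif CALLBACK_DIR in decoded:
            # Callback scripts are reachable whether or not the gateway is enabled;
            # a hit on one you do not offer deserves attention.
            name = decoded.split(CALLBACK_DIR, 1)[1].split("?", 1)[0]
            if name.endswith(".php"):
                name = name[:-4]
            if name not in offered_gateways:
                hits.append((client, when, method, decoded, "callback-for-unoffered-gateway"))
    return hits


def gateway_writes(log_text):
    """General-log statements that write the gateway table, as (connection_id, statement)."""
    writes = []
    for line in log_text.splitlines():
        m = GENERAL_RE.match(line)
        if m and m.group(2) == "Query" and GATEWAY_WRITE_RE.match(m.group(3)):
            writes.append((int(m.group(1)), m.group(3)))
    return writes


def connect_info(log_text, connection_id):
    """Who opened a given connection (the Connect line's argument), or None."""
    for line in log_text.splitlines():
        m = GENERAL_RE.match(line)
        if m and int(m.group(1)) == connection_id and m.group(2) == "Connect":
            return m.group(3)
    return None


if __name__ == "__main__":
    for hit in suspicious_requests(ACCESS_LOG, offered_gateways=("paypal", "googlecheckout")):
        print("access:", *hit)
    for cid, stmt in gateway_writes(GENERAL_LOG):
        print(f"general log: conn {cid} ({connect_info(GENERAL_LOG, cid)}): {stmt}")
```

In the constructed data the UPDATE to tblpaymentgateways lands at 03:12:58, the same second as the UNION SELECT request, which is the kind of pairing the two logs give you; note that the connection was opened by the application's own database user, so the general log tells you what ran, not who, and the access log supplies the rest. The general log records every statement in plain text, including any credentials passed in queries, and grows quickly on a busy billing system; enable it to a dedicated file for the investigation window, restrict its permissions, and turn it off afterwards.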

  • Sooo, clearly a LR Module is being uploaded? Couldn't you just restrict such items from being uploaded through whatever exploit there is? As a temporary measure.

    It's intriguing that nobody has developed a fix yet; is this the same thing that happened to @CVPS_Chris then?

  • It is not being uploaded but getting activated. And it is not WHMCS's fault. They did patch it. Now if you are running an old unpatched version, that's another thread.

  • KuJoe Member, Host Rep

    Best practice is to remove any unused modules/gateways/addons/hooks. They can't exploit what's not there.
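The advice above (and the earlier post about moving unused gateways out of the folder) is easy to get slightly wrong by hand: each gateway is a module file plus, in many cases, a callback script that is reachable directly over HTTP, and a typo in the list of gateways you keep leaves one of them exposed. The script below is an added example, not code from the thread or from WHMCS: it plans which files to move out of the web tree given a listing and the set of gateways you actually offer, keeps module and callback files together, and reports offered gateways that have no module file at all. It assumes the WHMCS 5.x layout modules/gateways/<name>.php with callbacks in modules/gateways/callback/<name>.php; the file listing and gateway names are constructed.

```python
import os
import shutil

# Added example; not code from the thread or from WHMCS. Assumed layout of a
# WHMCS 5.x install: modules/gateways/<name>.php plus an optional
# modules/gateways/callback/<name>.php that is reachable directly over HTTP.
# The listing below is constructed; the gateway names are only illustrative.
SAMPLE_TREE = [
    "modules/gateways/paypal.php",
    "modules/gateways/callback/paypal.php",
    "modules/gateways/googlecheckout.php",
    "modules/gateways/callback/googlecheckout.php",
    "modules/gateways/libertyreserve.php",
    "modules/gateways/callback/libertyreserve.php",
    "modules/gateways/alertpay.php",
    "modules/gateways/callback/alertpay.php",
    "modules/gateways/callback/index.php",   # placeholder file, not a gateway
]
# Gateways this provider actually sells with. "mailin" is deliberately listed
# without a file on disk to show the typo check.
OFFERED = {"paypal", "googlecheckout", "mailin"}

ROOT = "modules/gateways"
QUARANTINE = "quarantine/gateways"   # put this outside the web root in real use


def gateway_name(path, root=ROOT):
    """Map a module or callback file to its gateway name, or None for other files."""
    parts = os.path.relpath(path, root).split(os.sep)
    if len(parts) == 1:
        base = parts[0]
    elif len(parts) == 2 and parts[0] == "callback":
        base = parts[1]
    else:
        return None
    if not base.endswith(".php") or base == "index.php":
        return None
    return base[:-4]


def plan_quarantine(tree, offered, root=ROOT, quarantine=QUARANTINE):
    """Return (moves, missing).

    moves: sorted (src, dst) pairs for every module and callback file whose
           gateway is not offered; the callback/ sub-directory is preserved.
    missing: offered gateways with no module file, i.e. probable typos in the
             allow-list that would otherwise leave a gateway in place.
    """
    moves, seen = [], set()
    for path in tree:
        name = gateway_name(path, root)
        if name is None:
            continue
        seen.add(name)
        if name not in offered:
            moves.append((path, os.path.join(quarantine, os.path.relpath(path, root))))
    return sorted(moves), sorted(set(offered) - seen)


def apply_plan(moves):
    """Move the files; inspect plan_quarantine() output before calling this."""
    for src, dst in moves:
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.move(src, dst)


if __name__ == "__main__":
    moves, missing = plan_quarantine(SAMPLE_TREE, OFFERED)
    for src, dst in moves:
        print(f"move {src} -> {dst}")
    for name in missing:
        print(f"warning: offered gateway {name!r} has no module file")
```

Build the real listing with os.walk over your install, review the printed plan, then call apply_plan; moving rather than deleting keeps the files available as evidence. Re-run it after every WHMCS upgrade, since upgrades restore the full gateway set.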

  • edited December 2012

    @KuJoe said: Best practice is to remove any unused modules/gateways/addons/hooks. They can't exploit what's not there.

    This, the narrower the window of opportunity the better

  • WHMCS needs to include code in all their modules to not function unless called from registered sources.

  • KuJoe Member, Host Rep

    @FRCorey said: WHMCS needs to include code in all their modules to not function unless called from registered sources.

    WHMCS doesn't code all of the modules. Some modules are provided by the service developers (I can't remember the last gateway exploit but it was from code not written by WHMCS).

  • WHMCS should be auditing the modules themselves before adding them to the App Store though surely?
