whmcs hacked
My WHMCS 5.2.9 got hacked. The hacker seems to have got access to the admin panel. I have no idea why they were able to place a suspicious file in the /downloads folder (can it be uploaded from inside the admin panel?). After the file was placed, it was called and configuration.php was read for the database credentials, and the hacker could change the admin password and do anything with the WHMCS database. I need to know this to prevent it from occurring again.
The main thing I have no clue about is how they could place a file in the downloads folder.
Already updated to 5.3.6.
Comments
Always update your WHMCS to the latest version as soon as it comes out.
If they placed a file in the downloads folder and executed it, that would mean that your downloads folder was in your public_html folder.
And yes if they had access to your admin account they could have uploaded a shell or something.
You should always move the downloads/attachment/templates_c folder outside of the public_html directory.
Follow all the steps here. http://docs.whmcs.com/Further_Security_Steps
I also recommend deleting all your files and uploading a fresh copy of whmcs to make sure there are no hidden shells or anything hiding.
ok
http://docs.whmcs.com/Further_Security_Steps
As I understand it, move the downloads/attachment/templates_c folder outside of the public_html directory. So once a script has been placed there, they cannot call it from the website?
If you move your downloads/attachments/templates_c folder then no one will be able to execute the files.
The most common way for people to upload a shell to your site would be by uploading it as an attachment.
So when you move the attachment folder outside of the public folder, it can no longer be accessed by anyone directly.
Is it possible to disable execution of anything under that folder in the webserver config?
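The two ideas in the posts above (keep the user-file directories out of the web root, and make sure nothing in them can ever execute) as an Apache 2.4 virtual host. This is an added example, not configuration from the thread or from WHMCS; the hostname, all paths, and the PHP module name are assumptions for your own layout.

```apache
# Added example, not from the thread or from WHMCS itself: an Apache 2.4 vhost
# for a WHMCS install. All paths and the hostname are assumed.
# Step 1 (outside this file): move downloads/, attachments/ and templates_c/
# to /var/www/whmcs-private, which is NOT under DocumentRoot, and point
# configuration.php at the new locations as the Further_Security_Steps page shows.
<VirtualHost *:443>
    ServerName billing.example.com
    DocumentRoot /var/www/whmcs-public

    <Directory /var/www/whmcs-public>
        Options -Indexes -ExecCGI
        AllowOverride None
        Require all granted
    </Directory>

    # Step 2, defence in depth: if one of those directories is ever left inside
    # DocumentRoot (or copied back during a restore), nothing in it may run.
    <DirectoryMatch "^/var/www/whmcs-public/(downloads|attachments|templates_c)/">
        # mod_php: switch the interpreter off for this tree
        # (module name is mod_php5.c / mod_php7.c / mod_php.c depending on PHP version)
        <IfModule mod_php7.c>
            php_admin_flag engine off
        </IfModule>
        # PHP-FPM / CGI: remove any handler mapping for PHP-style names and
        # refuse to serve them at all, so a dropped script cannot be called
        <FilesMatch "\.(php|phtml|phar|phps|ph[0-9])(\.|$)">
            SetHandler none
            Require all denied
        </FilesMatch>
        # Anything else served from here is a plain download, never rendered
        <IfModule mod_headers.c>
            Header set Content-Disposition attachment
            Header set X-Content-Type-Options nosniff
        </IfModule>
    </DirectoryMatch>
</VirtualHost>
```

Run `apachectl configtest` after the change and confirm with a harmless `.php` file in one of those directories that the server answers 403 rather than running it.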
ok
Thank you for the really worthwhile suggestion.
Do you use cPanel/DirectAdmin or Zpanel/Kloxo?
Another question: is there any way to force all clients to reset their password?
It's cPanel
It's nothing new that WHMCS is getting hacked. I wonder why hosters are still using this...
Because it's the only thing that "works"
Define "works". Getting hacked every day/hour/minute does not mean it works.
WHMCS 5.2.9 is very old and it is no wonder it got hacked. Actually it is kind of surprising that it didn't get hacked earlier.
You should upgrade to 5.3.6
I think they have used SQL injection to get in! Your WHMCS might be vulnerable! And after getting in they have uploaded a SHELL to access all hosted websites on that server.
I always recommend people run Mod_Security alongside WHMCS, it might not stop a zero day but it sure won't hurt. It likely would've stopped them from uploading a PHP shell in this case, provided you had upload scanning enabled.
Ask WHMCS.
Basically says it all. This was an old, insecure WHMCS version.
Yes, but what he probably really wanted to know was why does WHMCS suck so much. (inb4 WHMCS used to be a hobby project by Matt)
Password protecting the admin folder is easy to set up and use. Your browser can cache the login, so it's a really good security enhancement imho.
http://docs.whmcs.com/Further_Security_Steps
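The "password protect the admin folder" step from the post above as an Apache 2.4 snippet. This is an added example, not from the thread or the linked docs page; the directory path, realm name, htpasswd location and user name are assumptions.

```apache
# Added example, not from the thread: HTTP basic authentication in front of the
# WHMCS admin directory, a second gate before WHMCS's own admin login.
# Path, realm and user name are assumed. Place it in the HTTPS vhost only, so
# the Authorization header never crosses the wire in clear text.
#
# Create the credential file outside DocumentRoot first (prompts for a password):
#   htpasswd -B -c /etc/apache2/whmcs-admin.htpasswd alice
<Directory /var/www/whmcs-public/admin>
    AuthType Basic
    AuthName "WHMCS admin"
    AuthUserFile /etc/apache2/whmcs-admin.htpasswd
    # only users listed in the htpasswd file get as far as the WHMCS login page
    Require valid-user
</Directory>
```

If you have renamed the admin directory as the WHMCS docs suggest, use that name in the `<Directory>` path.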
Could you link me to a guide to do that?
I would not recommend mod_security for WHMCS. It caused us more problems than it prevented. If you do use it expect lots and lots and lots and lots of tweaking to get it just right and even then expect to have to do more tweaking.
With WHMCS, right off the bat you will probably find that your ticketing system won't work anymore so you have to create special exclusions or rules for that. We had to create a bunch of special rules for all sorts of things that came up.
It is also a PITA to troubleshoot because it does not always block. It depends on how you have it configured and the content of the message it is blocking, how long the message is, etc.
When it does block the web page errors are very generic so you have to always check the mod_sec logs to see whether it did it. The mod_sec logs are very chatty even when turned way down so not always the easiest thing scanning them.
Anything that complicates things that much is not a good security solution imho. There are lots of ways around it so it's not even that great of a hammer. More of a specialized solution for very targeted things. So if you want to go to all the trouble to implement it in order to target one very specific thing and turn off all the generic filtering it could be of some use imho.
If you do implement it, I would recommend setting it up in monitor-only mode for quite a while. Watch the logs very carefully to see what it is flagging.
We spent countless hours messing around with it over the course of a year trying to prevent false positives. Cranked up the limits etc. Finally set it to just monitor and eventually we just disabled it. We did learn something though. To ignore any suggestions of using mod_security on WHMCS.
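The tuning approach the posts above describe (recommended in one reply, then argued against in the last few): start mod_security in monitor-only mode, watch the audit log, and scope exclusions to the pages that trip it instead of disabling it globally. This is an added example, not configuration from the thread; the log path and the ticket page names are assumptions, and the rule IDs are placeholders.

```apache
# Added example, not from the thread: mod_security 2.x started in monitor-only
# mode for WHMCS, with rule exclusions scoped to the pages that trip it rather
# than a global off switch. Paths are assumed; the rule IDs below are placeholders
# to be replaced with the IDs you actually see in the audit log.
<IfModule security2_module>
    # Log every match but block nothing while you watch what fires on real traffic
    SecRuleEngine DetectionOnly
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLog /var/log/apache2/modsec_audit.log

    # Ticket bodies and replies are free text that looks like SQL or HTML to
    # generic rules; relax only the offending rules, only on those URLs
    # (assumed WHMCS client-area ticket pages; placeholder rule IDs)
    <LocationMatch "^/(submitticket|viewticket)\.php$">
        SecRuleRemoveById 1000001 1000002
    </LocationMatch>

    # Once the audit log has been free of false positives for a while, turn
    # blocking on in the same scoped way, starting with the admin area
    <Location /admin>
        SecRuleEngine On
    </Location>
</IfModule>
```

The audit log is the only place a DetectionOnly match is visible, so review it on a schedule rather than waiting for a user complaint.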