

New WHMCS hacked or it's a bug?




Posted by public_html, 11-27-2011, 08:12 AM
Hi, we're getting our gateway emails changed again and again (just after upgrading to the new WHMCS). Is it due to the new WHMCS? Regards

Posted by public_html, 11-27-2011, 08:16 AM
The hacker is still in there.

Posted by Patrick, 11-27-2011, 08:22 AM
Have you checked the access logs? Any unusual IP addresses? Do you have the admin directory IP restricted and/or password protected? I highly doubt it's a new flaw... it could be that someone compromised your credentials, or already had access to the server. Time to hire a management company to do a security audit of your box.
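
Added example (not part of Patrick's post or anyone's code from this thread): a Python triage of a web access log for the checks suggested above, listing admin-directory requests from addresses outside a staff allowlist. The `/whmcs/admin/` prefix, the allowlist, the file names and the log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions (not from the thread): Apache common/combined log format,
# admin directory at /whmcs/admin/, staff connect from 192.0.2.0/28.
ADMIN_PREFIX = "/whmcs/admin/"
STAFF_NETWORKS = [ip_network("192.0.2.0/28")]
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Constructed sample data; file names are placeholders, not real WHMCS paths.
SAMPLE_LOG = """\
192.0.2.5 - - [27/Nov/2011:07:40:01 +0000] "GET /whmcs/admin/index.php HTTP/1.1" 200 5120
203.0.113.77 - - [27/Nov/2011:07:55:12 +0000] "POST /whmcs/admin/login.php HTTP/1.1" 302 0
203.0.113.77 - - [27/Nov/2011:07:55:40 +0000] "POST /whmcs/admin/settings.php?a=save HTTP/1.1" 200 812
198.51.100.9 - - [27/Nov/2011:08:01:03 +0000] "GET /whmcs/cart.php HTTP/1.1" 200 9001
198.51.100.9 - - [27/Nov/2011:08:02:10 +0000] "GET /whmcs/admin/ HTTP/1.1" 403 199
garbage line that does not parse
"""

def unusual_admin_access(log_text):
    """Return ({ip: [(ts, method, path, status)]}, unparsed_count) for
    admin-directory requests from addresses outside STAFF_NETWORKS."""
    hits, unparsed = defaultdict(list), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1          # keep a count: skipped lines hide activity
            continue
        path = m["path"].split("?", 1)[0]
        if not path.startswith(ADMIN_PREFIX):
            continue
        try:
            addr = ip_address(m["ip"])
        except ValueError:         # hostname or junk in the client field
            unparsed += 1
            continue
        if any(addr in net for net in STAFF_NETWORKS):
            continue
        hits[m["ip"]].append((m["ts"], m["method"], path, int(m["status"])))
    return dict(hits), unparsed

def review_first(hits):
    """IPs with a POST into the admin directory that was not refused (2xx/3xx)."""
    return sorted(ip for ip, reqs in hits.items()
                  if any(meth == "POST" and 200 <= st < 400 for _, meth, _, st in reqs))

if __name__ == "__main__":
    hits, unparsed = unusual_admin_access(SAMPLE_LOG)
    for ip, reqs in hits.items():
        print(ip, reqs)
    print("review first:", review_first(hits), "| unparsed lines:", unparsed)
```

A 403 on the admin directory, as for 198.51.100.9 in the sample, is what an IP restriction looks like when it is working; accepted POSTs from an unknown address are the entries to chase.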

Posted by public_html, 11-27-2011, 08:24 AM
Looks like WHMCS is in complete control of the hacker. We can't even see the online staff.

Posted by Patrick, 11-27-2011, 08:44 AM
Can you log into the server, SSH or FTP? Disable your WHMCS installation until you can get someone to audit your server and figure out WTF is going on. Definitely don't want your clients' credentials being compromised any further.

Posted by public_html, 11-27-2011, 09:00 AM
Yes, the server is fine. Just WHMCS looks hacked, and yes, we've disabled it.

Posted by iexo, 11-27-2011, 09:00 AM
As Patrick said, act fast and put it all into lockdown. Then get into logs and find the root of the cause.

Posted by public_html, 11-27-2011, 10:03 AM
Someone managed to edit the configuration file; the hacker is from Jordan.

Posted by SolidJoe, 11-27-2011, 12:32 PM
I doubt this very much. You need to a) hire a security firm to audit your server b) likely need to reformat/change ALL passwords to truly prevent the infection from spreading. Oh, and notify all your customers, since it appears you sell services, that their data has been compromised. Depending on where your company is incorporated (hah, as if) and where the server is physically located, you are subject to various laws on disclosure. PS: Don't advertise on hacking forums if you aren't secure in your own setup.

Posted by public_html, 11-27-2011, 12:47 PM
Just after he hacked it we disabled everything. We got the person who hacked it, and the reason is also known now. Things are back to normal.

Posted by Server Management, 11-27-2011, 12:48 PM
Sounds like FUD to me... So what was the reason exactly?

Posted by Michaelz, 11-27-2011, 12:57 PM
Pretty much so.

Posted by SolidJoe, 11-27-2011, 01:02 PM
It appears you are based in Israel, and as such, I am unaware of their privacy laws. However, your server is on LSTN, based in the US, so you need to at a minimum follow the provisions for the state in which the server is located. Use this as a guide: http://www.ncsl.org/default.aspx?tabid=13489 Notify your customers of the security breach. Israel may be outside my jurisdiction, but US states certainly aren't.

Posted by public_html, 11-27-2011, 01:02 PM
Just discussing whether it is a WHMCS bug or something else. Contacted WHMCS too about this. He made some changes in the script, which the hired person is fixing.

Posted by public_html, 11-27-2011, 01:05 PM
Alright, and already informed the clients earlier today.

Posted by SafeSrv, 11-28-2011, 05:38 PM
There are so many different ways in, it could be anything - you need to check your logs for an idea. What security restrictions do you have in place?

Posted by GORF, 11-28-2011, 08:11 PM
Are you a customer or the Internet Police?


