

[My] WHMCS Compromised




Posted by CueHost, 11-28-2013, 11:15 AM
Hello. Today I tried to log in to my WHMCS and realised that the login was no longer working, so I logged into my database and found that my username had changed. I had already created a support ticket to WHMCS requesting that they carry out a Security Audit on my site, but so far I have not received any reply back, which is why I am posting here for a quick response. The administrator username had changed to 'dzaso'; by doing a simple Google search of the term 'dzaso whmcs', I was able to find the user 'dzaso' researching 'WHMCS config' hacking. I am not sure what to do: should I reset the username via the database and carry out these steps: http://docs.whmcs.com/Further_Security_Steps or let the security audit by WHMCS take place first before making any changes? Would appreciate everyone's help. Thanks.

Posted by Nick H, 11-28-2013, 11:27 AM
Those should have been done in the first place... So I'd definitely recommend doing that - and then contacting your system administrator to find out how they got in.

Posted by CueHost, 11-28-2013, 11:33 AM
Yes, I am aware of that, but took it too lightly. By 'System Administrator' do you mean WHMCS or my host? I had already contacted my host and they performed a full audit and everything seems to be clear. Also, how may I obtain system logs through FTP? Thanks.

Posted by ModelWebHost, 11-28-2013, 12:04 PM
It will be better to contact your host so that they can pull the system logs, which will tell you how the hacker got access to the DB.

Posted by EthernetServers, 11-28-2013, 12:36 PM
What version of WHMCS were you running when you got hacked?

Posted by BrettB, 11-28-2013, 01:14 PM
It's important to determine the source of the attack so you can take appropriate action to prevent a similar attack in the future. Since the attacker gained access to your WHMCS, it's likely the attacker had access to modify files or other entries in your database. I would recommend doing a clean install of WHMCS to remove the possibility of any backdoors lingering around.

Posted by ServerSam, 11-28-2013, 01:23 PM
Do you have any backups to roll back to?

Posted by YagHost-Ravi, 11-28-2013, 01:29 PM
After WHMCS is hacked:
------------------------
1) Change all passwords (cPanel / WHMCS admins).
2) Delete all files except configuration.php.
3) Upload fresh WHMCS files.
4) Add a new database user to your WHMCS database, and delete the old database user. Now update this new database user in configuration.php.
5) Perform the security steps mentioned here: http://docs.whmcs.com/Further_Security_Steps
6) Prefer to keep WHMCS on a separate VPS / subdomain like: my.domain.com
7) Do not install any script (WordPress, Joomla etc.) on the WHMCS cPanel account. You should keep only WHMCS on this cPanel account.

Posted by ketan, 11-28-2013, 07:52 PM
Be sure to inspect the file however. That file was used in one of the recent exploits to inject untrusted code.
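Steps 2 and 3 above (keep only configuration.php, re-upload a fresh release) assume you can tell which files the intruder touched. The script below is an added example, not code from the thread or from WHMCS: it compares a live installation against a freshly extracted copy of the same release and lists files that were added (a classic place for a dropped backdoor) and files whose content differs from the clean copy. The directory layout and file contents in make_sample_trees are constructed for the demonstration; in practice you point it at the real web root and a clean extract of the matching WHMCS version. configuration.php will always show up as changed because it holds site-specific values, which is exactly the file the post above says to inspect by hand.

```shell
#!/bin/sh
# Added example: find files added to or changed in a WHMCS tree relative to
# a clean extract of the same release. Not part of the thread or of WHMCS.

# List regular files under a directory as sorted relative paths ("./a/b.php").
list_files() {
    (cd "$1" && find . -type f | sort)
}

# Files present in the live tree but absent from the clean tree.
# Arguments: live_dir clean_dir
added_files() {
    live_list=$(mktemp) || return 1
    clean_list=$(mktemp) || return 1
    list_files "$1" > "$live_list"
    list_files "$2" > "$clean_list"
    comm -23 "$live_list" "$clean_list"
    rm -f "$live_list" "$clean_list"
}

# Files that exist in both trees but whose bytes differ from the clean copy.
# Arguments: live_dir clean_dir
changed_files() {
    list_files "$2" | while IFS= read -r f; do
        if [ -f "$1/$f" ] && ! cmp -s "$1/$f" "$2/$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample data: a "clean" release and a "live" copy where one
# core file was modified, one extra PHP file was dropped into a template
# directory, and configuration.php carries site-specific values.
# Argument: a scratch directory to populate.
make_sample_trees() {
    base="$1"
    mkdir -p "$base/clean/admin" "$base/clean/includes"
    printf 'clean admin index\n'   > "$base/clean/admin/index.php"
    printf 'clean api\n'           > "$base/clean/includes/api.php"
    printf 'template config\n'     > "$base/clean/configuration.php"

    mkdir -p "$base/live/admin" "$base/live/includes" "$base/live/templates/orderforms"
    printf 'clean admin index\n'   > "$base/live/admin/index.php"
    printf 'clean api\nEXTRA\n'    > "$base/live/includes/api.php"
    printf 'site config\n'         > "$base/live/configuration.php"
    printf 'unexpected file\n'     > "$base/live/templates/orderforms/cache.php"
}

# Stand-alone demonstration on the constructed trees.
demo() {
    scratch=$(mktemp -d) || exit 1
    make_sample_trees "$scratch"
    echo "Added (not in clean release):"
    added_files "$scratch/live" "$scratch/clean"
    echo "Changed (differs from clean release):"
    changed_files "$scratch/live" "$scratch/clean"
    rm -rf "$scratch"
}

demo
```

Every path reported as added or changed needs a human look; a modified core file or a stray .php in a template or upload directory is the first place to check for injected code before deciding whether the "delete everything except configuration.php" step was enough.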

Posted by BrianHarrison, 11-28-2013, 08:22 PM
Keeping up to date with WHMCS security patches, limiting access to the admin folder based on IP address and implementing a robust set of mod_security rules applied to both the request URL and POST data is your best bet to defend against future intrusions.
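Restricting the admin folder by IP is a control; the matching check is to look at the web server logs for admin requests that did not come from an allowed address, which is also the quickest way to answer the "how did they get in" question raised earlier in the thread. The script below is an added example, not from the thread or from WHMCS: it reads Apache combined-format access log lines, picks out requests under the admin path, and prints those whose client address is not on an allow-list. The log lines, the allow-list addresses and the ADMIN_PATH value are constructed; set ADMIN_PATH to whatever your admin directory is actually called.

```shell
#!/bin/sh
# Added example: flag requests to the WHMCS admin directory from addresses
# that are not on the allow-list. Not part of the thread or of WHMCS.

# Assumed admin path (WHMCS default is /admin/; change if renamed).
ADMIN_PATH="/admin/"
# Constructed allow-list of addresses that should be reaching the admin area.
ALLOWED_IPS="203.0.113.10 203.0.113.11"

# Return 0 if the address is on the allow-list, 1 otherwise.
ip_allowed() {
    for a in $ALLOWED_IPS; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# Read combined-format log lines on stdin; print "ip request-line" for every
# request under ADMIN_PATH whose client address is not allow-listed.
admin_hits_from_unknown_ips() {
    while IFS= read -r line; do
        ip=${line%% *}                                      # first field
        req=$(printf '%s\n' "$line" | awk -F'"' '{print $2}')   # text inside first quotes
        path=$(printf '%s\n' "$req" | awk '{print $2}')         # e.g. /admin/login.php
        case "$path" in
            "$ADMIN_PATH"*)
                ip_allowed "$ip" || printf '%s %s\n' "$ip" "$req"
                ;;
        esac
    done
}

# Constructed sample log: one allowed admin login, two admin requests from an
# unknown address, and one client-area request that should be ignored.
SAMPLE_LOG='203.0.113.10 - - [28/Nov/2013:10:02:11 +0000] "GET /admin/login.php HTTP/1.1" 200 2341 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Nov/2013:10:03:45 +0000] "POST /admin/login.php HTTP/1.1" 302 512 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Nov/2013:10:03:52 +0000] "GET /admin/configgeneral.php HTTP/1.1" 200 9871 "-" "Mozilla/5.0"
192.0.2.55 - - [28/Nov/2013:10:05:00 +0000] "GET /clientarea.php HTTP/1.1" 200 4012 "-" "Mozilla/5.0"'

# Stand-alone demonstration; on a real server feed the log file instead:
#   admin_hits_from_unknown_ips < /path/to/access_log
printf '%s\n' "$SAMPLE_LOG" | admin_hits_from_unknown_ips
```

A successful POST to the admin login followed by admin page loads from an address you do not recognise is the pattern to look for; once the admin folder is actually locked down by IP, the same script should print nothing on fresh logs.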

Posted by thedediguy, 11-28-2013, 08:49 PM
If you're on a shared host and not an isolated server or VPS, then it most likely is a shell script or a compromise of the main node. Give us more info, but if it is a shared host server, lesson learnt.

Posted by ModelWebHost, 11-28-2013, 10:30 PM
And WHT is your best friend. Whenever a patch or maintenance release is issued, a thread is created within a few minutes. So, keep an eye on the hosting software and control panel forum too.

Posted by Kailash12, 11-29-2013, 04:40 AM
In addition to the above suggestion, if your WHMCS installation is hosted on a shared hosting server, make sure that the shared hosting server is also secure.

Posted by HostXNow_Chris, 11-29-2013, 04:51 AM
1 very good advice. Best to host it on a VPS.

Posted by digitallog, 11-29-2013, 04:57 AM
I thought WHMCS released the patch which fixed all those hacking issues, but it is still compromised?

Posted by EthernetServers, 11-29-2013, 05:10 AM
I think one of the prime problems here is that because so many fixes/patches have come out, it can be hard (for those with lots of custom edits specifically) to replace all the patched files correctly. We have hundreds of custom edits for both the client area and admin area and it's certainly becoming a pain, to say the least.

Posted by bear, 11-29-2013, 10:29 AM
The patches fix the known issues. There could always be something not made public, or this could be a result of an old installation or the server it's on and so on. Most of the patches are to the encoded files, not the templates. Unless you're referring to changes affecting modules you've developed or something of that nature, I don't see what the problem is. Can you explain?

Posted by WPCYCLE, 11-29-2013, 12:36 PM
Also, for when you do re-install WHMCS:
8) Delete payment modules not needed. If you only use 1 or 2 modules like PayPal or something, delete the rest of them.
9) If you have the knowledge, only access WHMCS through a secured VPN limited to only that IP address (as listed on WHMCS - Restrict Access by IP). Very important step.
10) This also connects with #9: SSL for the VPN and WHMCS.
Be paranoid about security at all times. Once you're lazy, the chances of an issue increase.
*****Also take a look at your host and how they treat security. No point going through all these steps if your host is a playground to hackers******

Posted by YagHost-Ravi, 11-29-2013, 01:00 PM
wow.... that's a good addition and very handy tips.


