WHMCS.com Hacked?

[desynced]

Reading this thread has popped up a question I have to ask? How long have you all been in business? The ranting of WHMCS isnt going to go on anywhere. This stuff happens, welcome to the internet. First day here?

I can remember around 2000 that really nothing was safe. Exploit here, exploit there, etc. The only safe way is to store everything in something like Quickbooks on a computer that doesnt even connect to the internet. But then you wouldnt have 90% of the features that WHMCS does for you would you?

ClientExec. v2.x This was our first major "web based" system. We have a few RackShack servers and a couple scattered around. Then our data in this kept screwing up. For days we couldnt figure out why things were disappearing and changing. Then finally it was known..
http://secunia.com/advisories/17756/
With that, plus other bugs, we decided to move on.
ModernBill v4.x It was great but some serious exploits were coming out. Cross scripting, remote exploits, etc were a big fad. Our ModernBill system got hacked while waiting for those guys to come out with a patch. Not only did they get our data, but they took full control of that server. I would say we had a couple dozen dedicated servers with RackShack (before ThePlanet) and maybe another dozen scattered around at other datacenters back then. So we have quite a few customers we have to contact with the "Sorry, but our software has been hacked and now the internet has your credit card info" emails. We lost about 40% of our customers from that. Then ModernBill 5 came out. Some of you might know how much that version was.
http://secunia.com/advisories/32529/

Shortly after this, then we were having customer sites getting hacked with an exploit through the control panel we were using... Ensim. Lost more customers.

So we migrated to LXAdmin's control panel. Major exploit comes out. The main dev of it commits suicide. Yeah, no fixes and everyone is confused if LXAdmin is even going to get updated, by who, etc.
Guess what? You guessed it. More customers calling and emailing and leaving.

Yeah, its time to move on. Now we're a DirectAdmin and CPanel shop. Both been great since then. After posting on several forums about what is good, there's WHMCS that people are recommending over and over. I check their site, they support everything I need (payment, control panels, etc) and they've been great. I havent had any problems in 3+ years with their product (well maybe some minor upgrade hickups) and right now their web site got hacked, but not by an exploit or bug in their software. By this and the ignorance of HostGator (still not confirmed?), they were able to access WHMCS's main database, site, cpanel, etc.

Then they put it on the internet. I found out when I get a call from an admin asking if I've logged into WHMCS yet that morning. I told him no, and he said when I do, check out the news feed inside. Yes, the feed from Twitter. Right away I assumed my WHMCS setup was hacked. After 2 - 3 minutes of extremely high blood pressure, I finally realize that it's not me, but WHMCS's site. So, I read the twitter feeds which several feeds besides the hacker is releasing news about WHMCS being hacked just scrolling by. You have thousands of people on the internet that is now the reporters of the world. Blogs, news sites, forums, etc all posting about WHMCS being hacked and linking screen shots of the defaced site, links to the files, etc.

So yeah, I did download the files. I am so sorry that I wanted to see what they got and is it any way going to concern me and my business. For anyone ranting "Shame on you people downloading...", why are you not concerned if your info is inside? At the time I couldnt log into WHMCS to see EVERY ticket I've made over the years to see what info I supplied them. Do they have my admin password? I know I make temp accounts and when the job is done, delete the accounts, but did I ever have to give them a MySQL username and password? Root's password? I'm 99.9% sure I didnt, but.. damn right I am going to download these and see what data is now freely available to thousands or millions of people that would do something dishonest with either my credit card or any ticket information.

Now it's when I have to see the bottom line. Yes, I may have to call and get a new card. I have others. I can wait a couple weeks for a replacement. I would hope you would too. But I would also hope you are smart to change passwords often. I would hope you are smart enough to make temp accounts for WHMCS to use and deleted them when they finished whatever they needed to do. If you did, any ticket info is invalid since passwords have changed, accounts are gone, etc. Yeah, I now have a text file/database full of credit card numbers, names, addresses, phone numbers, etc. Am I stupid enough to risk the rest of my life and use any of this information illegally? No. Just like I would hope all of us wouldnt and just wanted to see if any information would effect them. We're the ones effected, we're not the ones that have never even used WHMCS, never heard of it, dont care what WHMCS is, just get the credit card numbers and roll! So shame on me? Whatever. I did what was best for me and my family and my business and that was to see if all 3 of those are safe. Actually now I'm not even sure why I downloaded the other 2 files (whmcs site files and whmcs cpanel files) since I could really give a s**t about those 2. I have WHMCS and CPanel, except the DB link wasnt working for a while so I thought maybe the DB was included in one of the other two.

Is this going to effect me? Wow, I spent a couple minutes changing my WHMCS.com password and changing passwords for anything that had to do with my WHMCS setup. Did I need to change my WHMCS passwords? No, but it just made me feel a little better inside with everything going on.

Is this going to effect my business? I doubt it. My customers data is still safe. I dont have to send another "Oh no. I been hacked again. Your credit card isnt just yours any more." emails to my customers. Im not going to lose a bunch and have financial problems for the next several months because of this. I can still use WHMCS.

You pissed off? You want to leave WHMCS? Fine. Go ahead, really. Now I'm wondering how many of you are even stable enough to run a business. Do you only have 1 credit card or debit card running your whole business? What if you lost your wallet? This crap is only effecting you. Not your customers. Not your business.

[CavalloComm]

Well said. And again.. I am not on a high horse... But still shame on the people here that actually followed that link and downloaded the UNAUTHORIZED database. I didn't even use a CC with them. No worries. It is YOUR CHOICE TO USE ONE! Again, you all know how the software works no? Or are the people complaining here non users of WHMCS? So.. It could all happen to you too.. Do you all have a better solution?



Enough said.

[hamishpalmer]

Guessing everyone/someone received the "WHMCS Updates for XXX" email from AJ Online Services??

Wanted to share my thoughts on this - I personally am rather annoyed that this person/company has apparently gone ahead and downloaded the leaked information, then used it to email WHMCS clients.

I realise it is designed to offer advice, but I am really not impressed on how they went about it. Nowhere does it mentioned it was authorised by WHMCS, AJ Online Services admitted the details were taken from the stolen database:

we have mearly sent this email to all WHMCS clients recorded in the WHMCS database leaked by the UGNazi group

Obviously thousands of people are in possession of the stolen data, and obviously those with information compromised (like myself) would have already done something about it if they had half a brain. I also like the line:

This email is not a plug so we wont give our details directly in this email

When clearly they have provided: Link to their website, Email address, Facebook + Twitter accounts.

I received an email from WHMCS regarding the issue, and done something about the breach 12 minutes after the WHMCS twitter account posted the first hack message. What I do not need/want is "helpful" companies taking my data and plugging their own business, even if intentions are good - regardless of what was said in the email, their contact information is still visible.

If AJ Online Services were ever hacked, I will be the first person to download all of the stolen information, and send out helpful emails offering advice to their clients... with a link to my website and email address in the footer, which should not matter because it is just a helpful email and nothing more, right? Come on man, Foxconn wouldn't make an announcement on Apple's behalf, and if they did it would be authorised by Apple. Let WHMCS do their thing, you worry about your business and I will worry about mine.

[cwispy]

I would like to hear from staff in regards to the article at [link removed]

[Speedy059]

I would like to hear from staff in regards to the article at [link removed]

I really hope that isn't true.

[Matt]

See this thread for our response: http://forum.whmcs.com/showthread.php?47797

Matt

[vincent_g]

I was not effected by this major problem that took place this past week.

But having read the news I have to say Hostgator did make a major mistake.
They should not have given out any info without first checking with Matt

This is a major mistake - My server company ( Calpop ) would not make such a mistake.

The major fault here belongs to Hostgator

http://www.scmagazine.com.au/News/30...ud-breach.aspx

As to how this person got the other security questions correct is not of any importance.
Yes this is an additional security problem but the purpose of security is to trip up a hacker.
If he had six parts of the security answers correct and was missing one - he was still missing one!!!

You don't give him the one part he doesn't have with out getting conformation from the person in charge.

So now that the damage is done it's time to find out where we can improve things.

As to those hosts that have been effected - you have just experienced a major learning experience.
Do not leave your passwords unchanged after requesting help via any help desk.
If you were using a hosted billing solution - well - sometimes saving money can cost.

One thing I am not too happy with with WHMCS is their new marketing idea which winds up giving large hosting companies an unfair advantage on smaller ones as I now see hosting companies giving away WHMCS with reseller accounts.

As this software falls into more hands for small fees the possibility of hackers will increase.
This allows them to have hands on access to try and find holes in it.

I believe it's a really bad idea - might be a good marketing scheme but long term it's not very good.

Vincent G.
CW3 Web Hosting

[Jbro]

Hostgator is a big issue. I sensed it years ago. I had a VPS with them I felt so unsecure I moved every thing to our domestic
This is a lesson for all of us

[vincent_g]

Does anyone know anything about this hack?

Was it a version 4 hack or version 5 hack?

I didn't see any patches for it.

[old exploit removed]

It displays the content of the config file.

There are videos on youtube about it showing how easy it is to dispay this info.

So you get a new client sign up for hosting and he is on the same server as your billing system.
Now he has your database and your encrypt string.

Was this fixed???

[ExsysHost]

Does anyone know anything about this hack?

Was it a version 4 hack or version 5 hack?

I didn't see any patches for it.

[old exploit removed]

It displays the content of the config file.

There are videos on youtube about it showing how easy it is to dispay this info.

So you get a new client sign up for hosting and he is on the same server as your billing system.
Now he has your database and your encrypt string.

Was this fixed???

either you are running a very old version of WHMCS... or you have not followed the security steps... this is not possible on my system.

[sparky]

Also mod security should give a 406 - Unacceptable error
It does on my install
Be sure to apply the patch released today.

[easyhosting]

One thing I am not too happy with with WHMCS is their new marketing idea which winds up giving large hosting companies an unfair advantage on smaller ones as I now see hosting companies giving away WHMCS with reseller accounts.

Well what makes you think WHMCS are the only ones doing this

Autopilot
cPanel
Directadmin
RVsitebuilder
etc.

All are provided free by some hosts, but thisd is going off topic.

by ther way WHMCS was NOT Hacked as such it was breached by social engineering where MATT was impersonated and Hostgator gave the impersonator the servers login details.

[vincent_g]

I said I was not effected on a prior post.
I was not effected because I run my own servers and they are secure.
I run the latest versions of the software and always apply the latest patches.

By the way the latest dbconnect patch is the second time this file was patched.

Yes Mod Security does block that hack attempt as it's how I learned about it.
Is it fixed is the question.

This is why you have problems - well Mod Security blocks it so who cares if the problem is still there.

I care! - there is no room for mistakes else you have an event such as the one we just seen.

[bear]

Be sure to apply the patch released today.

Another new one today? I'm not seeing that; can you link it?

by ther way WHMCS was NOT Hacked as such it was breached by social engineering where MATT was impersonated and Hostgator gave the impersonator the servers login details.

Unless you know for certain that's what happened in it's entirety (and not just parroting what has been posted), it's presumptuous of you to post that as fact. Though it may be true, you are not privy to the full details so probably shouldn't be speaking authoritatively about it.
Just sayin.

One thing I am not too happy with with WHMCS is their new marketing idea which winds up giving large hosting companies an unfair advantage on smaller ones as I now see hosting companies giving away WHMCS with reseller accounts.

WHMCS doesn't give those to the company offering it free (AFAIK), they're bought and used as a "loss leader" by the provider/host. Makes their offer more attractive. That is available to you also; you should ask Matt about details.

[SoftDux]

Also mod security should give a 406 - Unacceptable error
It does on my install
Be sure to apply the patch released today.

If you don't mind, which mod_security rules do you use to protect against this type of hack?