Support ticket opened


HostinPK

Search eval exploit and patch :

http://forum.whmcs.com/showthread.php?t=43462

Using base64 to access database without permission

 

If eval is turned off on your php installation then I cannot see any issue

To prevent such email tickets :

Spam Control -> Subject -> base64

Spam Control -> Phrase -> base64

 

In my case, they had to register as a new customer first, then submit the support ticket

All the customer details were nonsense, except the city which matched the IP address

 

As an aside

Do you really want visitors being able to submit support tickets?

I have set mine up so that only customers can do so

Visitors use the Pre-Sales form

Edited by m8internet
Link to comment

I already patched this but this happened.

Link to comment

I have had the same problem today :S from an IP in Jordan. I have uploaded the patch right now.

Besides, it seems that the exploit creates a folder order with files class.php and index.php - I have deleted them.

Will the patch improve security?

And in my case the subject has been "ana"

Link to comment

One thing that seems to have stopped tickets for me is disabling the register page unless ordering a product. Also this would assume that users can only submit tickets when logged in.

 

I tried using the ticket spam control (blocking {php}) but it didn't seem to work so the above is a good option.

 

Jack

Link to comment

I got the same from 94.99.12.33.

 

When I talked to support, Matt told me that the http://forum.whmcs.com/showthread.php?t=43462 patch should handle this

 

Already patched but this does nothing in this regard.

 

 

 

> I tried using the ticket spam control (blocking {php}) but it didn't seem to work so the above is a good option.

Same here. Spam control does not work against it.

Link to comment

The patch only prevents the exploit from working, it doesn't stop the requests. You could probably setup mod_security to block the requests from coming in, or one of many other ways to handle it.

 

I find it easy just to ignore/delete them.

 

 

I have setup mod_security but don't know how to handle this problem. Can you help me?

Link to comment

  • 3 weeks later...

Hi All,

 

I think we may have been caught out by this one.....

 

I noticed a couple of support tickets with said code in them and hadn't patched... :shock:

 

Since then I've noticed that when I click on an order's order number to view it I'm confronted with "Order not found... Exiting...".

Also when clicking on a support ticket to reply I get "Ticket ID Not Found.".

Another issue I have noticed is that when trying to edit a product I get the Add New Product page instead of the product I wish to edit...

All relevant data is in the database however it appears to be invisible to the scripts...

 

I have upgraded and patched as requested but this seems to have affected our database somewhat..

 

Is there any resolution to those that have been affected or is it a simple case of restore the db from a backup...?

 

Regards

 

Central

Link to comment

Well just in case anyone else is in the same situation as we were, this is what we have done to rectify the issue...

 

We downloaded and installed a fresh version of 5.0.3 with a new database. Once set up, we transferred all the tables by hand across to the new database and hey presto all is well bar a few minor alterations on our part.

 

It's a little time consuming I know however it beats starting from scratch and losing all the data from previous / existing clients.

 

If anyone needs me to elaborate more please just ask...

 

Regards

Link to comment

I did the same and everything went perfectly. I lost 1.5 hours..:-)

Link to comment

  • 2 weeks later...
> Search eval exploit and patch :
>
> As an aside
>
> Do you really want visitors being able to submit support tickets?
>
> I have set mine up so that only customers can do so
>
> Visitors use the Pre-Sales form

 

 

You can't lock-down your support forms for everything.

 

What do you do with pre-sales, and accounts related submissions from banks?

 

i.e. in our case we accept EFT, and the client's bank sends through proof of payment. Since the bank isn't a client, the POP's won't reach us if support tickets are limited to clients only.

Link to comment

> You can't lock-down your support forms for everything

I have, only clients can submit and access Support Tickets

> What do you do with pre-sales, and accounts related submissions from banks?

The Pre-Sales form uses a different email address, not had any issues there

None of the content from the form gets saved in the database, it is just simply a relay

No need for account related submissions from banks I have other channels for that

Link to comment

I guess you're one of the lucky ones then while the rest of us who use WHMCS to its full potential suffer from this.

Link to comment

  • 4 months later...
> if you have apply patch then no worry about it

This is not technically correct. If you have applied the patch or are using the latest WHMCS installation then you have nothing to worry about.

However, if you have seen this code in a ticket PRIOR to the release then you do have an issue and your system is already compromised. I found this out myself and assumed as I had updated then I was safe.

I was, from the fresh attack, but my system had already been compromised. It resulted in a complete install from fresh; I managed to rescue my database.

If your system is still active (consider yourself lucky, these hacks not only want the database but you locked out) you should do the following.

Have your tech team run malware checks on the server. Mine found 8 files that I had missed. Remove all the files listed. Also flush the templates_c folder; these will show in the scan though, so you should be ok to delete just those.

Then you need to delete any tickets from the database that have this code submitted (do this in the database, not the installation of WHMCS).

Change all passwords: Admin, Server, User Accounts, the works. Anything that is in the database can be pulled out if your system is already compromised.

Once you have completed your clean up and update, have your techs run another scan just to be on the safe side.

Link to comment
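
An added example, not part of the original post and not WHMCS code: a Python triage pass that flags tickets carrying the markers named in this thread ({php}, eval, base64), decoding base64-looking runs so encoded markers are caught too. The ticket rows and the names `scan_ticket` and `triage` are constructed for illustration; reading real rows out of the database is assumed to happen elsewhere.

```python
import base64
import binascii
import re

# Markers named in the thread: the Smarty {php} tag, eval and base64.
MARKERS = {
    "smarty_php_tag": re.compile(r"\{\s*/?\s*php\s*\}", re.I),
    "eval_call": re.compile(r"\beval\s*\(", re.I),
    "base64_decode_call": re.compile(r"\bbase64_decode\s*\(", re.I),
}
# Long base64-looking runs are decoded so encoded markers are caught as well.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

def decoded_runs(text):
    """Yield the decoded form of each valid base64-looking run in text."""
    for run in B64_RUN.findall(text):
        try:
            raw = base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
        except (binascii.Error, ValueError):
            continue  # not base64 after all
        yield raw.decode("latin-1")

def scan_ticket(subject, body):
    """Return the sorted marker names found in one ticket."""
    text = subject + "\n" + body
    hits = {n for n, rx in MARKERS.items() if rx.search(text)}
    for plain in decoded_runs(text):
        hits |= {"encoded:" + n for n, rx in MARKERS.items() if rx.search(plain)}
    return sorted(hits)

def triage(tickets):
    """Map ticket id -> findings, for tickets with at least one marker."""
    report = {}
    for tid, subject, body in tickets:
        found = scan_ticket(subject, body)
        if found:
            report[tid] = found
    return report

# Constructed sample rows (id, subject, body); the encoded blob is a harmless placeholder.
_BLOB = base64.b64encode(b"eval('constructed placeholder');").decode()
SAMPLE_TICKETS = [
    (1, "Invoice question", "Please resend it, my evaluation period ended."),
    (2, "Help", "{php}eval(base64_decode('" + _BLOB + "'));{/php}"),
    (3, "ana", "{php}/* constructed sample body */{/php}"),
]

if __name__ == "__main__":
    for tid, found in triage(SAMPLE_TICKETS).items():
        print(tid, found)
```

Flagged ids are candidates for review before deletion, and a hit dated before patching is the case the post above treats as a sign of compromise.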