
Site Possibly Compromised


ramystyle


Hi,

 

We upgraded to 6.0.1 about a week ago (we had the latest v5 installed before). Since yesterday, we noticed that many cPanel accounts are getting their passwords changed without their owners' approval. So we started investigating (thinking it was a WordPress hack at first).

Then today, when I logged in to WHMCS, I noticed that the same IP (198.7.58.97) had accessed several clients' accounts. So I think that somehow a hacker had access to these accounts and started changing their cPanel accounts from the client area of WHMCS? Is this possible?

 

I also noticed that the latest client to register is "Aganteng Rooterz DMASTERPIECE", who changed his info by putting in some code. I googled this guy and found that it is an old exploit that was corrected in later versions (and since we had the latest, I doubt this was it).

 

1- How could a hacker get access to the client area?

2- What do we need to do in this case besides changing the passwords?

 

Thank you.


Hi,

 

We are still investigating. We don't think it's because of the old exploit. We think the hacker was able to get a copy of our database (hence stealing all users' logins/passwords). Like easyhosting said, we did not follow the extra security steps. This may have helped us!! I will keep you posted on any news we get.

We contacted enom and asked to freeze our account, as the hacker took control of our enom account as well (probably stole our password from WHMCS as well). They were very helpful and are now confirming our identity (we had to send a bunch of docs).

 

I really don't wish this nightmare on anyone!! Follow the extra security steps!


Hello ramystyle,

 

I recommend the following steps (in this exact order):

 

(1) Change your server SSH password

(2) If you use FTP, stop using it, and change that password

(3) Change your email address password

(4) Enable 2 Factor Authentication in WHMCS for all admin logins.

(5) Change all WHMCS admin passwords

(6) Reset all your clients passwords in WHMCS

(7) Not sure how many admins you have but see if any new ones are there.

(8) Continue your process of changing enom and other passwords

 

Regardless of hack or not:

(1) Yes follow the extra security steps, especially changing your /admin/ folder

(2) If you have your database backup being sent daily to your email address then I suggest you do not.

(3) Install the WHMCS Firewall module (whmcsFirewall.com)

 

Let me know how that goes for you and if you need any additional help getting your WHMCS back under your control.

 

Best,

Trevor~

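The two checks this thread keeps coming back to are "which IP logged into several different client accounts" (the 198.7.58.97 observation in the first post) and "see if any new admins are there" (step 7 above). The script below is an added example, not code from the original posts or from WHMCS itself. It works on constructed sample rows shaped like the columns a practitioner would pull from WHMCS's activity log and admin tables (date, description, userid, ipaddr, admin; and username, email, disabled); the exact column names, the "Login Successful" description text, and the sample data are assumptions for illustration, so adjust them to what your own database actually contains.

```python
from collections import defaultdict

# Constructed sample activity-log rows (assumed column layout:
# date, description, userid, ipaddr, admin). A client login has a userid and
# an empty admin; an admin login has the admin username and userid 0.
SAMPLE_LOG = [
    ("2015-08-10 09:12:01", "Client Login Successful", 101, "198.7.58.97", ""),
    ("2015-08-10 09:13:40", "Client Login Successful", 102, "198.7.58.97", ""),
    ("2015-08-10 09:15:02", "Client Login Successful", 103, "198.7.58.97", ""),
    ("2015-08-10 09:16:30", "Client Login Successful", 104, "198.7.58.97", ""),
    ("2015-08-10 10:01:11", "Client Login Successful", 101, "203.0.113.5", ""),
    ("2015-08-10 10:05:00", "Admin Login Successful", 0, "198.7.58.97", "support2"),
    ("2015-08-11 08:00:00", "Client Login Successful", 105, "203.0.113.9", ""),
    ("2015-07-01 08:00:00", "Client Login Successful", 106, "198.7.58.97", ""),
]

# Constructed sample admin rows (assumed columns: username, email, disabled).
SAMPLE_ADMINS = [
    ("admin", "admin@example.com", 0),
    ("support", "support@example.com", 0),
    ("support2", "x@example.invalid", 0),   # nobody on the team created this one
    ("olduser", "old@example.com", 1),      # disabled, so ignored
]


def client_logins_by_ip(rows, since, login_marker="Login Successful"):
    """Map each IP to the set of distinct client IDs that logged in from it
    on or after `since` (ISO timestamp string, compared lexically).
    `login_marker` is an assumed substring of the log description."""
    seen = defaultdict(set)
    for date, desc, userid, ip, admin in rows:
        if date < since:
            continue
        if login_marker in desc and userid and not admin:
            seen[ip].add(userid)
    return seen


def suspicious_ips(rows, since, min_clients=3):
    """IPs that logged into at least `min_clients` distinct client accounts.
    One address hitting many unrelated accounts is the pattern from the post."""
    return {
        ip: sorted(uids)
        for ip, uids in client_logins_by_ip(rows, since).items()
        if len(uids) >= min_clients
    }


def admin_logins_from(rows, ips):
    """Admin logins originating from any of the given IPs, as (date, admin, ip).
    If a client-hopping IP also logged into the admin area, assume full compromise."""
    return [
        (date, admin, ip)
        for date, desc, userid, ip, admin in rows
        if ip in ips and admin
    ]


def unexpected_admins(admin_rows, known_usernames):
    """Enabled admin accounts whose username is not on the list the team
    actually created (step 7: look for admins you did not add)."""
    return [
        username
        for username, _email, disabled in admin_rows
        if username not in known_usernames and not disabled
    ]


if __name__ == "__main__":
    since = "2015-08-01 00:00:00"
    hits = suspicious_ips(SAMPLE_LOG, since)
    print("IPs touching several client accounts:", hits)
    print("Admin logins from those IPs:", admin_logins_from(SAMPLE_LOG, set(hits)))
    print("Admins nobody recognises:", unexpected_admins(SAMPLE_ADMINS, {"admin", "support"}))
```

In a real investigation the rows come from a read-only query against a copy of the database taken before the cleanup, not from the live install, so that the log you are reading is not the one the attacker can still edit; and the "known" admin list should come from people, not from the same database you suspect.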
