MDDHosting Forums: Updated WHMCS but it's hacked - MDDHosting Forums
Updated WHMCS but it's hacked
#1
Posted 05 January 2012 - 08:49 AM
My WHMCS, cPanel and WHM were all hacked. These were all hacked already and I recovered them this morning, and changed all the passwords of my email accounts, hosting accounts, WHMCS and all. I stored them inside a TrueCrypt encrypted drive on my HDD and removed all traces of them online.
But just 15 minutes ago WHMCS, cPanel and WHM were all hacked again.
I don't know the reason; can anyone help to prevent this from happening again?
Is https://hermes.supportedns.com:2083 up?
#2
Posted 05 January 2012 - 09:27 AM
Did you open a support ticket? I'm not sure how WHMCS is handled on the Reseller Accounts here; I'm on a VPS and I was responsible for updating it to the latest version (there was an update and then a later patch file released in December).
#3
Posted 05 January 2012 - 09:33 AM
I opened the ticket, still waiting for a reply.
I downloaded the WHMCS script given in the "my services" tab in the support section. I guess it's the latest patch?
#4
Posted 05 January 2012 - 03:57 PM
Hostguts, on 05 January 2012 - 09:33 AM, said:
I opened the ticket, still waiting for a reply.
I downloaded the WHMCS script given in the "my services" tab in the support section. I guess it's the latest patch?
If you didn't install this update it's likely the cause of your exploitation. What most do with this exploit is upload a file that allows them to upload more files/execute things/perform commands. Essentially they take over your WHMCS and your account and then do with it what they wish. Unfortunately cleaning something like this is outside of our scope and is a complicated process.
My personal advice in this case is to review the database to make sure no extraneous administrative users have been added, export the database, then clear the account and reinstall WHMCS from scratch (and any other software) and then reimport the database(s). Without doing this, or going file by file manually, it's nearly impossible to determine if the attacker has left a back-door in the account to get back in and re-compromise it.
I know from the ticket that we did run a malware scan on your account and identified/quarantined several shell/command scripts (i.e. hack tools) but that doesn't mean that we caught everything with the scan. The fresh start is the best idea but if you have the time, skill, and inclination you can review your files manually.
█ Michael Denney - MDDHosting, LLC - Professional Hosting Solutions
█ LiteSpeed Powered - Shared, Reseller, Semi-Dedicated, and VPS
█ Incremental R1Soft CDP Backups on all shared, semi-dedicated, and VPS services!
█ http://www.mddhosting.com/ - Follow us on Twitter!
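An added example, not part of the original thread or any MDDHosting tooling: one way to do the file-by-file review mentioned above is to hash the live install against a freshly extracted copy of the same WHMCS release and list files that are extra, changed or missing. The directory names and sample files below are constructed for the demo.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash a file in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def index_tree(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    index = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            index[os.path.relpath(full, root)] = sha256_of(full)
    return index

def compare_install(clean_root, live_root):
    """Return (extra, modified, missing) relative paths, each sorted."""
    clean, live = index_tree(clean_root), index_tree(live_root)
    extra = sorted(set(live) - set(clean))
    missing = sorted(set(clean) - set(live))
    modified = sorted(p for p in clean.keys() & live.keys() if clean[p] != live[p])
    return extra, modified, missing

def demo():
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = os.path.join(tmp, "clean"), os.path.join(tmp, "live")
        files = {"index.php": b"<?php // front page\n",
                 os.path.join("includes", "functions.php"): b"<?php // helpers\n"}
        for root in (clean, live):
            for rel, body in files.items():
                target = os.path.join(root, rel)
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as handle:
                    handle.write(body)
        # Constructed tampering: one changed file, one file the release never shipped.
        with open(os.path.join(live, "index.php"), "ab") as handle:
            handle.write(b"// appended line\n")
        with open(os.path.join(live, "includes", "extra.php"), "wb") as handle:
            handle.write(b"<?php // not in the release\n")
        return compare_install(clean, live)

if __name__ == "__main__":
    for label, paths in zip(("extra", "modified", "missing"), demo()):
        print(label, paths)
```

The clean copy has to be the same version as the live install, otherwise every updated file shows up as modified. Site-specific files such as configuration and uploads will legitimately appear as extra and still need to be read by hand.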