Hostguts Posted January 5, 2012 Report Share Posted January 5, 2012 My whmcs, cpanel and WHM all hacked. These are all hacked already and i recovered them today morning, changed all the passwords of my emial accounts, hosting accounts, whmcs and all. Stored them inside Truecrypt Encrypted drive in my HDDremoved all traces of them online.But just before 15 minutes WHMCS, Cpanel , WHM all are hacked again.I dont know the reason, can any one help to prevent this from happening again?https://hermes.supportedns.com:2083 is up ? Quote Link to comment Share on other sites More sharing options...
fshagan Posted January 5, 2012 Report Share Posted January 5, 2012 Did you open a support ticket? I'm not sure how WHMCS is handled on the Reseller Accounts here; I'm on a VPS and I was responsible for updating it to the latest version (there was an update and then a later patch file released in December). Quote Link to comment Share on other sites More sharing options...
Hostguts Posted January 5, 2012 Author Report Share Posted January 5, 2012 i opened the ticket, still waiting for reply.i downloaded the whmcs script given in "my services" tab in support section. I guess its the latest patch ? Quote Link to comment Share on other sites More sharing options...
Michael D. Posted January 5, 2012 Report Share Posted January 5, 2012 i opened the ticket, still waiting for reply.i downloaded the whmcs script given in "my services" tab in support section. I guess its the latest patch ?There was a critical update that we emailed out to all customers on December 2nd, 2011 and we also posted it on our forums for any who may overlook the email (here). If you didn't install this update it's likely the cause of your exploitation. What most do with this exploit is upload a file that allows them to upload more files/execute things/perform commands. Essentially they take over your WHMCS and your account and then do with it what they wish. Unfortunately cleaning something like this is outside of our scope and is a complicated process. My personal advice in this case is to review the database to make sure no extraneous administrative users have been added, export the database, then clear the account and reinstall WHMCS from scratch (and any other software) and then reimport the database(s). Without doing this, or going file by file manually, it's nearly impossible to determine if the attacker has left a back-door in the account to get back in and re-compromise it. I know from the ticket that we did run a malware scan on your account and identified/quarantined several shell/command scripts (i.e. hack tools) but that doesn't mean that we caught everything with the scan. The fresh start is the best idea but if you have the time, skill, and inclination you can review your files manually. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.