Scott Posted October 3, 2013 Report Share Posted October 3, 2013 Update 10/21/2013 We have determined after an extensive investigation that absolutely no data was lost on October 3rd. Due to us preventing customers from being able to change their First and Last Name on their own and the exploit relying upon changing the First name the exploit attempts failed. We saved an instance of our server moments after the exploitation attempt was discovered for investigation. We reviewed all logs and only one attack was attempted before we disabled our systems. We replicated the attack and verified that with the fields locked - the attack failed. Additionally we found that if the attack succeeds that it changes the client's account that perpetrated the attack to all 1's. After reviewing the logs we found the client account responsible for the attack and verified that their personal information was intact and not set to 1s - it was intact. No information was lost, at all. UPDATE: All services have returned to normal. If you are running a copy of WHMCS - please update to the latest version immediately -> http://blog.whmcs.com/?t=79427 ==== Hello everyone, In the last half hour, we learned of a new WHMCS exploit that was just released into the wild. While we have not yet seen any attacks as a result of this, we are conducting emergency maintenance on our WHMCS installation to ensure our database is not compromised. Until this maintenance is complete, we have setup password protection that will prevent anyone from loading mddhosting.com/support -- This means that you cannot place new orders, submit or review tickets online, view or pay invoices, access our KB, or do other tasks in our client area website. We deeply apologize for any inconvenience and will do our best to resolve this in a timely manor while ensuring the security of our website and your data. Thank you for bearing with us. Resellers: If you are using WHMCS, we advise you to take similar measures immediately. We are still investigating the exploit script and do not yet have specific mitigation instructions. You may also wish to check with the WHMCS.com website directly for further information, mitigation instructions, or patches. When we have any updates or further information, we will post them here. Please feel free to ask any questions, however the majority of our effort will be spent on the maintenance to resolve this issue, and we don't have any other details or information at this time. Quote Link to comment Share on other sites More sharing options...
jtslater Posted October 3, 2013 Report Share Posted October 3, 2013 Can't seem to win with WHMCS. Do you know if the 5.2.8 patch fixes this or is that where the security vulnerability is? Quote Link to comment Share on other sites More sharing options...
Michael D. Posted October 3, 2013 Report Share Posted October 3, 2013 We will update this thread when we have more information and in the near future we will send out a full disclosure email to all clients about the results of our investigation. First and foremost our priority is to ensure our client data is protected. We are now working diligently to perform a complete security audit and investigation to determine whether we were a target of this attack and, if so, what data was or was not revealed. We will also be working on bringing additional security systems online to help prevent or mitigate such unforeseen attacks in the future. Quote Link to comment Share on other sites More sharing options...
Michael D. Posted October 3, 2013 Report Share Posted October 3, 2013 Anybody running WHMCS needs to update their software immediately -> http://blog.whmcs.com/?t=79427 The full download of WHMCS 5.2.8 which resolves this issue can be found in our client area under the product details, however, if you are running 5.2.7 you can simply download the file linked in the WHMCS Blog Post linked above and patch your installation using that method. As always we strongly suggest you keep your software fully up-to-date to keep you secure and in this instance it's imperative that you update your software to the latest version if you are running WHMCS. We were hit by an attacker mere minutes before we were able to lock down our installation. After a complete and thorough investigation we were able to determine that they obtained nothing. our administrative usernames, email addresses, and passwords as well as a count of our clients. No client information was obtained by the attackers. nor were they able to access our administrative area due to double authentication. WHMCS did release a patch and we verified this patch does close this vulnerability. We are actively seeking solutions that will help us identify and prevent such attacks in the future should the situation ever occur again. If you have any specific questions about this instance please open a support ticket requesting that the ticket be escalated to management along with your question and we will address your question as quickly as humanly possible. Quote Link to comment Share on other sites More sharing options...
Michael D. Posted October 21, 2013 Report Share Posted October 21, 2013 Update 10/21/2013 We have determined after an extensive investigation that absolutely no data was lost on October 3rd. Due to us preventing customers from being able to change their First and Last Name on their own and the exploit relying upon changing the First name the exploit attempts failed. We saved an instance of our server moments after the exploitation attempt was discovered for investigation. We reviewed all logs and only one attack was attempted before we disabled our systems. We replicated the attack and verified that with the fields locked - the attack failed. Additionally we found that if the attack succeeds that it changes the client's account that perpetrated the attack to all 1's. After reviewing the logs we found the client account responsible for the attack and verified that their personal information was intact and not set to 1s - it was intact. No information was lost, at all. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.