MDDHosting Forums

Emergency help desk / checkout maintenance


Scott


Update 10/21/2013

We have determined after an extensive investigation that absolutely no data was lost on October 3rd. Because we prevent customers from being able to change their First and Last Name on their own, and the exploit relies upon changing the First Name, the exploit attempts failed. We saved an instance of our server moments after the exploitation attempt was discovered for investigation. We reviewed all logs and only one attack was attempted before we disabled our systems. We replicated the attack and verified that, with the fields locked, the attack failed.

Additionally, we found that if the attack succeeds, it changes the client's account that perpetrated the attack to all 1's. After reviewing the logs we found the client account responsible for the attack and verified that their personal information was intact and not set to 1s.

No information was lost, at all.

UPDATE: All services have returned to normal.

If you are running a copy of WHMCS, please update to the latest version immediately -> http://blog.whmcs.com/?t=79427

====

Hello everyone,

In the last half hour, we learned of a new WHMCS exploit that was just released into the wild. While we have not yet seen any attacks as a result of this, we are conducting emergency maintenance on our WHMCS installation to ensure our database is not compromised. Until this maintenance is complete, we have set up password protection that will prevent anyone from loading mddhosting.com/support. This means that you cannot place new orders, submit or review tickets online, view or pay invoices, access our KB, or do other tasks in our client area website.

We deeply apologize for any inconvenience and will do our best to resolve this in a timely manner while ensuring the security of our website and your data. Thank you for bearing with us.

Resellers: If you are using WHMCS, we advise you to take similar measures immediately. We are still investigating the exploit script and do not yet have specific mitigation instructions. You may also wish to check with the WHMCS.com website directly for further information, mitigation instructions, or patches.

When we have any updates or further information, we will post them here. Please feel free to ask any questions; however, the majority of our effort will be spent on the maintenance to resolve this issue, and we don't have any other details or information at this time.


We will update this thread when we have more information and in the near future we will send out a full disclosure email to all clients about the results of our investigation. First and foremost our priority is to ensure our client data is protected. We are now working diligently to perform a complete security audit and investigation to determine whether we were a target of this attack and, if so, what data was or was not revealed.

We will also be working on bringing additional security systems online to help prevent or mitigate such unforeseen attacks in the future.


Anybody running WHMCS needs to update their software immediately -> http://blog.whmcs.com/?t=79427

The full download of WHMCS 5.2.8, which resolves this issue, can be found in our client area under the product details; however, if you are running 5.2.7 you can simply download the file linked in the WHMCS blog post above and patch your installation using that method. As always we strongly suggest you keep your software fully up-to-date to keep you secure, and in this instance it's imperative that you update your software to the latest version if you are running WHMCS.

We were hit by an attacker mere minutes before we were able to lock down our installation. After a complete and thorough investigation we were able to determine that they obtained nothing but our administrative usernames, email addresses, and passwords, as well as a count of our clients. No client information was obtained by the attackers, nor were they able to access our administrative area due to double authentication.

WHMCS did release a patch and we verified this patch does close this vulnerability.

We are actively seeking solutions that will help us identify and prevent such attacks in the future should the situation ever occur again.

If you have any specific questions about this instance, please open a support ticket requesting that the ticket be escalated to management along with your question and we will address your question as quickly as humanly possible.


