WHMCS.com website hacked - security precautions inside

I'm aware of the leaked data and the main concerns would be if you have stored a credit card or if you put information in tickets that ought not to be there such as still live passwords etc.

If your customers have been worried about it, it would have been far better (IMO) to reassure them that none of their information had been compromised and it was not your server that had been hacked, rather than plaster a banner across your website stating WHMCS had been hacked and you have shut down your online ordering system as a result - this alone is likely to cause panic to your customers who probably were either unconcerned or not aware of the problem in the first place.

Remember - the hack that happened can happen on any platform - it was not caused by WHMCS software.

Steve

I have reassured my clients and only placed one line on my page after reassuring my clients, stating that due to the WHMCS hack the client area has been disabled and ordering suspended.

But these clients have also read the WHT thread that doubts the security WHMCS has in place with HostGator etc.
If clients leave, this reduces revenue, so I have to do something about this, and if this means moving from WHMCS then this is what I am prepared to do. I have just paid my WHMCS invoice so this will remain up for a month to see if anything happens, but I am moving my clients to a CE install (at least they own their equipment and use in-house techs etc.)
 
Sad day indeed. Hopefully they are able to get things corrected and not too many details were unencrypted.

easyhostmedia, I wouldn't suggest pulling a "knee jerk reaction" and bailing to a different billing system. It is A LOT of work to build a new billing system correctly for your products and make sure the flow of things is proper.

While we use ClientExec currently and it works for us, it is lacking in several features that we wish we had, that are included by default in WHMCS. We used WHMCS in the past but it had a bug that they were less than enthused about fixing, so we left. That issue has since been resolved and we would love to switch back; however, when comparing apples to apples, rebuilding everything we have in our current billing system into a new one is not a cheap or easy task.

Sure they have import scripts but I have seen those go horribly wrong and not work properly. Plus we would now have to teach/tell our clients how to use the new billing system after they are already comfortable with the current system.

My suggestions for any host running WHMCS or any billing machine for that matter: DON'T PANIC!!! Start immediately with a top down/inside out, every square inch security inspection of your billing servers. Disable unneeded ports, use complex passwords greater than 16 characters, disable root access if possible, install a good firewall, review logs for any strange activity, and be honest with your clients.

Honesty with your clients will go a long ways to improve your relations with them during times of outages or what not. Who likes to admit they made a mistake or they are having network issues? No one obviously, but clients appreciate the honesty and are more likely to stay with you after the trouble passes if you take care of them.

Easyhostmedia, I think what you should do at this point is email your clients, explain the issues, give them steps to take to secure their WHMCS accounts and their user accounts on the servers, disable the orders for a day or so to do your security audit, post a message on your systems as to WHY you are doing said things and give them a time frame on when it will be completed.

Also talk to the clients who canceled, find out why they canceled and see if you can dispel any misinformation they may have. Who knows, going above/beyond might earn you a bigger chunk of their business.

Everyone just needs to take a deep breath about this incident and not make any rash decisions until more details come out, but a top down security audit is probably in order anyways for everyone.
 
I don't understand why your clients need to worry. Did whmcs.com have your site database? Was your site database leaked? Did your client order something from you and you store their info in the whmcs.com database? Are you Matt, the owner of WHMCS, and also running a hosting business? What problem did you and your client face? Just think before moving to someone else.

What if someone gains access to your client's email ID, opens a ticket and asks for server login details? Won't you provide them? If no, then they are going to leave you too. If yes, then that means you are also vulnerable and the customer should leave you.

Now tell me WHMCS was hacked and you were using it. Sincerely, no one should use you as a hosting provider. Why should they use you when you use something which was hacked?

There are many things to understand, not just saying anything and doing things without a reason.
 
Very unfortunate, indeed.. :sad:

It's a good thing I pay all my invoices with them, using PayPal, so no card details will be compromised. :thumbup:

I wish Matt and WHMCS the best of luck, and I hope they can learn from this so that it NEVER happens again. :crash:
 
Spoke at length to one of the WHMCS techs on the phone early today (since this happened I have had about 1 hr of sleep), locking down everything, emailing clients with updates as Matt released them and even telephoning clients.
Don't forget the hackers had control of the licence servers as Matt had everything on the 1 box, so they have every licence issued along with install directories and IPs used.

I actually had 23 clients request cancellation once the DB was released by the hackers, but after many hours on the phone etc. most have withdrawn the cancel requests. I still have 4 that still want to leave if I stay with WHMCS.

WHMCS are under a major DDoS attack at the moment (since 1am) so their site is up and down.

I have still taken orders today, but manually: when anyone has contacted me I have asked them to state the plan and provide their details through live chat, and I have manually invoiced them and manually set up the order on the servers.
 
That's totally bizarre - we have had one client ask us if we had heard what had happened. That's it.

Do you maybe think that your emailing customers and posting on your website has worried your customers more than necessary and in turn given them the feeling that their data had been compromised and causing them to panic?

As for them getting the install directories and IP addresses, well the IP address you can get with a ping, the licence information by adding /?licensedebug to the end of the installation URL and the install directory shouldn't be an issue if the box is secure anyway.

Steve
 
I never had 1 enquiry after posting the basic information of the hack and that our server was secure and not compromised. It was only after it was reported (not by me) that the hackers had made the WHMCS DB publicly available that clients started to contact me, and this is when I placed the notice on my site.
 
Ah well, hopefully lessons will be learnt by WHMCS (it sounds like they are setting up some form of proper infrastructure now) to prevent similar in the future.

It's a difficult time for the guys at WHMCS, but it could have been a lot worse - at least it wasn't an exploit in WHMCS itself - that would have been worrying.

Steve
 
Just got this message from a company called AJ Online Services. Please note what I have highlighted in red. I will be reporting this as spam.

From: WHMCS Updates (whmcs@ajonlineservices.co.uk)
Sent: Tuesday, May 22, 2012 6:25 PM
To: The Easyhost Media Group
Subject: WHMCS Updates for The Easyhost Media Group

Your company name (The Easyhost Media Group) has been included in this message to verify its authenticity.

You have received this message because you are a WHMCS client and we would like to make you aware of a high security threat.

Please note that you are NOT a client of ours, we are merely trying to warn all WHMCS clients of the recent attacks.

By now I am sure that you have heard all about the recent attacks on WHMCS.

A group known as UGNazi has launched an attack on WHMCS.com and as a result, they have leaked information relating to WHMCS clients' payment details and license keys.

We are actively following WHMCS and keeping all their clients updated on the situation at present.

In the first instance, we would advise notifying the card issuer if you have any card payment details linked to your WHMCS account.

For further updates you can follow us on Facebook and/or Twitter to keep up to date with the current progress and to watch for any WHMCS security updates and patches released to keep your own instance of WHMCS safe from attack.

This is not a request or a requirement, merely a suggestion until WHMCS social media accounts are under control once more by the correct WHMCS staff.

At present, the 'WHMCS Addons' Twitter account is still under correct control. Although it is not directly part of WHMCS they are supplying valid updates and news via Twitter, so we also suggest that you follow or watch them - @whmcsaddon

We will also be trying to keep everyone informed of any news relating to the attacks and how it may affect their clients and in turn their clients' own customers.
This email is not a plug so we won't give our details directly in this email, but our Twitter and Facebook details can be found below for anyone interested in doing so.

Please be safe and keep your customers secure.

We have not purchased your details, we have merely sent this email to all WHMCS clients recorded in the WHMCS database leaked by the UGNazi group, in order for us to advise and warn people who have not currently heard of the recent events.

This is not a newsletter, nor have you subscribed to us.
This will be the ONLY email we send you and your address will be removed upon delivery of this mail.

Regards

- AJ Online Services
 
Well, from our end, we have had NO clients contact us regarding the event. Any data that was submitted to WHMCS over the years has long since been changed (it's changed at any time anyone accesses a server or system).

The licencing didn't bother us as we have an owned license. Support renewals were done using PayPal, so no credit card information exposure either.

The event is unfortunate, but it does happen sometimes. Hopefully they'll be able to get to the root of the situation and secure it for next time.

As far as our individual clients being directly impacted, they're not. OUR information (login or credit card or paypal info) might be exposed to WHMCS.COM, however our individual clients information is not at risk in this event.

Clients cancelling over this event is pretty unreal - we've not had any negative comments from users on this event - actually *NO* comments from people at all!

The hack was not the WHMCS system, it was the server that WHMCS was hosting on. The software, at least as what has been disclosed so far, is not and was not vulnerable.
 
That's worse than spam, that's using stolen data. It's also altogether a pretty low thing to do...

It seems RackSRV are going to take action against the IP account user and Virginmedia are going to take action against the user of the internet connection used.
 
Just tell me, if they have your license key then what can they do with that?

If they gain access to the licence server they can gain access to config files and then change licence keys to prevent users' access to their installations.

This is why WHMCS gained back control of the licence server first.
 
Like you said, they have the license key and that's dangerous. The license server was captured after 20-30 min of the attack. What can it harm now when they have only the license key? I hope you are getting my point.
 
The licence server did not just have the licence keys; it has other info that relates to the licence keys and installations/paths.

But look at it this way: the hackers have the licence keys and other info. The whole WHMCS DB has been made public.

You can say not much harm or use at the moment, but take the recent base64 exploit merged with the leaked information or any other exploits that may be found.

What damage can be caused then?

Got a reply from Pastebin to say:

Hello,

Thank you for reporting. The content has now been removed.

Regards,

Pastebin Support

I reported this Tue, May 22, 2012 at 1:00 PM and they replied Tue, May 22, 2012 at 8:40 PM.
 
I think it's a little shady that a company used stolen data to "alert" clients of an affected company; however, today I have received two email alerts from vendors who do use WHMCS outlining what occurred and letting us know our data wasn't accessed.

It's this type of communication that is helpful to clients if you are using the affected software; however, using stolen data, there's no excuse for it.

We also have not had ANY questions from our clients about the WHMCS breach, however we will address them if they are asked.
 