Just thought I would post some information regarding a "backdoor" that many web hosts fail to secure.
If you run WHMCS on the same server where you set up client accounts, someone can simply sign up and easily access your WHMCS configuration file.
All it takes is for the user to upload a shell script and execute the following command:
Quote:
cat /path/to/your/configuration.php-file/
From there, they can access your configuration settings (MySQL) and create an administrator account.
How to fix:
If you have already disabled functions in your php.ini file, then you should be fine. If not, you will want to disable the following functions in your php.ini file:
Quote:
disable_functions="exec, shell_exec, proc_close, proc_open, popen, system, passthru, escapeshellarg, escapeshellcmd, symlink"
You may want to enable safe_mode as well, but this may cause issues for certain scripts.
I would highly recommend installing mod_suphp and PHP as CGI, or simply moving your "master" account to a different server.
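As an added example (not part of the original post and not WHMCS code), the POSIX shell audit below checks the two things the post relies on: that configuration.php is not readable by other local users, and that the php.ini disable_functions line really covers every function listed above. It assumes GNU stat (Linux); the php.ini and configuration.php files it creates are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post: audit the two mitigations the
# post relies on when WHMCS shares a server with customer accounts.
# Assumes GNU stat (Linux); the sample files below are constructed.

# Functions the post says to disable in php.ini.
REQUIRED_DISABLED="exec shell_exec proc_close proc_open popen system passthru escapeshellarg escapeshellcmd symlink"

# Return 0 only if the file exists and has no group/other read bit,
# i.e. another local user cannot simply cat it.
check_config_perms() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    mode=$(stat -c '%a' "$f")
    for digit in $(printf '%s' "$mode" | tail -c 2 | sed 's/./& /g'); do
        case "$digit" in
            4|5|6|7) echo "WARNING: $f readable by group/other (mode $mode)"; return 1 ;;
        esac
    done
    return 0
}

# Return 0 only if every function in REQUIRED_DISABLED appears in the last
# disable_functions= line of the given php.ini; print what is missing.
check_disabled_functions() {
    ini="$1"
    line=$(grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$ini" | tail -n 1)
    # strip the key, quotes and whitespace; one function name per line
    list=$(printf '%s' "$line" | sed -e 's/^[^=]*=//' -e 's/["[:space:]]//g' | tr ',' '\n')
    rc=0
    for fn in $REQUIRED_DISABLED; do
        if ! printf '%s\n' "$list" | grep -qx "$fn"; then
            echo "not disabled: $fn"
            rc=1
        fi
    done
    return $rc
}

# Demo on constructed files: the weak php.ini omits popen.
demo=$(mktemp -d)
printf 'disable_functions="exec, shell_exec, proc_close, proc_open, system, passthru, escapeshellarg, escapeshellcmd, symlink"\n' > "$demo/weak.ini"
printf 'disable_functions="%s"\n' "$(echo $REQUIRED_DISABLED | tr ' ' ',')" > "$demo/hardened.ini"
printf '<?php $db_password = "example";\n' > "$demo/configuration.php"
chmod 644 "$demo/configuration.php"
for ini in weak hardened; do
    if check_disabled_functions "$demo/$ini.ini"; then echo "$ini.ini: ok"; fi
done
if check_config_perms "$demo/configuration.php"; then echo "configuration.php: ok"; fi
rm -rf "$demo"
```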
So I've been using WHMCS for a while, and there's something I'm a little concerned about with the whole business of keeping customers' credit cards for recurring payments.
I've downloaded a backup copy of the database and I see that the passwords and credit card information are encrypted. That's all nice and handy, but the CC hash is also stored right in the configuration file. That means that if someone gains access to the server and just grabs the database + config file, they would then be able to view all that info, correct? Maybe someone who knows a little more about WHMCS can tell me if this is correct or not?
This is not a WHMCS vulnerability, & you are most likely not affected if you have used the Further Security Tutorials given by WHMCS.
1.) What has happened?
A professional hacker signs up as a client, & adds a shell script to your attachments/downloads folder. He gains complete access to your WHMCS admin, & changes your PayPal & other gateway emails/accounts to his emails/accounts.
2.) What to do? Check your attachments/downloads folders for any such scripts. Use [url]Furthur_Security_Steps to secure it.
Go to Payment Gateways, & check if the accounts are yours.
3.) How do I know so much about this? Our installation was also hacked. But this hacker made a mistake. He used his email account password for signing up. I could get into his email, & see who has been hacked. I could also get into his PayPal & Egold, & refund all payments intended to go to LaceHost (me). I saw other hosts' payments too.
4.) Hacker has changed his modus operandi. He now changes the paypal, to some other host's paypal, instead of his. He also deleted tables from your database, may create a new administrator account, may modify other accounts, add affiliate commission etc.
5.) For more information on this hacker, Add me on IM - lacehost [dot] live1 [at] yahoo [dot] com
6.) How many have been hacked? According to what I saw in his PayPal & his email, at least 15 hosts have been hacked.
If your PayPal has been changed to some other host's PayPal, please do not blame them for hacking; we really do not need an inter-industry war here.
I would like to request that people here who use FreeBSD give us some tips on what we should do to protect and secure our FreeBSD dedicated servers. I know there are many threads about it and I have searched them, but none of them talk specifically about FreeBSD (most of them are for Linux), and I would like to know exactly what to do so as to be 100% protected.
If possible, also give some tutorials or sites with tutorials so as to help us.
I am going to run a personal dedicated server, which means that no one else except me will have access to the server (if that helps you to give more specific info).
I run a web hosting company and one of my servers is a LAMP server running CentOs 5. A user of mine has a Joomla installation running to manage his website and he has run into the following problem that I am puzzled by.
When Joomla adds a component or module to itself, or when a user uses the Joomla upload functionality, Joomla will add the new files under the user name "apache". This makes sense as it is the apache service running PHP that is actually creating the files.
However, when he FTPs into the account to modify these files, he doesn't have the appropriate permissions to do so, as he doesn't have a root-level login, just permissions on his home directory, which is the site. Any help would be much appreciated.
Also, does anyone know how to change the owner/group of a directory and all of its subdirectories in Linux without changing the actual permissions? I.e. some of the files in the folder have different permissions (0644 as opposed to 0755) than their parent, but if I do a top-down user/group change on the folder it will change everything in that folder to 0755.
I just set up my WHMCS and I see it has an option to put in an SSL cert. Now I was wondering if I would still need to do this if I'm going to use PayPal for my CC processing using a merchant account?
Or is the SSL also to protect my clients login information and such?
Now, first of all... I'm not sure if this is a problem with WHMCS or some other piece of software with a security hole, but I thought I should post here.
Our WHMCS got hacked earlier today and the hacker sent out, to be honest, an unacceptable email to all clients. I won't go into detail, but let's just say it directly insulted them.
Now, apart from ruining our reputation and client relationships, I am now completely paranoid that it will happen again. I'd also like to know how it happened in the first place. The hacker signed up for a hosting account, and then sent the email. I have no idea how he/she did it, but when I look at the admin log in WHMCS, it shows the username "hacked" as logging in (see image). http://img378.imageshack.us/img378/2560/hackedmh9.png
Just a warning to everyone out there. His IP address was 86.132.228.82.
We've been using WHMCS for a while, and every time a customer pays via 2Checkout it works, but when they click "Finalize Payment" on 2CO, it goes to the callback URL, but the gateway callback URL is blank. PayPal works but 2CO doesn't. The reason it's a problem is that it doesn't mark the payment as "paid", so I have to confirm it manually; a pain.
Yes, I've contacted WHMCS.com, but they weren't too sure about it; they told me to add a line in configuration.php, `$display_errors="on"`, but it didn't do much for this problem.
I want to use WHMCS with Webmin, as it's a free utility, though I am not getting how to set up a cron job and email piping on the same. I have tried using php -q /var/www/pipe/pipe.php in my scheduled cron jobs in Webmin, but every time it results in an error. I have also tried using /usr/local/bin/php -q /var/www/whmcs/pipe/pipe.php, but it still shows an error.
When a server's resources get full (I'm mostly concerned with disk space), do you start migrating some customers to another server? What's the process for this?
I'm currently reselling/hosting with GoDaddy, and while their products and pricing are acceptable, the reseller store they provide is just horrible. The design is pathetic and dated, and it is very limited in how much presentation we have control over.
That being said, I have been looking into WHMCS to run a store on my own website and quite like what I see. I was wondering if somebody can recommend a reputable and cost-effective one, as the only control panels WHMCS supports are Plesk and cPanel. (Plesk would be preferred, as I have had more experience with it.)
I have a reseller account with Reseller Zoom. My problem started 72 hours ago when I noticed my WHMCS was not working on my website. I was also receiving Cron Daemon emails stating:
Site error: the file /home/tmass10/public_html/clients/admin/cron.php requires the ionCube PHP Loader ioncube_loader_lin_5.2.so to be installed by the site administrator.
At this time I was using the standard WHMCS cron: php -q /home/tmass10/public_html/clients/admin/cron.php
RZ told me they made a custom php.ini file and placed it in my directory. Then said to change my Cron job to
I currently have a reseller account that uses CPanel/WHM and includes a free WHMCS license, but am looking to upgrade to a VPS or perhaps a cheap dedicated server.
Does anyone have any recommendations for a VPS provider that includes CPanel/WHM? It would also be nice if they include free or discounted WHMCS licenses.
I've just modified the WHMCS packages/WHM packages; now it's displaying the first package quota and somehow Unlimited Bandwidth, but I have nowhere defined unlimited bandwidth. Any ideas?
It should say 2500MB Space and 500GB Bandwidth.
SOLVED: Looks like WHMCS also updates the account packages as soon as the cron job executes the cron script. I used admin/cron.php to make it refresh and it worked.
But I still have the problem that it's displaying Unlimited Bandwidth.
I have been having a tough time installing WHMCS on my VPS. Most of it is of my own making: I didn't have php.ini in the right folders.
But even after putting it in all the right folders (the root whmcs folder, the admin subfolder and the install subfolder) with register_globals on and the ionCube extension loaded, I am still getting a 403 error when I type in the URL www.mydomain.com/whmcs/install and an internal server error (500) when I type in www.mydomain.com/whmcs/install/install.php
Matt has tried his best to help, as has my hosting company, but I am still lost. I am running PHP as CGI with phpsuexec turned on. I will be thankful for any advice to get this working.
WHMCS wasn't working for me, so I contacted their support and they said a firewall is blocking it. The only firewall I know I have installed is APF. What exactly do I need to unblock, and how do I do it?
I'm a hosting reseller; I use Lxadmin. I cannot connect WHMCS to my Lxadmin module. How do I create the WHMCS server setting for LxAdmin?
Nameservers are okay; that's simple. I need example values for these:
Edit Server
Name: [?]
Hostname: [localhost] or [the real hostname]
IP Address: [the main IP address]
Monthly Cost: [not important]
Datacenter/NOC: [not important]
Maximum No. of Accounts:
Due to point 1 above, I still cannot create a new account based on my Lxadmin resource plan. If no. 1 is fixed, what should I fill in/choose below?
Get from server (Get the available choices from the server)
Resource Plan: [my Lxadmin resource plan]
DNS Template: [my Lxadmin-created .dnst]
Web Server: [?]
Mail Server: [?]
MySQL Server: [?]
DNS Servers: [ns1.mydomain.tld, ns2.mydomain.tld]
I am wondering whether anyone has a module that will work with WHMCS to create a VPS? If not, can someone point me in the right direction? The server is Windows Server 2003 and it has Virtuozzo. If you need any more information, please let me know. And the only reason I have Virtuozzo is because I was offered it for free by ThePlanet.
I have a problem regarding my WHMCS billing script. It is not sending any kind of emails (welcome emails, support ticket notification mails, etc.). I even looked in the spam folder of my personal Gmail account, as well as other email accounts. The server can send out emails, but not WHMCS. Port 25 is also not blocked on the server.
I have nothing to do with it. Just passing it along.
What is veportal?
vePortal is a web-based VPS control system commanding total system control that utilizes PHP Hyper-Threading, resulting in major acceleration over competing products. As long as your server can meet the recommended system requirements, our control panel and your users will never wait for a page to load for longer than the average website.
to place the status file that comes with WHMCS to my servers in a place that can be reached by a browser so that the details will be displayed in WHMCS.