WHMCS Security Protection
Jul 7, 2009
Just thought I would post some information regarding a "backdoor" that many web hosts fail to secure.
If you run WHMCS on the same server where you set up client accounts, someone can simply sign up and easily access your WHMCS configuration file.
All it takes is for the user to upload a shell script and execute the following command:
Quote:
cat /path/to/your/configuration.php-file/
From there, they can access your configuration settings (MySQL) and create an administrator account.
How to fix:
If you have already disabled functions in your php.ini file, then you should be fine. If not, you will want to disable the following functions in your php.ini file:
Quote:
disable_functions="exec, shell_exec, proc_close, proc_open, popen, system, passthru, escapeshellarg, escapeshellcmd, symlink"
You may want to enable safe_mode as well, but this may cause issues for certain scripts.
I would highly recommend installing mod suPHP and php cgi or simply moving your "master" account to a different server.
View 3 Replies
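An added example, not part of the original post: a Python check that reports which of the functions listed in the post above a php.ini still leaves enabled, and whether a configuration file is readable by other local users. The sample php.ini text is constructed, all function names are this example's own, and it assumes a single main php.ini without per-directory sections.

```python
import os
import re
import stat

# The list from the post above; names here are this example's own, not WHMCS code.
RECOMMENDED = ["exec", "shell_exec", "proc_close", "proc_open", "popen", "system",
               "passthru", "escapeshellarg", "escapeshellcmd", "symlink"]

# Constructed sample: an early directive, then a later one with a stray space in "popen".
SAMPLE_INI = '''\
; constructed sample php.ini fragment
disable_functions = exec, system
;disable_functions = popen
disable_functions = "exec, shell_exec, proc_close, proc_open, pope n,system, passthru, escapeshellarg, escapeshellcmd, symlink" ; typo
'''

def effective_disable_functions(ini_text):
    """Names disabled by the last uncommented disable_functions line."""
    value = ""
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith(";"):
            continue  # commented-out directives have no effect
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:
            value = m.group(1)  # a later setting replaces an earlier one
    value = value.split(";", 1)[0].strip().strip("\"'")
    # PHP splits this list on commas and spaces, so "pope n" names "pope" and "n".
    return {name.lower() for name in re.split(r"[,\s]+", value) if name}

def missing_functions(ini_text, wanted=RECOMMENDED):
    """Functions from the recommended list that the php.ini leaves enabled."""
    disabled = effective_disable_functions(ini_text)
    return [name for name in wanted if name not in disabled]

def readable_by_others(path):
    """True if users other than the owner and group can read the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

if __name__ == "__main__":
    print("still enabled:", missing_functions(SAMPLE_INI))
```

Point `missing_functions` at the contents of the php.ini the web server's PHP actually loads, and `readable_by_others` at the WHMCS configuration file.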
Apr 24, 2009
So I've been using WHMCS for a while, and there's something I'm a little concerned about with the whole keeping customers credit cards for recurring payments.
I've downloaded a backup copy of the database and I see that the passwords and credit card information are encrypted. That's all nice and handy, but the CC hash is also stored right in the configuration file. That means that if someone gains access to the server and just grabs the database + config file they would then be able to view all that info, correct? Maybe someone who knows a little more about WHMCS can tell me if this is correct or not?
View 1 Replies
May 19, 2008
This is not a WHMCS vulnerability, & you are most likely not affected if you have used the Further Security Tutorials, given by WHMCS.
1.) What has happened?
A professional hacker signs up as a client, & adds a shell script to your attachments/downloads folder.
He gains complete access to your WHMCS admin, & changes your paypal & other gateway emails/accounts, to his emails/accounts.
2.) What to do?
Check your attachments/downloads folders, for any such scripts.
Use - [url]Furthur_Security_Steps to secure it.
Go to Payment Gateways, & check if the accounts are yours.
3.) How do I know so much about this?
Our installation, was also hacked. But, this hacker made a mistake.
He used his email account password, for signing up. I could get into his email, & see who has been hacked. I could also get into his PayPal & Egold, & refund all payments intended to go to LaceHost (me). I saw other host's payments too.
4.) Hacker has changed his modus operandi.
He now changes the paypal, to some other host's paypal, instead of his.
He also deleted tables from your database, may create a new administrator account, may modify other accounts, add affiliate commission etc.
5.) For more information on this hacker,
Add me on IM - lacehost [dot] live1 [at] yahoo [dot] com
6.) How many have been hacked?
According to what I saw in his PayPal, & his email, at least 15 hosts have been hacked.
If your paypal has been changed to some other host's paypal, please do not blame them for hacking, we really do not need an inter-industry war here.
View 14 Replies
Jun 21, 2007
I would like to request that people here who use FreeBSD give us some tips on what we should do to protect and secure our FreeBSD dedicated servers. I know there are many threads about it and I have searched them, but none of them talk specifically about FreeBSD (most of them are for Linux), and I would like to know exactly what to do so as to be 100% protected.
If possible, also give some tutorials or sites with tutorials to help us.
I am going to run a personal dedicated server, which means that no one else except me will have access to the server (if that helps you to give more specific info).
View 8 Replies
Oct 8, 2009
I am looking for some good DDoS protection providers, via protected DNS. I've searched on the internet, but most of them are really expensive.
Please tell me some DDoS protection providers that could help me (gige is too expensive, btw).
And I found some DDoS protection scripts. How can a script protect a server from DDoS? A script like CSF or DDoS Deflate?
View 12 Replies
Apr 4, 2008
I run a web hosting company and one of my servers is a LAMP server running CentOS 5. A user of mine has a Joomla installation running to manage his website and he has run into the following problem that I am puzzled by.
When Joomla adds a component or module to itself, or when a user uses the Joomla upload functionality, Joomla will add the new files under the user name "apache". This makes sense as it is the apache service running PHP that is actually creating the files.
However, when he FTP's into the account to modify these files, he doesn't have the appropriate permissions to do so as he doesn't have a root level login, just permissions on his home directory which is the site. Any help would be much appreciated.
Also, does anyone know how to change the owner/group of a directory and all of its subdirectories in Linux without changing the actual permissions? I.e. some of the files in the folder have different permissions (0644 as opposed to 0755) than its parent, but if I do a top-down user/group change on the folder it will change everything in that folder to 0755.
View 10 Replies
Jul 21, 2009
When creating new packages and addons, do you have to create them in both systems or in WHMCS only?
View 4 Replies
Jan 30, 2008
I just set up my WHMCS and I see it has an option to put in an SSL cert. Now I was wondering if I would still need to do this if I'm going to use PayPal for my CC processing using a merchant account?
Or is the SSL also to protect my clients login information and such?
View 8 Replies
May 1, 2007
When I go to create a plan via WHMCS on my cPanel server I get Server Command Error
Socket Connection Failed (No route to host)
but when I create one on my DA box it works fine.
View 14 Replies
Oct 31, 2008
Kayako and WHMCS
I am planning on purchasing Kayako Support Suite.
View 12 Replies
Nov 23, 2008
Now, first of all... I'm not sure if this is a problem with WHMCS or some other piece of software with a security hole, but I thought I should post here.
Our WHMCS got hacked earlier today and the hacker sent out a, to be honest, unacceptable email to all clients. I won't go into detail but let's just say it directly insulted them.
Now apart from ruining our reputation and client relationships, I am now completely paranoid that it will happen again. I'd also like to know how it happened in the first place. The hacker signed up for a hosting account, and then sent the email. I have no idea how he/she did it, but when I look at the admin log in WHMCS, it shows the username "hacked" as logging in (see image). http://img378.imageshack.us/img378/2560/hackedmh9.png
Just a warning to everyone out there. His IP address was 86.132.228.82.
View 11 Replies
Jun 5, 2009
I am running CentOS Final 4.7. Everything was fine with WHMCS with exim until recently; now I can't receive any email?
View 5 Replies
Mar 29, 2009
We've been using WHMCS for a while and every time a customer pays via 2checkout it works, but when they click "Finalize Payment" on 2co, it goes to the callback URL, but the gateway callback URL is blank. PayPal works but 2co doesn't. The reason it's a problem is it doesn't mark the payment as "paid", so I have to confirm it manually; a pain.
Yes, I've contacted WHMCS.com but they weren't too sure about it; they told me to add a line in configuration.php "$display_errors="on"" but it didn't do much for this problem.
View 3 Replies
Jul 30, 2009
It looks fine on Mozilla Firefox
[url]
but on internet explorer it all gets squashed into a sort of column.
I think it might be something like a float to left css but I’ve tried this and it doesn’t work.
View 2 Replies
Jun 1, 2009
I want to use WHMCS with Webmin as it's a free utility, though I am not getting how to set up a cron job and email piping on the same. I have tried using php -q /var/www/pipe/pipe.php in my scheduled cron jobs in Webmin, but it results in an error every time. I have also tried using /usr/local/bin/php -q /var/www/whmcs/pipe/pipe.php, but it still shows an error.
View 2 Replies
Jul 26, 2009
when a server's resources get full. I'm mostly concerned with disk space. Do you start migrating some customers to another server? What's the process for this?
View 14 Replies
Jun 28, 2008
I'm currently reselling/hosting with godaddy and while their products and pricing are acceptable, the reseller store they provide is just horrible. The design is pathetic and dated and it is very limited in how much presentation we have control over.
That being said, I have been looking into WHMCS to run a store on my own website and quite like what I see. I was wondering if somebody can recommend a reputable and cost-effective as the only control panels WHMCS supports are Plesk and Cpanel. (Plesk would be preferred as I have had more experience with it.)
View 15 Replies
May 14, 2008
I have a reseller account with Reseller Zoom. My problem started 72 hours ago when I noticed my WHMCS was not working on my website. I was also receiving Cron Daemon emails stating:
Site error: the file <b>/home/tmass10/public_html/clients/admin/cron.php</b> requires the ionCube PHP Loader ioncube_loader_lin_5.2.so to be installed by the site administrator.
At this time I was using the standard WHMCS cron: php -q /home/tmass10/public_html/clients/admin/cron.php
RZ told me they made a custom php.ini file and placed it in my directory. Then said to change my cron job to
php -c/home/tmass10/public_html/clients/admin/php.ini /home/tmass10/public_html/clients/admin/cron.php
At this point I noticed that WHMCS was loading again on my website. However, I am still receiving cron job errors.
View 14 Replies
May 3, 2008
I currently have a reseller account that uses CPanel/WHM and includes a free WHMCS license, but am looking to upgrade to a VPS or perhaps a cheap dedicated server.
Does anyone have any recommendations for a VPS provider that includes CPanel/WHM? It would also be nice if they include free or discounted WHMCS licenses.
View 11 Replies
Jul 12, 2007
Is there a way to make it so that only PayPal-verified people can order?
View 5 Replies
Oct 8, 2007
I know with my ecom sites that I don’t need an SSL if I am using paypal for my orders. Do I need it if I intend to use paypal for clientexec or whmcs?
View 10 Replies
Feb 16, 2007
I was just wanting to get the thoughts of people regards what they feel is better and why?
WHM AutoPilot
or
WHM CompleteSolution
WHY?
Tell me your thoughts on both and why you use/rate one over the other please.
View 0 Replies
Jul 29, 2007
I've just modified the WHMCS Packages/WHM Packages. Now it's displaying the first package quota and somehow Unlimited Bandwidth, but I have Unlimited Bandwidth defined nowhere. Any ideas?
It should say 2500MB Space and 500GB Bandwidth
SOLVED: Looks like WHMCS is also updating the account packages as soon as the cron job executes the cron script. I used admin/cron.php to make it refresh and it worked.
But I still have the problem that it's displaying Unlimited Bandwidth
View 0 Replies
Jun 23, 2007
I have been having a tough time installing WHMCS on my VPS. Most of it is of my own making- I didn't have php.ini in the right folders.
But, even after putting it in all the right folders (the root whmcs folder, the admin subfolder and install subfolder) with register_globals on and the ioncube extension loaded, I am still getting a 403 error when I type in the url www.mydomain.com/whmcs/install and an internal server error (500) when I type in www.mydomain.com/whmcs/install/install.php
Matt has tried his best to help as has my hosting company, but I am still lost. I am running php as cgi with phpsuexec turned on. I will be thankful for any advice to get this working.
View 13 Replies
Dec 1, 2007
WHMCS wasn't working for me so I contacted their support and they said a firewall is blocking it. The only firewall I know I have installed is apf. What exactly do I need to unblock and how do I do it?
View 14 Replies
Jun 9, 2008
I recently had an account sign up through WHMCS. When I woke up in the morning the account was suspended and it alerted me as a fraud.
What do I do with that Account that is in WHMCS?
View 13 Replies
Apr 16, 2009
I'm a hosting reseller, I used Lxadmin.
I cannot connect WHMCS to my Lxadmin module. How to create the WHMCS server setting for LXAdmin?
Nameservers is okay, it's so simple.
I need these values example:
Edit Server
Name : [?]
Hostname: [localhost] or [the real hostname]
IP Address: [The main IP address]
Monthly Cost: [not important]
Datacenter/NOC: [not important]
Maximum No. of Accounts:
Server Details
Type : [Lxadmin]
Username: [My reseller account lxadmin username]
Password: [My reseller account lxadmin password]
Due to point-1 above, I still cannot create a new account based on my lxadmin resource plan.
If no. 1 fixed, what should I fill/choose below?
Get from server: Get the available choices from the server
Resource Plan: [my lxadmin res plan]
DNS Template: [mylxadmin created .dnst]
Web Server: [?]
Mail Server: [?]
MySQL Server: [?]
DNS Servers: [ns1.mydomain.tld, ns2.mydomain.tld]
View 0 Replies
Jan 25, 2009
I am wondering, does anyone have a module that will work with WHMCS to create a VPS? If not, can someone point me in the right direction? The server is Windows Server 2003 and it has Virtuozzo. If you need any more information please let me know. And the only reason why I have Virtuozzo is because I got offered it for free by theplanet.
View 9 Replies
View Related
Apr 4, 2009
I have a problem regarding my WHMCS billing script. It is not sending any kind of emails (welcome emails or support ticket notification mails etc). I even looked in the spam folder of my personal Gmail account, as well as other email accounts. The server can send out emails, but not WHMCS. Port 25 also is not blocked on the server.
View 13 Replies
Sep 23, 2009
Check it out:
[url]
I have nothing to do with it. Just passing it along.
What is veportal?
vePortal is a VPS Commanding total system control Web-Based system that utilizes PHP Hyper-Threading resulting in major acceleration over competing products, As long as your server can meet the recommended system requirements our control panel and your users will never wait for a page to load for longer than the average website.
View 3 Replies
Dec 16, 2008
to place the status file that comes with WHMCS to my servers in a place that can be reached by a browser so that the details will be displayed in WHMCS.
Any ideas where I can put it?
All 3 servers are running CentOS 5.2
View 12 Replies