WHMCS Security Protection

Jul 7, 2009

Just thought I would post some information regarding a "backdoor" which many web hosts fail to secure.

If you run WHMCS on the same server where you set up client accounts, someone can simply sign up and easily access your WHMCS configuration file.

All it takes is for the user to upload a shell script and execute the following command:

Quote:

cat /path/to/your/configuration.php-file/

From there, they can access your configuration settings (MySQL) and create an administrator account.

How to fix:

If you have already disabled functions in your php.ini file, then you should be fine. If not, you will want to disable the following functions in your php.ini file:

Quote:

disable_functions="exec, shell_exec, proc_close, proc_open, popen, system, passthru, escapeshellarg, escapeshellcmd, symlink"

You may want to enable safe_mode as well, but this may cause issues for certain scripts.

I would highly recommend installing mod suPHP and php cgi or simply move your "master" account to a different server.


WHMCS Security

Apr 24, 2009

So I've been using WHMCS for a while, and there's something I'm a little concerned about with the whole keeping customers' credit cards for recurring payments.

I've downloaded a backup copy of the database and I see that the passwords and credit card information are encrypted. That's all nice and handy, but the CC hash is also stored right in the configuration file. That means that if someone gains access to the server and just grabs the database + config file they would then be able to view all that info, correct? Maybe someone who knows a little more about WHMCS can tell me if this is correct or not?


[Security Alert] - WHMCS Users

May 19, 2008

This is not a WHMCS vulnerability, & you are most likely not affected if you have used the Further Security Tutorials given by WHMCS.

1.) What has happened?

A professional hacker signs up as a client & adds a shell script to your attachments/downloads folder.
He gains complete access to your WHMCS admin & changes your PayPal & other gateway emails/accounts to his emails/accounts.

2.) What to do?
Check your attachments/downloads folders for any such scripts.
Use - [url]Furthur_Security_Steps to secure it.

Go to Payment Gateways, & check if the accounts are yours.

3.) How do I know so much about this?
Our installation was also hacked. But this hacker made a mistake.
He used his email account password for signing up. I could get into his email & see who has been hacked. I could also get into his PayPal & Egold, & refund all payments intended to go to LaceHost (me). I saw other hosts' payments too.

4.) Hacker has changed his modus operandi.
He now changes the PayPal to some other host's PayPal, instead of his.
He also deleted tables from your database, may create a new administrator account, may modify other accounts, add affiliate commission etc.

5.) For more information on this hacker,
Add me on IM - lacehost [dot] live1 [at] yahoo [dot] com

6.) How many have been hacked?
According to what I saw in his PayPal & his email, at least 15 hosts have been hacked.

If your PayPal has been changed to some other host's PayPal, please do not blame them for hacking; we really do not need an inter-industry war here.


Protection / Security Of FreeBSD !

Jun 21, 2007

I would like to request from people here that use FreeBSD to give us some tips on what we should do to protect and secure our FreeBSD dedicated servers. I know there are many threads about it and I have searched them, but none of them are talking specifically about FreeBSD (most of them are for Linux) and I would like to know exactly what to do so as to be 100% protected.

If possible, also give some tutorials or sites with tutorials so as to help us.

I am going to run a personal dedicated server, which means that no one else except me will have access to the server (if that helps you to give more specific info).


DDoS Protection Providers Vs DDoS Protection Scripts

Oct 8, 2009

I am looking for some good DDoS protection providers, via protected DNS. I've searched on the internet, but most of them are really expensive.

Please tell me some DDoS protection providers that could help me (gige is too expensive btw).

And I found some DDoS protection scripts. How can a script protect a server from DDoS? A script like CSF or DDoS deflate?


Joomla Security / Linux Security

Apr 4, 2008

I run a web hosting company and one of my servers is a LAMP server running CentOS 5. A user of mine has a Joomla installation running to manage his website and he has run into the following problem that I am puzzled by.

When Joomla adds a component or module to itself, or when a user uses the Joomla upload functionality, Joomla will add the new files under the user name "apache". This makes sense as it is the apache service running PHP that is actually creating the files.

However, when he FTP's into the account to modify these files, he doesn't have the appropriate permissions to do so as he doesn't have a root level login, just permissions on his home directory which is the site. Any help would be much appreciated.

Also, does anyone know how to change the owner/group of a directory and all of its subdirectories in Linux without changing the actual permissions? I.e. some of the files in the folder have different permissions (0644 as opposed to 0755) than its parent, but if I do a top-down user/group change on the folder it will change everything in that folder to 0755.


DNP + WHMCS

Jul 21, 2009

When creating new packages and addons, do you have to create them in both systems or in WHMCS only?


SSL And WHMCS

Jan 30, 2008

I just set up my WHMCS and I see it has an option to put in an SSL cert. Now I was wondering if I would still need to do this if I'm going to use PayPal for my CC processing using a merchant account?

Or is the SSL also to protect my clients login information and such?


Whmcs

May 1, 2007

When I go to create a plan via WHMCS to my cPanel server I get Server Command Error
Socket Connection Failed (No route to host)

but when I create one on my DA box it works fine.


Kayako And WHMCS

Oct 31, 2008

Kayako and WHMCS

I am planning on purchasing Kayako Support Suite.


WHMCS Hacked

Nov 23, 2008

Now, first of all... I'm not sure if this is a problem with WHMCS or some other piece of software with a security hole, but I thought I should post here.

Our WHMCS got hacked earlier today and the hacker sent out a, to be honest, unacceptable email to all clients. I won't go into detail but let's just say it directly insulted them.

Now apart from ruining our reputation and client relationships, I am now completely paranoid that it will happen again. I'd also like to know how it happened in the first place. The hacker signed up for a hosting account, and then sent the email. I have no idea how he/she did it, but when I look at the admin log in WHMCS, it shows the username "hacked" as logging in (see image). http://img378.imageshack.us/img378/2560/hackedmh9.png

Just a warning to everyone out there. His IP address was 86.132.228.82.


Exim With WHMCS

Jun 5, 2009

I am running CentOS Final 4.7. Everything was fine with WHMCS with Exim until recently; I can't receive any email?


WHMCS Callback

Mar 29, 2009

We've been using WHMCS for a while and every time a customer pays via 2checkout it works, but when they click "Finalize Payment" on 2co, it goes to the callback URL, but the gateway callback URL is blank. PayPal works but 2co doesn't. The reason it's a problem is it doesn't mark the payment as "paid" so I have to confirm it manually; a pain.

Yes, I've contacted WHMCS.com but they weren't too sure about it; they told me to add a line in configuration.php "$display_errors="on"" but it didn't do much for this problem.


Customizing Whmcs

Jul 30, 2009

It looks fine on Mozilla Firefox

[url]

but on Internet Explorer it all gets squashed into a sort of column.

I think it might be something like a float to left css but I’ve tried this and it doesn’t work.


Using Whmcs With Webmin.

Jun 1, 2009

I want to use WHMCS with Webmin as it's a free utility, though I am not getting how to set up a cron job and email piping on the same. I have tried using php -q /var/www/pipe/pipe.php in my scheduled cron jobs in Webmin, but every time it results in an error. Also I have tried using /usr/local/bin/php -q /var/www/whmcs/pipe/pipe.php, but it still shows an error.


DotNetPanel & WHMCS

Jul 26, 2009

when a server's resources get full. I'm mostly concerned with disk space. Do you start migrating some customers to another server? What's the process for this?


WHMCS & Hosting

Jun 28, 2008

I'm currently reselling/hosting with GoDaddy and while their products and pricing are acceptable, the reseller store they provide is just horrible. The design is pathetic and dated and it is very limited in how much presentation we have control over.

That being said, I have been looking into WHMCS to run a store on my own website and quite like what I see. I was wondering if somebody can recommend a reputable and cost-effective as the only control panels WHMCS supports is Plesk and Cpanel. (Plesk would be preferred as I have had more experience with it.)


WHMCS CronJob

May 14, 2008

I have a reseller account with Reseller Zoom. My problem started 72 hours ago when I noticed my WHMCS was not working on my website. I was also receiving Cron Daemon emails stating:

Site error: the file <b>/home/tmass10/public_html/clients/admin/cron.php</b> requires the ionCube PHP Loader ioncube_loader_lin_5.2.so to be installed by the site administrator.

At this time I was using the standard WHMCS cron: php -q /home/tmass10/public_html/clients/admin/cron.php

RZ told me they made a custom php.ini file and placed it in my directory. Then they said to change my cron job to

php -c/home/tmass10/public_html/clients/admin/php.ini /home/tmass10/public_html/clients/admin/cron.php

At this point I noticed that WHMCS was loading again on my website. However, I am still receiving cron job errors.


VPS With CPanel And WHMCS

May 3, 2008

I currently have a reseller account that uses CPanel/WHM and includes a free WHMCS license, but am looking to upgrade to a VPS or perhaps a cheap dedicated server.

Does anyone have any recommendations for a VPS provider that includes CPanel/WHM? It would also be nice if they include free or discounted WHMCS licenses.


Whmcs Settings?

Jul 12, 2007

Is there a way to make it so only PayPal verified people can order?


SSL For Clientexec Or Whmcs If I Am Using Pay Pal

Oct 8, 2007

I know with my ecom sites that I don’t need an SSL if I am using paypal for my orders. Do I need it if I intend to use paypal for clientexec or whmcs?


WHM AutoPilot V's WHMCS

Feb 16, 2007

I was just wanting to get the thoughts of people regards what they feel is better and why?

WHM AutoPilot
or
WHM CompleteSolution

WHY?

Tell me your thoughts on both and why you use/rate one over the other please.


WHMCS- Packages

Jul 29, 2007

I've just modified the WHMCS Packages/WHM Packages. Now it's displaying the first package quota and somehow Unlimited Bandwidth, but I have nowhere defined unlimited bandwidth. Any ideas?

It should say 2500MB Space and 500GB Bandwidth

SOLVED: Looks like WHMCS also updates the account packages as soon as the cron job executes the cron script. I used admin/cron.php to make it refresh and it worked.

But I still have the problem that it's displaying Unlimited Bandwidth


Setting Up Whmcs

Jun 23, 2007

I have been having a tough time installing WHMCS on my VPS. Most of it is of my own making - I didn't have php.ini in the right folders.

But, even after putting it in all the right folders (the root whmcs folder, the admin subfolder and install subfolder) with register_globals on and the ioncube extension loaded, I am still getting a 403 error when I type in the url www.mydomain.com/whmcs/install and an internal server error (500) when I type in www.mydomain.com/whmcs/install/install.php

Matt has tried his best to help as has my hosting company, but I am still lost. I am running php as cgi with phpsuexec turned on. I will be thankful for any advice to get this working.


WHMCS Being Blocked,

Dec 1, 2007

WHMCS wasn't working for me so I contacted their support and they said a firewall is blocking it. The only firewall I know I have installed is APF. What exactly do I need to unblock and how do I do it?


Fraud Signup WHMCS

Jun 9, 2008

I recently had an account sign up through WHMCS. When I woke up in the morning the account was suspended and it alerted me that it was a fraud.

What do I do with that Account that is in WHMCS?


Setting Up WHMCS/LXAdmin

Apr 16, 2009

I'm a hosting reseller; I use Lxadmin.
I cannot connect WHMCS to my Lxadmin module. How do I create the WHMCS server setting for LXAdmin?

Nameservers is okay, it's so simple.
I need these values example:

Edit Server
Name : [?]
Hostname: [localhost] or [the real hostname]
IP Address: [The main IP address]
Monthly Cost: [not important]
Datacenter/NOC: [not important]
Maximum No. of Accounts:

Server Details

Type : [Lxadmin]
Username: [My reseller account lxadmin username]
Password: [My reseller account lxadmin password]

Due to point 1 above, I still cannot create a new account based on my Lxadmin resource plan.
If no. 1 is fixed, what should I fill in/choose below?

Get from server: Get the available choices from the server
Resource Plan: [my lxadmin res plan]
DNS Template: [mylxadmin created .dnst] Web Server: [?]
Mail Server: [?] MySQL Server:[?]
DNS Servers: [ns1.mydomain.tld, ns2.mydomain.tld]


Will WHMCS Work With Vps Virtuozzo

Jan 25, 2009

I am wondering, does anyone have a module that will work with WHMCS to create a VPS? If not, can someone point me in the right direction? The server is Windows Server 2003 and it has Virtuozzo. If you need any more information please let me know. And the only reason why I have Virtuozzo is because I got offered it for free by ThePlanet.


My WHMCS Is Not Sending Emails

Apr 4, 2009

I have a problem regarding my WHMCS billing script. It is not sending any kind of emails (welcome emails or support ticket notification mails etc). I even looked in the spam folder of my personal Gmail account, as well as other email accounts. The server can send out emails, but not WHMCS. Port 25 is also not blocked on the server.


VEPortal WHMCS Module

Sep 23, 2009

Check it out:
[url]

I have nothing to do with it. Just passing it along.

What is veportal?

vePortal is a VPS Commanding total system control Web-Based system that utilizes PHP Hyper-Threading resulting in major acceleration over competing products, As long as your server can meet the recommended system requirements our control panel and your users will never wait for a page to load for longer than the average website.


WHMCS Status File

Dec 16, 2008

to place the status file that comes with WHMCS to my servers in a place that can be reached by a browser so that the details will be displayed in WHMCS.

Any ideas where I can put it?

All 3 servers are running CentOS 5.2
