# Potential BlueVM WHMCS Breach



## peterw (Jun 27, 2013)

> Good morning,
> 
> Earlier this morning we were informed that a potential breach of our WHMCS may have exposed user details and passwords. As such we are taking preemptive action in the event that this is even remotely true.
> 
> ...




----------



## MannDude (Jun 27, 2013)

I don't think any data was leaked from what I have heard. But interested in hearing more.

EDIT: 14,000th vpsBoard post


----------



## peterw (Jun 27, 2013)

MannDude said:


> EDIT: 14,000th vpsBoard post


Where are the balloons and the confetti?


----------



## ChrisM (Jun 27, 2013)

peterw said:


> Where are the balloons and the confetti?


----------



## MannDude (Jun 27, 2013)

Ok, back on topic though. Curious to learn more about the potential breach. BlueVM frequents here so I'm sure we'll get an update soon.


----------



## Marc M. (Jun 27, 2013)

Kudos to @BlueVM for transparency and for how he handled everything.


----------



## peterw (Jun 27, 2013)

Looks like https://twitter.com/TwoDayExploit and https://twitter.com/YouAreBangTidy play games. Second one does not like BlueVM.


----------



## BradND (Jun 27, 2013)

Ouch anymore information on this?


----------



## wlanboy (Jun 27, 2013)

Did not get any email.

Why posting this on LET but not as an announcement to their customers?


----------



## mikho (Jun 27, 2013)

wlanboy said:


> Did not get any email.
> 
> 
> Why posting this on LET but not as an announcement to their customers?


Me neither, posting it on LET only is like telling the world that LET is their new helpdesk/announcement board.


It's a small world but not that small.


----------



## Magiobiwan (Jun 27, 2013)

Well, we'd taken down WHMCS, making it somewhat hard to send a mass-email out.


----------



## mikho (Jun 27, 2013)

Magiobiwan said:


> Well, we'd taken down WHMCS, making it somewhat hard to send a mass-email out.


I'm sorry but that's a pretty lame excuse. There are ways to get the customers' information directly from the database or just blocking external access to the WHMCS installation. I can understand that the first thing to do is to "kill" all access to it, second thing to do is to start looking. At this stage you have access to all the information to make a public announcement, like sending an email to your customers. Especially when it comes to asking your customers to change passwords on their vps.

If the Solus hack hadn't happened last week, I would probably not know about it until this thread was made since I rarely visit LET (more now after the hacks).


Was there a post on facebook or twitter about this? Did you post that information somewhere else than on LET?


Read this as constructive feedback, I'm not mad, perhaps a bit upset but not mad and I hope that next time will be better.


----------



## Aldryic C'boas (Jun 27, 2013)

Magiobiwan said:


> Well, we'd taken down WHMCS, making it somewhat hard to send a mass-email out.


Wouldn't it make more sense to simply ACL your WHMCS directory, so that your admins could still touch on open tickets (and use the mass mail function)?


----------



## peterw (Jun 28, 2013)

What attack vector was used? WHMCS itself?


----------



## wlanboy (Jun 29, 2013)

They just stated that they think that something happened.

Maybe php responses with a lot of data or calls of scripts that should not be able to be called by everyone.

Thumbs-up that they published it.


----------



## HalfEatenPie (Jun 29, 2013)

There was an individual who claimed that BlueVM's WHMCS database was compromised.  Initially they took down their installation of WHMCS and SolusVM.  Upon further investigation their WHMCS installation was not compromised and the "hacker" never delivered on their threat. 

*tl;dr:* The "attacker" was full of hot air.  



Aldryic C said:


> Wouldn't it make more sense to simply ACL your WHMCS directory, so that your admins could still touch on open tickets (and use the mass mail function)?



Or you know...  temporarily only allow IPs that are whitelisted via iptables to access WHMCS installation?


----------



## Magiobiwan (Jun 29, 2013)

We'll be releasing a statement about this soon (as soon as Justin has time to type it up. He's busy with other things right now that are a little bit higher priority). Short form is this though: We weren't actually compromised. There is no dump (except for the ones WE took immediately after seeing the tweet). Again, official release to follow soon.


----------



## BradND (Jun 29, 2013)

Magiobiwan said:


> He's busy with other things right now that are a little bit higher priority


Not sure if serious or trolling...

How can anything be more important than your whmcs install? You still haven't updated customers either.


----------



## Magiobiwan (Jun 29, 2013)

Well, he has family stuff going on. Somewhat important family stuff. Again, I'm trying to see when we'll have a statement ready for distribution.


----------



## BlueVM (Jun 29, 2013)

I apologize for my delay in making this statement. This incident could not have happened at a worse time. My move from Hawaii to Colorado began this week and as part of that I had to pack up everything in my house, file a ton of paperwork, ship my car (military shipment), etc... As part of that I'm writing this from an entirely empty house as I wait until Monday to finalize the paperwork I need to get out of the military.

My staff discovered a tweet from TwoDayExploit on the 25th of June. The tweet stated that TwoDayExploit had dumped our WHMCS database and would release the passwords and data shortly. Around the same time a large outflow of data was detected by our monitoring system setup. It was at that time we decided to take the entire VPS responsible for our billing system offline (along with hypervm) to run through the logs and detect exactly what had happened. We posted the message on LET (VPS Board was down at the time) and on our twitter feeds. I had intended to issue everyone an email about it, but my circumstances called me away to handle my move. My staff picked up the torch and continued to scan through the logs and check for any possible breach.

Around the time of the Twitter post someone uploaded a png image to our service as part of a ticket consisting of 1 MB of raw randomized text (no actual image). They then proceeded to load up that "image" from our site several hundred times, making the data flow outbound appear abnormally high until we took down our WHMCS installation. A review of the logs showed the image being loaded up and confirmed our hypothesis: *There was no breach*. As such we restarted the system and felt that it was unnecessary to email everyone about the incident due to the fact that we had already confirmed it fake. We appreciate everyone's support during this time and once again I apologize for the lack of communication on my end.
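The log review BlueVM describes above, where one uploaded "image" fetched several hundred times accounted for the whole outbound spike, is the kind of triage that can be scripted so it runs before anyone decides to pull a billing system offline. The following is an added example, not BlueVM's or WHMCS's code. It assumes the Apache/nginx "combined" access-log format; the log lines it parses are constructed samples, the attachment path `/attachments/ticket-1234.png` is made up, and the `share` and `min_requests` thresholds are arbitrary starting points. It ranks request paths by bytes sent and reports how many distinct clients fetched each one, so a single address hammering one file stands out from a genuinely popular page or from a real mass export.

```python
"""Triage an outbound-traffic spike from a web server access log.

Added example (not BlueVM's or WHMCS's code). Assumes the Apache/nginx
"combined" log format; all log lines below are constructed samples.
"""
import re
from collections import defaultdict

# combined format: host ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    b = m.group("bytes")  # "-" means no body was sent
    return {
        "host": m.group("host"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "bytes": 0 if b == "-" else int(b),
    }


def summarize(lines):
    """Aggregate request count, bytes sent and distinct client hosts per path."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "hosts": set()})
    total = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparsable lines rather than abort the whole review
        s = stats[rec["path"]]
        s["requests"] += 1
        s["bytes"] += rec["bytes"]
        s["hosts"].add(rec["host"])
        total += rec["bytes"]
    return stats, total


def find_hotspots(lines, share=0.5, min_requests=20):
    """Return paths responsible for at least `share` of all bytes sent and
    fetched at least `min_requests` times, biggest first. `distinct_hosts`
    separates one client looping on a single file from broad, legitimate
    traffic to the same path."""
    stats, total = summarize(lines)
    hot = []
    for path, s in stats.items():
        if total and s["bytes"] / total >= share and s["requests"] >= min_requests:
            hot.append({
                "path": path,
                "requests": s["requests"],
                "bytes": s["bytes"],
                "distinct_hosts": len(s["hosts"]),
                "share": round(s["bytes"] / total, 3),
            })
    hot.sort(key=lambda h: h["bytes"], reverse=True)
    return hot


def build_sample_log():
    """Constructed log: ordinary client-portal traffic from ten addresses, plus
    one 1 MB ticket attachment fetched 300 times from a single address."""
    lines = []
    for i in range(40):
        lines.append(
            f'203.0.113.{i % 10 + 1} - - [25/Jun/2013:10:{i % 60:02d}:00 +0000] '
            f'"GET /clientarea.php HTTP/1.1" 200 14200 "-" "Mozilla/5.0"'
        )
    for i in range(300):
        lines.append(
            f'198.51.100.7 - - [25/Jun/2013:11:{i % 60:02d}:{i % 60:02d} +0000] '
            f'"GET /attachments/ticket-1234.png HTTP/1.1" 200 1048576 "-" "curl/7.29.0"'
        )
    lines.append("not a log line; exercises the skip path")
    return lines


if __name__ == "__main__":
    for hit in find_hotspots(build_sample_log()):
        print(hit)
```

Run against a real log with `find_hotspots(open("access.log"))`. A hit with a large byte share, hundreds of requests and a `distinct_hosts` of one points at a single client replaying one download, which is what BlueVM found; a large byte share spread over many paths or one request to an admin or export script from an unexpected host would warrant the opposite conclusion and a much harder look.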


----------



## shovenose (Jun 29, 2013)

BlueVM said:


> get out of the military.


Are you happy about that? Just curious.


----------



## wlanboy (Jun 29, 2013)

BlueVM said:


> There was no breach.


Good to hear.

Good luck with the move.


----------



## shawn_ky (Jun 29, 2013)

Great to know!! Good luck with getting out and thank you for your service!


----------



## BlueVM (Jun 30, 2013)

shovenose said:


> Are you happy about that? Just curious.


It's a mixed set of feelings. I enjoyed serving my country, but it's not what I want to do with my life. I'd much rather be helping people with their LEBs than maintain all of the hardware they put me in charge of all the time. Literally my entire military career consisted of me taking on everyone else's work because I actively knew something about it and they didn't. (Words of advice: Don't join the military with a skill set, they'll use your skills a lot.)

@wlanboy, @shawn_ky - Thanks.


----------

