Hmmm...I think having a dev instance is only allowed with a purchased WHMCS license (as opposed to leased). I guess I wouldn't be surprised if GVH leases WHMCS.
GreenValueHost forced password reset - Security breach?
- Thread starter MannDude
- Start date
- Status
Aldryic C'boas
The Pony
Not unless that's a newish rule? I've had a dev license for years, and we've only owned our WHMCS license for the past.. maybe 15-20 months?
EDIT: Pretty sure the catch is they'll only provide support if you keep your owned license renewed - leased licenses are pretty much good to go.
Last edited by a moderator:
@aldryic I had done my own password resets at gvh earlier today and it did not require a second step or clicking a link. To change the password only required you to input an email address and click the reset password link. You would than get an email containing you your new password. However I just notice something very interesting. At the end of the slew of password resets was the final one which DID require clicking a link. So it looks like they were updating things on their end. The only thing that worries my is my initial password having "fu u cnt" in it. Maybe the guys at gvh thing this is funny, or maybe there was some compromise earlier.
I wonder if someone:
1. took a list of emails from some provider's previous leak (e.g., CVPS database)
2. wrote a script to request a password reset for each email from GVH
3. let it run endlessly
In which case it'd be easy for a competent admin to identify where all the resets are coming from and block...
1. took a list of emails from some provider's previous leak (e.g., CVPS database)
2. wrote a script to request a password reset for each email from GVH
3. let it run endlessly
In which case it'd be easy for a competent admin to identify where all the resets are coming from and block...
Last edited by a moderator:
i didn't look at the emails close enough.....
1:02 am password in email
moving to PM....
1:02 pm password in email
1:04 requires a link
1:05 password in email
1:06 password in email
1:06 password in email
1:07 password in email
1:08 password in email
1:09 password in email
1:11 requires a link
During this time i am almost certain I requested two passwords resets myself, which would probably be the 1:04 and 1:11.
1:02 am password in email
moving to PM....
1:02 pm password in email
1:04 requires a link
1:05 password in email
1:06 password in email
1:06 password in email
1:07 password in email
1:08 password in email
1:09 password in email
1:11 requires a link
During this time i am almost certain I requested two passwords resets myself, which would probably be the 1:04 and 1:11.
Aldryic C'boas
The Pony
That's... rather frightening when you stop to think about it. WHMCS has included password verification (the two-email process) for quite some time - and unless I'm blind, there's not an option to disable. Which makes me wonder just how *old* their WHMCS install was.
That was my first thought.. but I haven't found an option to disable the verification emails for password resets. Meanwhile, an admin issuing the reset by hand automatically generates the new pass and sends the email.
Aldryic C'boas
The Pony
Aah, that makes more sense. But, still means that someone gained access to an admin account, and was having a gaye old time with it.
What's truly disturbing is how long it's gone on without them having the sense to track down the issue, or even block public access to prevent further damage.
I don't know how many clients they have, but i can't imagine someone (an admin) being able to go through the list of all their clients and manually click on the "reset & set password" link for each client, all this in a minute or so. Must have been scripted / automated.
Last edited by a moderator:
I just talked to Jon, their sysadmin blocked off whmcs admin to prevent anymore resets. I personally was tired of getting spammed with password emails
.
Aldryic C'boas
The Pony
Depends on how many clients they actually have (that group is known to exaggerate figures), and whether or not it was actually a 'mass' reset as opposed to just spamming a bunch of random clients' reset links.
they whmc is still accessible.I just talked to Jon, their sysadmin blocked off whmcs admin to prevent anymore resets. I personally was tired of getting spammed with password emails
Their WHMCS is, their admin path is not.
Aldryic C'boas
The Pony
Which pretty much confirms that they know it was someone running around with a compromised admin account. If they truly thought it was a bug in WHMCS, they would either throw maintenance mode, or lock the entire site down.
DomainBop
Dormant VPSB Pathogen
They need to hire someone competent to deal with the issue. Jon doesn't have the necessary skills to deal with a security breach and I don't have much confidence in his new 'VP of Ops' (granted my judgement of the new VP might be clouded by the "DCMA" [sic] graphic on his site)
Aldryic C'boas
The Pony
If you have to give someone a title like 'VP', you already know they're worthless for real work.
Their VP of Ops is a very talented admin, however who it is is confidential unfortunately. Just know you are in good hands!
Aldryic C'boas
The Pony
"We're letting someone new poke around our systems and view all of your data. We can't tell you who it is, though."
Probably the same guy who was sending password resets. Admin path is on WHMCS default also.
See if you're going to throw cloak and dagger crap around, don't bother posting. Either give the information out or say nothing. All you're doing is making yourself look incompetent because no decent admin would put that kind of pish on their own website.
DomainBop
Dormant VPSB Pathogen
It can't be too confidential since "VP of Operations GreenValueHost" is posted on his LinkedIn profile for everyone to see (see the link I posted on the first page of this thread ).
- Status