Yeah, I'm the root of the evil! Poor Spencer was just a minion.Don't try to blame Spencer. I read in the cestpit it was ALL YOUR FAULT!
GreenValueHost forced password reset - Security breach?
- Thread starter MannDude
- Start date
- Status
hellogoodbye
New Member
Sorry about that!
Either way, I'm looking forward to hearing an official explanation on the matter, especially after they initially placed the blame on an out-of-control cronjob. Since the comment about them making an official statement "soon" was made over six hours ago, I hope it won't be too long now.
Either way, I'm looking forward to hearing an official explanation on the matter, especially after they initially placed the blame on an out-of-control cronjob. Since the comment about them making an official statement "soon" was made over six hours ago, I hope it won't be too long now.
DomainBop
Dormant VPSB Pathogen
What data breach? We're here to discuss WHMCS's bad coding and the out of control cron job!.Let's keep this on topic if possible and discuss the likely GVH security breach. Thanks.
If there had been a data breach (which there wasn't because Jon said so), then Jon would need to notify all of his customers and follow the notification procedures that 46 states have in place. If there had been a breach (which there wasn't) then Jon would be wise to read the information on these 2 links: http://www.perkinscoie.com/statebreachchart/ and http://usa.visa.com/download/merchants/cisp_responding_to_a_data_breach.pdf
jarland
The ocean is digital
Dear lord...
https://copy.com/ulZUpFl1nzxpM3U3
That's only about half of them too. If their host had a certain mascot in Florida I'd tell them what happened in 3 minutes
https://copy.com/ulZUpFl1nzxpM3U3
That's only about half of them too. If their host had a certain mascot in Florida I'd tell them what happened in 3 minutes
Last edited by a moderator:
drmike
100% Tier-1 Gogent
So delving slightly off topic here...
There was a WHMCS link posted to IRC earlier. Rogue-Oktay posted and asked people to ping it... Some did/looked and bunch of background crap happened. Growl.
cron.php
To those of you familiar with such / with installs... Can you access this file from remote locations? Require credentials in generic install?
WTF is that file normally?
There was a WHMCS link posted to IRC earlier. Rogue-Oktay posted and asked people to ping it... Some did/looked and bunch of background crap happened. Growl.
cron.php
To those of you familiar with such / with installs... Can you access this file from remote locations? Require credentials in generic install?
WTF is that file normally?
Nah, I thought that was the thing that triggered the mails and posted the link. It seemed the file was locked out of public access already.
http://pastebin.com/tjkjws2q
Later will have a better code
Edit: this is from whmcs 5.2.10 decoded but still code is similar to latest one ones like 5.3.*: https://raw.githubusercontent.com/kiddo90/whmcs_5.2.10_decoded_nulled_mtimer/master/admin/cron.php
Edit 2: after analyzing the cron.php code I would like to say that there is nothing what could make a password reset at all.
If somebody had an admin account it's possible to reset password with api like this:
1) Update client password http://docs.whmcs.com/API:Update_Client
2) Send email with custom email template (it does support custom variables and etc) http://docs.whmcs.com/API:Send_Email#Example_with_Predefined_Email_Template
Last edited by a moderator:
Aldryic C'boas
The Pony
Cron.php is an ioncube'd file that contains WHMCS 'daily chores'. Calculating totals, invoice generation, email notifications (for invoices, etc) - pretty much most of your automated tasks.
It can be accessed 'remotely' if the admin is less-than-competent, and doesn't secure his install. However, the cron.php file itself does not take any arguements or POST data - it's not really susceptible to injection or true malicious use by itself. But, the file is intended to be accessed once a day. If it's publicly accessible, and it gets spammed, and someone has a due invoice - that someone will receive a new 'invoice overdue' email each time it gets hit.
By itself, really the worst you can do is troll a company that doesn't know how to properly secure WHMCS. I elaborated earlier on why blaming the cron for the password resets was utter BS.
So it's definitely related to Cron - > Hooks.
Code:
$cron->logActivity("Completed");
$cron->emailReport();
run_hook("DailyCronJob", array());
$cron->log("Cron Job Hooks Run...");
if ($cron->isScheduled("backups")) {hellogoodbye
New Member
If it's this obvious that a couple of suspicious IPs were behind the WHMCS tinkering, why did they initially explain it away as a WHMCS bug?
drmike
100% Tier-1 Gogent
WHMCS was contacted this morning and basically hasn't a clue. Unsure what we are collectively looking at. My guess would be injected WHMCS install - as in something injected rogue. Script or config... But that's 100% speculation on my part.
I got those captures directly from GVH administrators.
If they didn't use any hooks and checked the logs that no files has been uploaded - then gvh is safe (not hacked) I think.
What comes to mind is to submit password reset like a real user (automated) and at the same visit cron url - the reason is to simply hide that client database of one of providers was used.
Http logs will make it clear.
I would like to say that on older version of whmcs there were simply password reset on request, no verification for the link is needed. If they were updating their whmcs step by step (version by version) then there is a big chance like 99% that it was still the same even having latest whmcs.
Last edited by a moderator:
- Status