So two weeks ago, there was a hack at WHMCS Services, a modules provider.  As LowEndTalk member @Advin put it in a thread on LET,

A popular WHMCS module provider, WHMCSServices, was recently hacked and modules were uploaded that contained malicious code.

That’s the worst kind of hack.  You buy or update a module from a supposedly trustworthy marketplace, only to find out it’s been subverted.

Several hosts reported being affected.  Community members have received notifications from Cloudie and Quikhost.  Since then, more providers have reported being affected.

What’s the risk?  Really, once you have a module with code of the attacker’s choosing running in your WHMCS, they can do what they want.  Dumping and absconding with your database is popular.

So What Should Providers Do?

First, be very careful of modules you buy.  Understand you’re giving them the “keys to the kingdom”.  If it’s something you need, a security audit would not be a bad idea.

LET veteran @FatGrizzly has a great checklist:

• Changing admin URL, or restricting admin URL by IP
• Use a WAF to block requests to unneeded files.  No one on the Internet needs to be fetching your configuration.php
• Restrict your DB server access to localhost
• Use strong, unique passwords for all accounts (including database)
• Do exposed SSH, PhpAdmin, etc.
• Monitor and review logs
• Use something like Immunify360 to do regular scans
• Take regular backups and test restoring them

(Thanks to @FatGrizzly for some of these suggestions).

Have you been affected?  Any advice?  What happened?  Let us know in the comments below or on LowEndTalk!

• Author
• Recent Posts

raindog308

Dread Lord of LowEnd Content at LowEndBox

I'm raindog308, techno polymath and long-time LowEndTalk community Administrator. My technical interests include all things Unix, perl, python, golang, shell scripting, vintage operating systems such as MVS, and relational database systems such as Oracle, PostgreSQL, and MySQL.

I also enjoy using LEBs! I have an empire of little guys for VPNs, larger guys for apps, and big guys for databases and storage. When I'm not in front a screen I'm into German Shepherd dogs, quality knives, target shooting, theology, tabletop roleplaying games, and forest hiking.

I enjoy writing technical articles here on LowEndBox to help people get more out of their systems. You can find me on LowEndTalk @raindog308

Latest posts by raindog308 (see all)

• Dropbear in 2025: Still the LowEnd SSH Server of Choice? - January 20, 2025
• “OMG! I Never Knew That!”: The Simply Linux Tip That Has Got Me More Thanks Than Anything I’ve Ever Shared in 30+ Years - January 19, 2025
• Bluesky has Flopped: How Mashable is Lying To You - January 18, 2025