So two weeks ago, there was a hack at WHMCS Services, a modules provider. As LowEndTalk member @Advin put it in a thread on LET:
A popular WHMCS module provider, WHMCSServices, was recently hacked and modules were uploaded that contained malicious code.
That’s the worst kind of hack. You buy or update a module from a supposedly trustworthy marketplace, only to find out it’s been subverted.
Several hosts reported being affected. Community members have received notifications from Cloudie and Quikhost. Since then, more providers have reported being affected.
What’s the risk? Really, once you have a module with code of the attacker’s choosing running in your WHMCS, they can do what they want. Dumping and absconding with your database is popular.
So What Should Providers Do?
First, be very careful of modules you buy. Understand you’re giving them the “keys to the kingdom”. If it’s something you need, a security audit would not be a bad idea.
LET veteran @FatGrizzly has a great checklist:
- Change the admin URL, or restrict the admin URL by IP
- Use a WAF to block requests to unneeded files. No one on the Internet needs to be fetching your configuration.php
- Restrict your DB server access to localhost
- Use strong, unique passwords for all accounts (including database)
- Don't expose SSH, phpMyAdmin, etc.
- Monitor and review logs
- Use something like Imunify360 to do regular scans
- Take regular backups and test restoring them
(Thanks to @FatGrizzly for some of these suggestions).
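As an added example (not code from this article or from @FatGrizzly), here is one way to act on the log review, admin restriction and configuration.php items together: a Python pass over web access logs. The combined log format, the `/admin/` directory name, the allowlisted network and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Assumptions (not from the article): combined log format, the admin
# directory name, and the allowlisted admin network.
ADMIN_PREFIX = "/admin/"
ADMIN_ALLOW = [ipaddress.ip_network("192.0.2.0/24")]
BLOCKED_FILES = {"configuration.php"}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /admin/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2025:10:00:05 +0000] "GET /configuration.php HTTP/1.1" 200 0 "-" "curl/8.0"
198.51.100.23 - - [01/Jan/2025:10:00:09 +0000] "POST /admin/login.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2025:10:00:11 +0000] "GET /modules/../configuration.php?x=1 HTTP/1.1" 403 150 "-" "curl/8.0"
198.51.100.40 - - [01/Jan/2025:10:00:15 +0000] "GET /cart.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

def is_allowed(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # hostname or garbage in the client field
        return False
    return any(ip in net for net in ADMIN_ALLOW)

def review(log_text):
    """Return (client, reason, status) for each request worth a look."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Decode and normalise so /modules/../configuration.php is caught too.
        path = posixpath.normpath(unquote(urlsplit(m["target"]).path)).lower()
        status = int(m["status"])
        if posixpath.basename(path) in BLOCKED_FILES:
            # 2xx means the server answered instead of the WAF blocking it.
            reason = "config-served" if 200 <= status < 300 else "config-probe"
            findings.append((m["ip"], reason, status))
        elif (path + "/").startswith(ADMIN_PREFIX) and not is_allowed(m["ip"]):
            findings.append((m["ip"], "admin-from-unlisted-ip", status))
    return findings
```

Calling `review(SAMPLE_LOG)` returns three findings; a `config-served` result means the WAF rule from the checklist is missing or not matching.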
Have you been affected? Any advice? What happened? Let us know in the comments below or on LowEndTalk!
Raindog308 is a longtime LowEndTalk community administrator, technical writer, and self-described techno polymath. With deep roots in the *nix world, he has a passion for systems both modern and vintage, ranging from Unix, Perl, Python, and Golang to shell scripting and mainframe-era operating systems like MVS. He’s equally comfortable with relational database systems, having spent years working with Oracle, PostgreSQL, and MySQL.
Sad, very sad.