So two weeks ago, there was a hack at WHMCS Services, a modules provider. As LowEndTalk member @Advin put it in a thread on LET,
A popular WHMCS module provider, WHMCSServices, was recently hacked and modules were uploaded that contained malicious code.
That’s the worst kind of hack. You buy or update a module from a supposedly trustworthy marketplace, only to find out it’s been subverted.
Several hosts reported being affected. Community members have received notifications from Cloudie and Quikhost. Since then, more providers have reported being affected.
What’s the risk? Really, once you have a module with code of the attacker’s choosing running in your WHMCS, they can do what they want. Dumping and absconding with your database is popular.
So What Should Providers Do?
First, be very careful of modules you buy. Understand you’re giving them the “keys to the kingdom”. If it’s something you need, a security audit would not be a bad idea.
LET veteran @FatGrizzly has a great checklist:
- Changing admin URL, or restricting admin URL by IP
- Use a WAF to block requests to unneeded files. No one on the Internet needs to be fetching your configuration.php
- Restrict your DB server access to localhost
- Use strong, unique passwords for all accounts (including database)
- Do exposed SSH, PhpAdmin, etc.
- Monitor and review logs
- Use something like Immunify360 to do regular scans
- Take regular backups and test restoring them
(Thanks to @FatGrizzly for some of these suggestions).
Have you been affected? Any advice? What happened? Let us know in the comments below or on LowEndTalk!
Related Posts:
- LowEndBoxTV: Free Power Toys for Your Linux Server! - October 4, 2024
- Happy Halloween from MangoMail!Get 3 Months FREE Email Hosting on New Signups! - October 3, 2024
- LowEndBoxTV: Stop Losing Your WordPress Data! Backup Your WordPress Easily for FREE! - October 2, 2024
Sad, very sad.