LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

Providers Under Attack! WHMCS Modules Meltdown!

WHMCS in FlamesSo two weeks ago, there was a hack at WHMCS Services, a modules provider.  As LowEndTalk member @Advin put it in a thread on LET,

A popular WHMCS module provider, WHMCSServices, was recently hacked and modules were uploaded that contained malicious code.

That’s the worst kind of hack.  You buy or update a module from a supposedly trustworthy marketplace, only to find out it’s been subverted.

Several hosts reported being affected.  Community members have received notifications from Cloudie and Quikhost.  Since then, more providers have reported being affected.

What’s the risk?  Really, once you have a module with code of the attacker’s choosing running in your WHMCS, they can do what they want.  Dumping and absconding with your database is popular.

So What Should Providers Do?

First, be very careful of modules you buy.  Understand you’re giving them the “keys to the kingdom”.  If it’s something you need, a security audit would not be a bad idea.

LET veteran @FatGrizzly has a great checklist:

  • Changing admin URL, or restricting admin URL by IP
  • Use a WAF to block requests to unneeded files.  No one on the Internet needs to be fetching your configuration.php
  • Restrict your DB server access to localhost
  • Use strong, unique passwords for all accounts (including database)
  • Do exposed SSH, PhpAdmin, etc.
  • Monitor and review logs
  • Use something like Immunify360 to do regular scans
  • Take regular backups and test restoring them

(Thanks to @FatGrizzly for some of these suggestions).

Have you been affected?  Any advice?  What happened?  Let us know in the comments below or on LowEndTalk!


1 Comment

  1. treesmokah:

    Sad, very sad.

    December 31, 2023 @ 10:28 pm | Reply

Leave a Reply

Some notes on commenting on LowEndBox:

  • Do not use LowEndBox for support issues. Go to your hosting provider and issue a ticket there. Coming here saying "my VPS is down, what do I do?!" will only have your comments removed.
  • Akismet is used for spam detection. Some comments may be held temporarily for manual approval.
  • Use <pre>...</pre> to quote the output from your terminal/console, or consider using a pastebin service.

Your email address will not be published. Required fields are marked *