So two weeks ago, there was a hack at WHMCS Services, a modules provider. As LowEndTalk member @Advin put it in a thread on LET:
"A popular WHMCS module provider, WHMCSServices, was recently hacked and modules were uploaded that contained malicious code."
That’s the worst kind of hack. You buy or update a module from a supposedly trustworthy marketplace, only to find out it’s been subverted.
Several hosts reported being affected. Community members have received notifications from Cloudie and Quikhost. Since then, more providers have reported being affected.
What’s the risk? Really, once you have a module with code of the attacker’s choosing running in your WHMCS, they can do what they want. Dumping and absconding with your database is popular.
So What Should Providers Do?
First, be very careful of modules you buy. Understand you’re giving them the “keys to the kingdom”. If it’s something you need, a security audit would not be a bad idea.
LET veteran @FatGrizzly has a great checklist:
- Changing admin URL, or restricting admin URL by IP
- Use a WAF to block requests to unneeded files. No one on the Internet needs to be fetching your configuration.php
- Restrict your DB server access to localhost
- Use strong, unique passwords for all accounts (including database)
- No exposed SSH, phpMyAdmin, etc.
- Monitor and review logs
- Use something like Imunify360 to do regular scans
- Take regular backups and test restoring them
(Thanks to @FatGrizzly for some of these suggestions).
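To make the "monitor and review logs" item concrete, here is a small log review script. It is an added example, not code from the original post or from @FatGrizzly. It flags any request for configuration.php and any admin-area request from an IP outside your management range. The combined log format, the /admin/ path and the allowlisted network are assumptions to replace with your own.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Assumptions (not from the article): combined access-log format, the admin
# directory name, and the allowlisted management network are placeholders.
ADMIN_PREFIX = "/admin/"
ADMIN_ALLOW = [ipaddress.ip_network("203.0.113.0/24")]
SENSITIVE_FILES = {"configuration.php"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def review(lines):
    """Return (ip, reason, path, status) for each request worth a look."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-HTTP line
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # client field is a hostname, not an address
        # Normalise before matching: drop the query string, decode %xx, lowercase
        path = unquote(urlsplit(m["target"]).path).lower()
        status = int(m["status"])
        if path.rsplit("/", 1)[-1] in SENSITIVE_FILES:
            findings.append((str(ip), "config-file-request", path, status))
        elif path.startswith(ADMIN_PREFIX) and not any(ip in n for n in ADMIN_ALLOW):
            findings.append((str(ip), "admin-from-unlisted-ip", path, status))
    return findings

# Constructed sample log lines using documentation IP ranges
SAMPLE = [
    '203.0.113.10 - - [01/May/2024:10:00:00 +0000] "GET /admin/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/May/2024:10:01:12 +0000] "GET /configuration.php HTTP/1.1" 403 162 "-" "curl/8.0"',
    '198.51.100.7 - - [01/May/2024:10:01:15 +0000] "POST /admin/login.php HTTP/1.1" 200 812 "-" "curl/8.0"',
    '192.0.2.44 - - [01/May/2024:10:02:00 +0000] "GET /%63onfiguration.php?x=1 HTTP/1.1" 200 0 "-" "-"',
    '192.0.2.55 - - [01/May/2024:10:03:00 +0000] "GET /cart.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(*finding, sep="\t")
```

The status column shows whether your WAF or IP restriction actually refused the request: a 403 means the control held, while a 200 on either finding type deserves a closer look.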
Have you been affected? Any advice? What happened? Let us know in the comments below or on LowEndTalk!
Sad, very sad.