Today I tried to access my WHMCS admin but I couldn't. Someone had entered my system, removed my admin and added his own.

I figured out how to protect my admin panel through .htaccess allowing only my IP, and I have undone the changes he made in my system. But it doesn't solve the fact that my system has a vulnerability and someone can exploit it.

This is the hacker activity, can anyone see the exploit logic here?

Hacker activity on my WHMCS installation

Anders
Artur Haddad
  • Possible duplicate of [How do I deal with a compromised server?](http://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromised-server) – Matthew Jan 25 '17 at 14:50
  • He wants to understand how his system was compromised to fix it. He posted an activity log of the hacker, I think it's of good will if we let someone answer it.... – Lucas Bustamante Jan 25 '17 at 14:51
  • Could be anything - they might have guessed your password, found a flaw in an upload form, found an SQL injection point, or any number of other issues. The key thing is that you can't be sure that you've found all the things they did - you have to treat the server as compromised. – Matthew Jan 25 '17 at 14:52
  • I see. Thanks for your answer. It indeed makes sense, because it seems the hacker already knew the admin user before getting into the attacks, so it wasn't just brute force... He probably found some breach before that. – Lucas Bustamante Jan 25 '17 at 14:56
  • "WHMCS" that is your problem. See http://www.anchor.com.au/hosting/development/we_hate_plesk_and_cpanel, http://slugmax.motd.org/cpanel-sucks.html, http://www.xentime.com/blog/cpanel-is-a-gift-for-hacker/, https://www.reddit.com/r/webhosting/comments/tye79/whmcs_hack_goes_from_bad_to_worse/. – André Borie Jan 25 '17 at 14:57

0 Answers