WHMCS - Suspicious File Found...

Status
Not open for further replies.

UKInternetGroup

Banned
Banned
565
2012
110
0
OK, so I was transferring files from my RDP via one of my sites' FTP accounts, which happens to have WHMCS installed on the same account. Then I spotted a file which I was pretty sure wasn't a normal file, and I hadn't seen it before. So I checked with a friend in the States to see if he had this file and he said no. So basically I'm wondering if anyone else has happened to come across this file in their WHMCS root dir...

File Name: _d41f60d0
Size: 3051

With all this stuff that's been going on with WHMCS these last couple of weeks, Will be interesting to see what comes of this thread...

Note: I renamed the file to "_d41f60d0.bak" and it didn't seem to affect the way WHMCS ran...

Note: I currently have 3 sites running WHMCS (all legit) and only one has the file above...

Look forward to your posts....
 
Can you post the contents of the file...? Without the contents it is mostly impossible to research deeper, because it seems to be a randomly generated filename; admins can search for that file but perhaps on their boxes it exists at another location with another name. If you supply the file contents the search can be done fast.
 
http://i.imgur.com/LttSs.png

Code:
{"ef846c5a76d80e53634cbc6b3d453d01":{"time":"MTMzODYyMzc4OA==","value":""},"8d38fb86defd82ab9e6e2cfe03499e58":{"time":"MTMzNzg1MTk5OA==","value":"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"},"4a87b14bd6dd0f6a5ea0e6ce747e86c4":{"time":"MTMzODI5Njg5Ng==","value":""},"d13a46cb5bf229be599204dfd3e61d6d":{"time":"MTMzODI5Njg5Mg==","value":""},"97ba631ccf3a9f831bd3117eb0520559":{"time":"MTMzODI5Njg4OQ==","value":""},"da16f12275b73432c7082b4aeeb408fd":{"time":"MTMzODI5Njg4NQ==","value":""},"33f70b2b5037126041598b437d9a9dfa":{"time":"MTMzODI5Njg4MQ==","value":""},"795b2a0cfbb14b8d62580e10a8292b86":{"time":"MTMzODIxOTIwNA==","value":""},"09d51f6da87fa5fc5ec3aee33017900a":{"time":"MTMzODI4MzIxMw==","value":""},"34431fa2453690724537724988cdda1d":{"time":"MTMzODI4MzM0Mw==","value":""},"3877728b20addce4c8d8a33b8a2de83b":{"time":"MTMzODI4MzQyMg==","value":""},"c1f44e05ebe63554384b03b3b2054b4f":{"time":"MTMzODI4MzI2Mw==","value":""},"fa53b946ac42548aa0fa32ddc97edc89":{"time":"MTMzODg2MTUyMw==","value":""},"afe68c33143d6b40788e053c0008632c":{"time":"MTMzODM0NDk3Mg==","value":""},"48f892a206504997b023f26878057b7e":{"time":"MTMzODM1NjQ5NQ==","value":""}}
 
Can you use pastebin or similar to post the code... it seems to be obfuscated code.
Does the file not have any extension? .php, .cgi or similar...?
 
It's just base64 encoded,
and there is nothing malicious in it:

Code:
{"0":{"status":"1"},"146":{"ltext":"altavista","ldesc":"altavista lycos ebay google wikipedia msn about aol yahoo bing","lurl":"http:\/\/www.altavista.com\/","ltype":2},"273":{"ltext":"wikipedia","ldesc":"google wikipedia yahoo altavista lycos about ebay bing msn aol","lurl":"http:\/\/www.wikipedia.com\/","ltype":1},"400":{"ltext":"ebay","ldesc":"lycos altavista ebay bing aol google about wikipedia yahoo msn","lurl":"http:\/\/www.ebay.com\/","ltype":2},"527":{"ltext":"google","ldesc":"bing lycos ebay google altavista yahoo wikipedia about msn aol","lurl":"http:\/\/www.google.com\/","ltype":2},"654":{"ltext":"aol","ldesc":"altavista about yahoo ebay aol wikipedia msn lycos bing google","lurl":"http:\/\/www.aol.com\/","ltype":1},"781":{"ltext":"wikipedia","ldesc":"altavista lycos msn ebay bing wikipedia google aol about yahoo","lurl":"http:\/\/www.wikipedia.com\/","ltype":1},"908":{"ltext":"wikipedia","ldesc":"lycos google ebay bing altavista msn wikipedia about aol yahoo","lurl":"http:\/\/www.wikipedia.com\/","ltype":1},"1035":{"ltext":"lycos","ldesc":"altavista yahoo wikipedia ebay msn google aol lycos bing about","lurl":"http:\/\/www.lycos.com\/","ltype":2},"1162":{"ltext":"aol","ldesc":"about bing yahoo google lycos altavista msn ebay aol wikipedia","lurl":"http:\/\/www.aol.com\/","ltype":1},"1289":{"ltext":"ebay","ldesc":"lycos about yahoo google wikipedia aol bing msn altavista ebay","lurl":"http:\/\/www.ebay.com\/","ltype":2}}
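The decoding step this reply describes, written out as an added triage helper (not code from the thread or from WHMCS): each top-level entry carries a base64 "time" that decodes to a Unix epoch and a base64 "value" that, when present, decodes to JSON; the inner payload below is constructed to mirror the shape of the decoded data above, not copied from the real file.

```python
import base64
import binascii
import json
from datetime import datetime, timezone

# Constructed sample modelled on the file in the thread: top-level keys are
# 32-hex-char hashes, "time" is a base64-encoded Unix epoch, "value" is
# either empty or a base64-encoded JSON payload. The inner payload is
# constructed here; only the two "time" strings are taken from the thread.
INNER_PAYLOAD = json.dumps({
    "0": {"status": "1"},
    "146": {"ltext": "altavista", "lurl": "http://www.altavista.com/", "ltype": 2},
    "273": {"ltext": "wikipedia", "lurl": "http://www.wikipedia.com/", "ltype": 1},
})
SAMPLE_FILE = json.dumps({
    "ef846c5a76d80e53634cbc6b3d453d01": {"time": "MTMzODYyMzc4OA==", "value": ""},
    "8d38fb86defd82ab9e6e2cfe03499e58": {
        "time": "MTMzNzg1MTk5OA==",
        "value": base64.b64encode(INNER_PAYLOAD.encode()).decode(),
    },
})


def safe_b64decode(text):
    """Decode strict base64, returning None instead of raising on bad input."""
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def triage(raw):
    """Decode each entry and report its timestamp, payload type and any URLs."""
    report = {}
    for key, entry in json.loads(raw).items():
        decoded_time = safe_b64decode(entry.get("time", ""))
        epoch = int(decoded_time) if decoded_time and decoded_time.isdigit() else None
        when = (datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()
                if epoch is not None else None)
        value = safe_b64decode(entry.get("value", ""))
        urls, kind = [], "empty"
        if value:
            try:
                payload = json.loads(value)
                kind = "json"
                # Collect every "lurl" so a reviewer sees where the data points.
                urls = [v["lurl"] for v in payload.values()
                        if isinstance(v, dict) and "lurl" in v]
            except ValueError:
                kind = "binary"  # not JSON: deserves a closer look
        report[key] = {"epoch": epoch, "utc": when, "kind": kind, "urls": urls}
    return report
```

Running `triage(SAMPLE_FILE)` shows the first entry's "time" decodes to 1338623788 (2 June 2012 UTC), which lines up with when the thread was posted.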
 
Yes, it is some kind of malware; the file isn't complete, it seems the hackers couldn't succeed.
I bet that the code will be inserted as JavaScript because it seems to be written in JSON.
 
I don't think this has to do with WHMCS setup. If the script was any kind of malware, it's probably a hole in the server.

P.S.: Just wanted to remind you. WHMCS got hacked by social engineering and not any kind of exploit.
 
imo: considering the filename and content, it just looks like some hacker tried to exploit a WHMCS security hole (or a script other than WHMCS), for example by injecting some code into a form input; the output of the attack was then this crap file.

You'll probably get interesting info about this crap from reading your server logs :)
 
> I don't think this has to do with WHMCS setup. If the script was any kind of malware, it's probably a hole in the server.
>
> P.S.: Just wanted to remind you. WHMCS got hacked by social engineering and not any kind of exploit.

The original hack was social engineering, but the 3 after were not; there were two exploits found in the WHMCS script and in their forums, which were also hacked.

OT: Just delete it and do a virus scan of your server, and look through to make sure there is nothing else fishy in there. Also, as someone suggested, go through all your logs just to see what's been going on.
 
Keep your WHMCS fully updated, and be in touch with their latest security patches. Also, use an antivirus like ClamAV to keep your files clean.
 