3 out of 4 members found this post helpful.
The WHMCS site was attacked. Servers and databases have been compromised
Today I received an email from WHMCS (because a while ago I bought from them a piece of software for managing hosting accounts) saying they suffered an attack that compromised their servers and databases.
The email reads as follows:
Unfortunately today we were the victim of a malicious social engineering attack which has resulted in our server being accessed, and our database being compromised.
To clarify, this was no hack of the WHMCS software itself, nor a hack of our server. It was through social engineering that the login details were obtained.
As a result of this, we recommend that everybody change any passwords that they have ever used for our client area, or provided via support ticket to us, immediately.
Regrettably as this was our billing system database, if you pay us by credit card (excluding PayPal) then your card details may also be at risk.
This is just a very brief email to alert you of the situation, as we are currently working very hard to ensure everything is back online & functioning correctly, and I will be writing to you again shortly.
We would like to offer our sincere apologies for any inconvenience caused. We appreciate your support, now more than ever in this challenging time.
So everyone who has a WHMCS account is asked to change their password urgently.
On their blog there are some additional details about the attack and what data was compromised.
What we know for sure
1. Our server was compromised by a malicious user that proceeded to delete all files
2. We have lost new orders placed within the previous 17 hours
3. We have lost any tickets or replies submitted within the previous 17 hours
What may be at risk
1. The database appears to have been accessed
2. WHMCS.com client area passwords are stored in a hash format (as with all WHMCS installations by default) and so are safe
3. Credit card information although encrypted in the database may be at risk
4. Any support ticket content may be at risk - so if you've recently submitted any login details in tickets to us, and have not yet changed them again following resolution of the ticket, we recommend changing them now.
2 out of 2 members found this post helpful.
The discussions are long and the opinions are many.
I deduced the following (the interpretation is purely personal, I may be wrong):
- WHMCS was hosted at HostGator;
- the attackers first compromised an email address, which they then used to obtain the access credentials for the server;
- along with compromising the email address (or the server, this isn't very clear to me), the hackers also compromised WHMCS's Twitter account;
- once they reached the server, the rest is public;
- all the data totals 1.7GB, the emails exchanged by WHMCS being in there as well;
IMHO, what did HG do wrong?
- the procedure for verifying the owner of services is too simple (it only takes the customer's email address into account); a phone call to the contact person would have been enough
IMHO, what did WHMCS do wrong?
- it accepted the risks of a cheap company like HostGator; there are datacenters (you don't have to think of spaceships, dataplex.hu can serve as an example) where authentication is very rigorous and always involves double or triple verification;
- it (most likely) used one and the same email address to authenticate to multiple services;
- apparently it ignored the attackers' warnings, who supposedly notified it in advance; this is only a statement by the ugnazi group, so it doesn't necessarily have to be taken into account
- it stored card data; with HG's cheap infrastructure, you don't need a PhD in risk management to realize that this is not done; it would have been enough to accept only PayPal payments and the impact would have been much smaller.
- it's odd (this is just a supposition): if you have csf installed, you receive an email on every SSH login and every sudo. Why didn't WHMCS restrict SSH access to certain IP addresses only, and why wasn't it alerted to the unauthorized SSH access?
How was I affected?
- my personal email address is public. Let it be a lesson to me, paranoia is good on the internet.
What we can learn:
- WHMCS itself is a good product; unfortunately the management around it lowers its value;
- if a hacker is motivated enough, they will find a way in even to the best guarded infrastructures;
- use distinct email addresses, even if they are only aliases, for each of the services where an email is needed for authentication;
- follow sensitive information from one end to the other and try to find the weak points in the chain
===
@metrix1977, don't throw stones if you don't know the facts
.:|:.
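The post above asks why the SSH logins were not restricted to known addresses and why nobody was alerted. The following is an added example, not code from the thread, from WHMCS or from csf: it reads standard OpenSSH auth log lines and reports every successful login whose source address falls outside an allowlist of management networks. The allowlist, the host name "billing" and the sample log lines are constructed for the example; the only assumption about the log format is the usual sshd "Accepted <method> for <user> from <ip> port <n> ssh2" line.

```python
"""Allowlist check for successful SSH logins in an OpenSSH auth log.

Added example, not code from the forum thread or from WHMCS/csf. It assumes the
standard OpenSSH "Accepted <method> for <user> from <ip> port <n> ssh2" line
format; the allowlist and the sample log lines below are constructed.
"""
import ipaddress
import re

# Constructed allowlist: the networks from which SSH logins are expected.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),  # TEST-NET-3, stands in for an office range
    ipaddress.ip_network("192.0.2.10/32"),   # TEST-NET-1, stands in for a jump host
]

# Matches the successful-login line that sshd writes to auth.log / secure.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def is_allowed(ip_text, networks=ALLOWED_NETWORKS):
    """True if the address falls inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparsable address is treated as not allowed
    return any(addr in net for net in networks)


def find_unexpected_logins(lines, networks=ALLOWED_NETWORKS):
    """Return (user, ip, method) for every accepted login outside the allowlist.

    Failed attempts, disconnects and other sshd lines are ignored: the point is
    to notice a login that succeeded from somewhere it should not have.
    """
    alerts = []
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if m is None:
            continue
        if not is_allowed(m.group("ip"), networks):
            alerts.append((m.group("user"), m.group("ip"), m.group("method")))
    return alerts


# Constructed sample lines in the format of a Debian/Ubuntu auth.log.
SAMPLE_LOG = [
    "May 21 10:02:11 billing sshd[1201]: Accepted publickey for deploy from 203.0.113.45 port 51122 ssh2",
    "May 21 10:05:37 billing sshd[1230]: Failed password for root from 198.51.100.7 port 40101 ssh2",
    "May 21 10:06:02 billing sshd[1233]: Accepted password for root from 198.51.100.7 port 40105 ssh2",
    "May 21 10:07:49 billing sshd[1240]: Accepted publickey for ops from 192.0.2.10 port 33012 ssh2",
]

if __name__ == "__main__":
    for user, ip, method in find_unexpected_logins(SAMPLE_LOG):
        print(f"ALERT: {method} login for {user} from {ip} is outside the allowlist")
```

Run against the sample it reports only the password login for root from 198.51.100.7; the two key-based logins from allowlisted networks are silent. In practice this kind of check is the detection half of what the post describes: the prevention half is restricting sshd itself to the same networks, so that a login from elsewhere is refused rather than merely reported.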
1 out of 1 members found this post helpful.
He has 4 red dots, it doesn't influence you at all, I don't see why that would bother you.... Generally only those with red squares are frustrated and retaliate -. Too bad they hand them out for nothing.