WHMCS website and twitter Hacked and Data Leaked by UGNazi

Hackers group UGNazi hacked WHMCS.com today and leak the complete database, root files and the control panel files. WHMCS is one of the most know panel for billing and support solution for online businesses.

All files have been made available to download through a text file in pastebin. http://pastebin.com/tttTntmf. The total size of he full .rar file is over 1.7GB.

Anyone who try to access their website yesterday was redirected to ugnzi.com.
curl http://www.whmcs.com
DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.ugnazi.com/">here</a>.</p>
<hr>
<address>Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.0g DAV/2 mod_bwlimited/1.4 mod_perl/2.0.5 Perl/v5.8.8 Server at www.whmcs.com Port 80</address>
</body></html>


The data leaked included over 500, 000 compromised customers emails and ips and even credit cards.

On top of this  the twitter account of WHMCS was also hacked and post several tweets, explaining also the reasons for the hack.

 The reason for the hack as stated above is because WHMCS ignore the complains and warnings on websites that use WHMCS for scams.

Th official statement from the company’s blog

What we know for sure

1. Our server was compromised by a malicious user that proceeded to delete all files
2. We have lost new orders placed within the previous 17 hours
3. We have lost any tickets or replies submitted within the previous 17 hours

What may be at risk

1. The database appears to have been accessed
2. WHMCS.com client area passwords are stored in a hash format (as with all WHMCS installations by default) and so are safe
3. Credit card information although encrypted in the database may be at risk
4. Any support ticket content may be at risk – so if you’ve recently submitted any login details in tickets to us, and have not yet changed them again following resolution of the ticket, we recommend changing them now.

Update:

An official statement released from the hackers group explaining further the reasons for the hack

The reason for the hack and database leak of the WHMCS was due to the vulnerability WHMCS and “Matt” have. As most of you know the database contains credit cards, Really? Yup. WHMCS, the number 1 Web Hosting Client management company stores your credit card on Hostgator’s servers. By Matt hosting this huge domain on Hostgator he made himself and his domain very insecure and that is why we took action and did what we did. It is now 2 days after the attack from us and the site is back up and it still remains on Hostgator after Matt knows it is insecure. Well Matt, guess what… Here at UGNazi We laugh at your security. By releasing your files, we wanted to make it known that we are watching; and will continue to be watching. Stay Frosty.

Update 2: More info on WHMCS hack via the official WHMCS blog

Wednesday 23rd
> DDOS attack to main server continues
> DDOS Attack starts towards forum
> Forums are attacked – posts edited. vBulletin used as a point of entry. The forums, the documentation, and the blog are all hosted on a different server, entirely separate from our primary server. So this poses no new risk to our main client database. This issue is ongoing.

Unfortunately credit card details were taken, and we do urge any clients who feel their credit card might have been included in this to take appropriate steps to secure their card. Further investigations have shown that the social engineering attack did not involve the compromising of any email account. This was only done after access to the server had been gained.

We’ve been working very hard with our web hosting provider to restore and secure services. The DDOS mitigation continues to be ongoing and we are doing everything we can to limit the impact of this.

Our main priority until now has been getting our main site back online, secured, and operational, so that we could bring our WHMCS installation back online to open up a route of communication to you, our users, and start dealing with any questions and concerns as quickly as possible.

As soon as we have things completely back under control, we will be reviewing all our systems and operating procedures, and making changes as and where appropriate. Steps are already in progress to migrate to a new hosting infrastructure as a first priority. This will likely mean some brief downtime in the coming hours.

As I’m sure you can imagine, we are currently receiving a very large number of support tickets and enquiries, and we’re doing all we can to answer them as quickly as possible. Your continued patience & support in these testing times is greatly appreciated.

The whole WHMCS team has been working extremely hard, and I’d like to take this opportunity to thank them as well for all their efforts in the past 36 hours.

— Our Twitter Account remains out of our control. Does anybody know of any way to contact them or get any assistance from their side to regain control? We have got no response to our requests to them in over 36 hours now

Leave a Reply