  1. #1

    WHMCS major protection

    Just thought I would be nice and tell you about a little secret not so many people realize and about 85% of all web hosting companies fail to secure.

    In your WHM, usually /home/ur-username/public_html/site/whmcs/configuration.php is viewable to read.

    Now let's say the server's PHP functions allow you to view it via


    Code:
    cat /home/ur-username/public_html/site/whmcs/config.php

    A person can easily have a shell up and gain MySQL access and add a new username to your WHMCS admin and then can easily go to your admin page and log in.

    Now how to secure it is this:

    Install WHMCS (if you already installed it, disregard that).
    chmod configuration.php 700, as well as any other configuration files which may leave your hosting vulnerable to said problem.


    The other way of doing it is with disable_functions and suPHP and CGI safe mode. I'll post screenshots of how to do it with cPanel and WHMCS. This is mainly for people with their own VPSs/dedicated servers.

    Okay, log in to WHM and search for EasyApache.

    Click EasyApache.

    After that, click "Start customizing based on profile", click Apache 2.2, click Next, select PHP 5, click Next, click PHP 5.2.9/PHP 5.2.8, click Next.


    Now we're at the important part.
    Check the following:
    Mod SuPHP
    IonCube Loader for PHP
    EAccelerator for PHP
    Mod Bandwidth
    Mod Security
    Mod Perl
    Suhosin for PHP
    Zend Optimizer for PHP

    Then click Exhaustive Options.

    Ignore all the other shit, it's fine. Ctrl + F in Firefox and look for

    Safe PHP CGI

    Check it. This makes it so you can't inject a new php.ini and override the current PHP security configuration.

    Click Save and Build. It may take some time depending on the specifications of your server/VPS (RAM/CPU). After it's all done, download PuTTY if you don't already have it and SSH to your server (if you need help doing this, PM me) and find your PHP configuration file (cPanel default: /usr/local/lib/php.ini). Type nano /usr/local/lib/php.ini, press Ctrl + W and type in disable_functions.

    It will jump to a line that's probably like this: disable_functions = . On the end of that, we're going to change it to

    disable_functions = "symlink,shell_exec,exec,proc_close,proc_open,popen,system,dl,passthru,escapeshellarg,escapeshellcmd"



    This is VERY VERY VERY basic, just to keep people out of your box. There's PLENTY of other things you should do, but this will work fine.

    Thanks to pimpnj for stating what to do
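
An added example, not part of the original post: a small audit that reports which functions from the list above are still missing from `disable_functions`, and whether a configuration file is readable by other accounts. It matches whole names only, so a name broken by a stray space is reported as missing; the temporary directory and sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: defensive audit of php.ini and a config file's mode bits.
# REQUIRED is the function list given in the post above.
REQUIRED="symlink shell_exec exec proc_close proc_open popen system dl
passthru escapeshellarg escapeshellcmd"

# Print every REQUIRED name that is not a whole entry of disable_functions.
missing_disabled() {
    # Last uncommented directive; drop key, quotes, CR; commas become spaces.
    value=$(grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$1" |
        tail -n 1 | sed -e 's/^[^=]*=//' | tr -d '"\r' | tr "'," '  ')
    for fn in $REQUIRED; do
        found=no
        for tok in $value; do
            if [ "$tok" = "$fn" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then printf '%s\n' "$fn"; fi
    done
}

# Succeed (exit 0) if the file's "other" permission digit has the read bit.
world_readable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    other=${mode#"${mode%?}"}   # last octal digit
    [ $(( other & 4 )) -ne 0 ]
}

# Constructed sample input (not from a real server): one name is broken
# by a stray space, a typical copy/paste slip.
demo_dir=$(mktemp -d)
cat > "$demo_dir/php.ini" <<'EOF'
; constructed sample
disable_functions = "symlink,shell_exec,exec,proc_close,proc_open, pope n,system,dl,passthru,escapeshellarg,escapeshellcmd"
EOF
: > "$demo_dir/configuration.php"
chmod 644 "$demo_dir/configuration.php"

echo "not disabled: $(missing_disabled "$demo_dir/php.ini" | tr '\n' ' ')"
if world_readable "$demo_dir/configuration.php"; then
    echo "configuration.php is readable by other accounts"
fi
```

Whether the world-readable bit can be dropped depends on the PHP handler: under suPHP, scripts run as the account owner, so the file does not need to be readable by other accounts.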

  2. #2
    Join Date
    Sep 2005
    Posts
    6,039

    Hi

    Your WHMCS will stop working if you set your configuration.php to 700 permission.

    644 permission should be fine. One should always keep remote mysql disabled on the server and keep the port 3306 blocked in the CSF firewall. You should never add any remote access host for your mysql database.

    Remember to move your templates_c, downloads and attachments directory below your public_html directory. You should rename your admin area to something that one should not be able to guess.
    UK Web Hosting || Business Hosting || eUKhost Knowledgebase
    Toll Free : 0808 262 0255 || Skype : mark_ducadi
    A bunch of Sheep led by a Lion is better than a bunch of Lions led by a Sheep.
    __________________________________________________

    Please email cmo[at]eukhost.com if you have any questions or need my assistance

  3. #3
    Join Date
    Oct 2006
    Location
    localhost
    Posts
    3,375

    Quote: Originally posted by eUKhost.com
        Remember to move your templates_c, downloads and attachments directory below your public_html directory. You should rename your admin area to something that one should not be able to guess.

    Similar security-related settings are mentioned here, which can be applied to any WHMCS installation, whether Windows or Linux:

    http://www.eukhost.com/forums/f15/ho...-windows-7314/


    Rock _a.k.a._ Jack
    Windows Hosting || Windows Reseller Hosting
    Cloud Hosting 100% UPTIME! || Powerful Dedicated Servers
    Follow eUKhost on Twitter || Join eUKhost Community on Facebook

    For complaints, grievances or suggestions kindly email our FeedBack Dept.
    Proper action will be taken accordingly & instantaneously!

  4. #4

    "One should always keep remote mysql disabled"

    Well, I don't do it remotely. I usually upload a c99 shell with a MySQL connection inside of it, so you're connecting on localhost and not remotely.


  5. #5
    Join Date
    Sep 2005
    Posts
    6,039

    Quote: Originally posted by XXxxImmortal
        Well, I don't do it remotely. I usually upload a c99 shell with a MySQL connection inside of it, so you're connecting on localhost and not remotely.

    You won't manage to upload c99 if mod_security is enabled and vulnerable php modules are disabled in php.ini.

  6. #6

    lol, you wanna bet?

    But true, if some functions are disabled in php.ini then you're safe, but that still doesn't stop you from MySQL.

  7. #7
    Join Date
    Sep 2005
    Posts
    6,039

    Quote: Originally posted by XXxxImmortal
        lol, you wanna bet?

        But true, if some functions are disabled in php.ini then you're safe, but that still doesn't stop you from MySQL.

    What I mentioned in the other thread is all that you need to protect your server from c99 upload.

  8. #8

    Unless it's encrypted. I made a shell c99 that can disable certain PHP functions. Once I finish it, I'll report it to the developers of PHP so they can secure it more. I'll show you guys a sample once I get in beta.

  9. #9
    Join Date
    Sep 2005
    Posts
    6,039

    Quote: Originally posted by XXxxImmortal
        Unless it's encrypted. I made a shell c99 that can disable certain PHP functions. Once I finish it, I'll report it to the developers of PHP so they can secure it more. I'll show you guys a sample once I get in beta.

    Okay.

    You are most welcome to let me know and I will escalate it to our known contacts in The PHP Group.

  10. #10

    It's not complete yet. I have to finish encrypting some of it. Most web servers have this script that scans for STRINGS inside scripts, so I changed all of the names to something like it's legit and encrypted this source.
