Many questions arise from this and from the information provided so far it looks like very little steps were done to prevent such incidents, most important of all – how did his email get accessed in the first place.

It seems like some basic security steps could have prevented this and most importantly, prevented the leak of all the customers details, credit cards, support tickets, internal emails and a whole treasure trove of information from now circulating through-out the internet.

Following an initial investigation I can report that what occurred today was the result of a social engineering attack.

The person was able to impersonate myself with our web hosting company, and provide correct answers to their verification questions. And thereby gain access to our client account with the host, and ultimately change the email and then request a mailing of the access details.

This means that there was no actual hacking of our server. They were ultimately given the access details.

This is obviously a terrible situation, and very unfortunate, but rest assured that this was no issue or vulnerability with the WHMCS software itself.

We are immediately reviewing all of our hosting arrangements, and will be migrating to a new setup at the earliest opportunity.

I would like to take this opportunity to thank all of you who have sent in messages of support, and offers of help. It has clearly been a very stressful time, and I thank everyone both personally and on behalf of WHMCS for their loyalty and support.

The matter is now in the hands of the FBI.

The attackers have posted much more information at their twitter feed: http://twitter.com/#!/UGNazi

So in effort to find the initial cause of this with no real data to work from I had a search around the system for the usual suspects but couldn’t find any particular culprit. Manually inspecting nearly 2 million files was not an option so opted to carry on with the usual setup and enforced posix ACL’s against the apache user and setup some more explicit bandwidth monitoring to obtain data when an attack was occurring.

A few hours later an alert came in that the outbound bandwidth exceeded the threshold so I promptly begin investigating, The process list doesn’t seem to show any obvious usual culprits. After spending a few minutes with iftop and tcpdump I identified the targeted IP and that the traffic was being directed to a DNS server (port 53). I filtered traffic to this IP while investigating the source, as there was no unusual processes I decided to have alook at the apache status and found the GET request containing the destination IP and port (xxx.php?target=xx.xx.xx.xx&port=53).

I got the vhosts path from the httpd.conf and reviewed the file and it looks like a simple php script to perform a UDP flood to the target,

$sock=socket_create(AF_INET,SOCK_DGRAM,SOL_UDP);

if(!$sock) die(“Cant Create Socket!!!”);

$data=”;
for($i=0;$i<1400;$i++)
{
$data.=chr(rand(0,255));
}

while(true)
{
if(!socket_sendto($sock,$data,strlen($data),0,$target,$port)) die(“Error SendTo!!!”);
}

That is a snippet of it. It is very unusual to see these PHP based which is the reason for this blog entry and a definite new addition to the search list.

For those of you interested the customer already had MRTG installed and below is the last week which shows the attack saturating the uplink (100Mbit) when it was occurring but has since been stopped.

After all these years you would think basic password security would be drilled into everyone who uses the Internet, yet time and time again I always come across people who still have not learned the basics.  Really what is so hard about remembering a password that is not text only?  One simple `odd` character in the word would make it a reasonable secure password.  Yet people still do not get the message that adding just one character really makes a difference.

When I see people who get compromised due to passwords it just makes me cringe.  I have yet to understand why they do not learn until someone takes advantage of their weak password.  It happens so often now I even have an example ready now for weak passwords.

You can still have a secure password which is easy to remember, it does not have to be full of random characters, just one or two really does make a difference.

Take my name for example, Scott Mcintyre, that’s 13 characters long and easy to remember all you have to do now is throw a few odd characters in there such as,

Sc0tt`Mcintyr?e

Which is easy to remember, it includes capitals and has a number, and is more than 10 characters.

Do you test you’re passwords?

Now it brought me on to the fact that does anyone actually test their password against dictionaries?  Both users and system administrators should test them regularly and the reaction I get when I guess the passwords is quite strange as if it has never happened before.

System Administrators

I personally only work with *NIX and test passwords atleast once a week on every single server with user accounts I manage.  On one time work the successrate for more than 100 passwords is generally 1-10%, however today I did get a 58% success-rate which sparked this entry.

As a *NIX administrator I feel it’s my job to ensure peoples passwords are updated also, I often use tools like John The Ripper against the /etc/shadow file to acheive this.  You may view my guide /etc/shadow password testing if you are unsure how to this.

End Users

End users should not have to test their passwords and should be using a password that gives them 100% reassurance.  Ultimately if you feel the need to check you’re password against dictionaries then you’re password is not good enough.

Multiple Locations

Do you use you’re password in multiple locations?  If so why? While it might be easy to remember it always leads to problems if by the off chance you’re password was ever compromised.  I feel this form of basic password security is the one that is the one that is not taken seriously the most.  I used to do it myself however have since realized it was bad just because of the number of people I have been bad things happen to.  There are methods of keeping you’re same password principal yet not using the same password. Take our above example,

Sc0tt`Mcintyr?e

You could change the position of the question mark for each different location, such as you’re instant messenger password could be S?c0tt`Mcintyre and you’re email could be Sc?0tt`Mcintyre, this is just different variations yet it keeps you’re password simple to remember.

Changing passwords

Do you change you’re password after a certain period?  This is generally a good idea if you use the same password in multiple locations.  Personally I do change my passwords around once every 3-4 months.  I do it so I can remember them easier, newer passwords will stay fresh in the mind whilst older passwords can be forgotten and confused with others.

Conclusion

As it seems I have joined the list of thousands, possible millions, of other articles/rants about password security but I think it has to be said that it’s quite shocking the number of people that totally ignore the basic concept.

Some big music corporation sites have been defaced both sonymusicstudios.co.uk and warnermusic.com.tw.

Could this be a result of ThePirateBay going down recently? Could it be a coincidence, I think not.  It makes me wonder what will happen in the next few weeks because I suspect there will be a waive of these type of defacements.

One comment states,

“Just wait for the defacements tomorrow is all I can say.. (PRQ/TPB aren’t to be taken lightly when it comes to defacement support..)”

Which does indicate we should expect to see more of this in the coming days.

I wonder how both Sony and Warner Music will respond to these attacks.