This means that there was no actual hacking of our server.
Oh, so that's all right then.
The weakest part of any network is the 'dumb fucks' in charge of it.
Epic fail
WHMCS, which provides billing and customer support tech to many web hosts, was comprehensively hacked on Monday and remains offline. Hackers tricked WHMCS's own hosting firm into handing over admin credentials to its servers. The group that carried out the hack, UGNazi, subsequently extracted the billing company's database …
Yes, the database was released on twitter which has a list of absolutely everything. This includes:
- credit card numbers
- full name and address
- security questions/answers
- email history (some even include root logins to other web hosts)
- invoice history of each company
- pricing tier of each company
- affiliate history
- password reset reminders
- license keys and who is using those license keys
- admin logs and admin activity logs
And so much more.
Yes, when normally the people running the scams crack the software so they don't have to pay for it.
Dump and Run scams are far too widespread and, although annoying, I'm not sure how they would know they would be running scams; it's more than likely going to affect the smaller web hosts relying on it to help run their business.
Oh, and fail for leaving the decryption key in the open!
Domain name: websitewelcome.com
Administrative Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (ntlfqyxhc@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4259744730
PMB 368, 14150 NE 20th St - F1
C/O websitewelcome.com
Bellevue, WA 98007
US
I thought only scammers and hackers used PP?
Something doesn't add up in the terminology here: "Card information was salted and hashed". What use is a hashed credit card number, either to Bad Guys or indeed to the service itself? More likely they were symmetrically encrypted and the passphrase stored in the filesystem somehow. That does at least mean that the DB replicating backups are not sensitive in themselves.
The problem of how to protect information in the DB, private keys etc. from a root attacker is always a tricky one. You could demand entry of the passphrase at startup but that prevents unattended restart, and in theory a really determined attacker could get it out of memory if they can get access to the running daemon.
Of course the trick is to avoid getting rooted in the first place... When your hosting provider demands your root password, refuse, quoting this story!
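The design sketched in the comment above (cards symmetrically encrypted, with the key unlocked by a passphrase the operator types at startup so that a database dump on its own is worthless) can be shown end to end. This is an added example and not anything from WHMCS or the commenters; it uses only the Python standard library, so an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC stands in for the AES-GCM you would use in practice, and the card number is a constructed test value. The keyfile, the DB rows and the passphrase-derived key are all hypothetical names.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Key-encryption key from the operator's startup passphrase (memory-hard KDF)."""
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def _subkeys(key: bytes):
    # Separate keys for the keystream and the MAC, both derived from one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode over HMAC-SHA256 as the PRF (stdlib stand-in for a block cipher).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CardVault:
    """Card data is encrypted under a random data-encryption key (DEK). The DEK is stored
    only wrapped under the passphrase-derived KEK, so the keyfile plus the DB rows are
    useless to whoever copies them; the unwrapped DEK exists only in this process's memory."""

    @staticmethod
    def initialise(passphrase: str) -> dict:
        """One-time setup: produce the keyfile that sits next to the database."""
        salt = secrets.token_bytes(16)
        dek = secrets.token_bytes(32)
        return {"salt": salt, "wrapped_dek": encrypt(derive_kek(passphrase, salt), dek)}

    def __init__(self, keyfile: dict, passphrase: str):
        # Startup: operator enters the passphrase; a wrong one fails the MAC on the wrapped DEK.
        kek = derive_kek(passphrase, keyfile["salt"])
        self._dek = decrypt(kek, keyfile["wrapped_dek"])

    def store(self, pan: str) -> bytes:
        """What actually lands in the DB row: an authenticated ciphertext, not the PAN."""
        return encrypt(self._dek, pan.encode())

    def reveal(self, row: bytes) -> str:
        """What the billing service can do that a hash could never allow: get the PAN back."""
        return decrypt(self._dek, row).decode()


def demo():
    # Constructed test card number (Visa test PAN); constructed passphrase.
    keyfile = CardVault.initialise("correct horse battery staple")
    vault = CardVault(keyfile, "correct horse battery staple")
    row = vault.store("4111111111111111")
    # A fresh process that restarts with the passphrase recovers the card...
    recovered = CardVault(keyfile, "correct horse battery staple").reveal(row)
    # ...while a dump (row + keyfile) without the passphrase does not.
    try:
        CardVault(keyfile, "guess")
        dump_alone_suffices = True
    except ValueError:
        dump_alone_suffices = False
    return recovered, dump_alone_suffices


if __name__ == "__main__":
    print(demo())
```

The caveat the same comment raises still applies: an attacker with root on the running box can read the unwrapped DEK out of process memory, so this protects backups, replicas and offline copies of the database, not a live compromised server.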