Looks like DigiRDP got hacked based on the WHCMS theme exploit
We regret to inform you that a security breach has occurred within our systems. It has come to our attention that unauthorized access to our MySQL dump has transpired, potentially compromising sensitive information. Following our investigation, it has been determined that the breach was facilitated by a vulnerability within the Lagom theme that we were using.
As a precautionary measure, we are urging all users to promptly change their Digirdp client area and VPS/RDP passwords. This action is crucial to safeguard your account and ensure the security of your data.
To effectuate this change, please follow these steps:
Log in to your Digirdp client area immediately.
Navigate to the account settings or security section.
Change your password to a strong, unique one that you haven't used elsewhere.
For VPS/RDP passwords, navigate to Services, open each active service, scroll down to settings, and proceed to change the password.
We advise against using easily guessable passwords and encourage the utilization of a password manager to generate and securely store complex passwords.
In tandem with this action, we are undertaking a comprehensive review of our systems and instituting additional security measures to mitigate the likelihood of similar incidents in the future.
We sincerely apologize for any inconvenience this may cause you and want to assure you that we are treating this matter with the utmost seriousness. The security and privacy of our users' information are of paramount importance to us.
Should you have any questions or concerns regarding this security breach or the necessary steps to be taken, please do not hesitate to contact our support team at [email protected].
Thank you for your prompt attention to this matter.
@sh97 said:
Looks like DigiRDP got hacked based on the WHCMS theme exploit
We regret to inform you that a security breach has occurred within our systems. It has come to our attention that unauthorized access to our MySQL dump has transpired, potentially compromising sensitive information. Following our investigation, it has been determined that the breach was facilitated by a vulnerability within the Lagom theme that we were using.
I was going to post that, glad you did it first. Indeed cest pit is a good pit stop before the Mods decide if a dedicated thread is required.
@RachelMcAdams said:
Am I seeing a recent trend of hosts getting breached through WHCMS itself?
These breaches are happening purely due to addons/themes. DigiRDP used Lagom for WHMCS which is confirmed to have a security vulnerability. It's a popular theme across the hosting industry.
I have personally been able to reproduce the same exploit in a test environment with an unpatched version of Lagom. It's an extremely simple exploit that allows anyone to upload basically any file.
The best way to prevent such an exploit (without knowing about it) would be to install a WAF. The problem with this exploit and the last exploit with the HostX/ClientX theme somewhat stems from the fact that you can upload PHP files in some way. Using Cloudflare Pro (not free) WAF automatically detects PHP content in the POST request, which blocks both of these exploits from occurring, at least from what I could tell. I'm sure that there are other firewalls out there that perform similar functionality, like BitNinja. If anyone does go with the Cloudflare Pro route, make absolute sure that every request has to go through the WAF.
I was unable to replicate the same exploit with Cloudflare Pro.
@Advin said:
I have personally been able to reproduce the same exploit in a test environment with an unpatched version of Lagom. It's an extremely simple exploit that allows anyone to upload basically any file.
The best way to prevent such an exploit (without knowing about it) would be to install a WAF. The problem with this exploit and the last exploit with the HostX/ClientX theme somewhat stems from the fact that you can upload PHP files in some way. Using Cloudflare Pro (not free) WAF automatically detects PHP content in the POST request, which blocks both of these exploits from occurring, at least from what I could tell. I'm sure that there are other firewalls out there that perform similar functionality, like BitNinja. If anyone does go with the Cloudflare Pro route, make absolute sure that every request has to go through the WAF.
I was unable to replicate the same exploit with Cloudflare Pro.
The theme source code is not publicly available so it's hard for the general public to verify themselves (which is probably a good thing). There seems to be no CVE tracking this issue isn't it?
That said, getting pwned by unrestricted file upload in the [redacted] functionality is an incredibly rookie mistake.
System
Administrator
Comments
Looks like DigiRDP got hacked based on the WHCMS theme exploit
The Ultimate Speedtest Script | Get Instant Alerts on new LES/LET deals | Cheap VPS Deals
FREE KVM VPS - FreeVPS.org | FREE LXC VPS - MicroLXC
I was going to post that, glad you did it first. Indeed cest pit is a good pit stop before the Mods decide if a dedicated thread is required.
Squats are the new Push-ups
Am I seeing a recent trend of hosts getting breached through WHCMS itself?
@DigiRDP @balramm
ServerFactory aff best VPS; HostBrr aff best storage.
These breaches are happening purely due to addons/themes. DigiRDP used Lagom for WHMCS which is confirmed to have a security vulnerability. It's a popular theme across the hosting industry.
I am a representative of Advin Servers
I have personally been able to reproduce the same exploit in a test environment with an unpatched version of Lagom. It's an extremely simple exploit that allows anyone to upload basically any file.
The best way to prevent such an exploit (without knowing about it) would be to install a WAF. The problem with this exploit and the last exploit with the HostX/ClientX theme somewhat stems from the fact that you can upload PHP files in some way. Using Cloudflare Pro (not free) WAF automatically detects PHP content in the POST request, which blocks both of these exploits from occurring, at least from what I could tell. I'm sure that there are other firewalls out there that perform similar functionality, like BitNinja. If anyone does go with the Cloudflare Pro route, make absolute sure that every request has to go through the WAF.
I was unable to replicate the same exploit with Cloudflare Pro.
I am a representative of Advin Servers
Mentally strong people write own website using compiled language.
Upload PHP all you want but they don't execute.
ServerFactory aff best VPS; HostBrr aff best storage.
Bro got fancy RCE due to poor memory management
🇵🇱 KVM VPS | LG | Colocation (aff)
A joke I know, but I kinda feel that way. 90% of the website would do just fine with static on a CDN
#DeleteWordPress
#DeleteWHMCS
ServerFactory aff best VPS; HostBrr aff best storage.
I write articles on parchment and send pages via messenger pigeons upon request.
Still, there's always eagles and racoons, so no system is 100% hack-proof...
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
BikeGremlin's web-hosting reviews
no system is 100% hack-proof...
Air gap with an army of mother-in-laws standing guard. Check and mate.
The theme source code is not publicly available so it's hard for the general public to verify themselves (which is probably a good thing). There seems to be no CVE tracking this issue isn't it?
That said, getting pwned by unrestricted file upload in the [redacted] functionality is an incredibly rookie mistake.
https://lowendtalk.com/discussion/192812/hostus-critical-whmcs-data-breach
Speaking of the devil