Serious Direct Admin Security Concerns + UDP Attack Script Installed

Well, it still remains that after they know the user they must find out the password, and a good sysadmin would secure SSH access with a firewall that bans when too many sshd login failures appear... don't you think?
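The kind of "ban after too many sshd failures" rule the post above refers to, as an added example that is not part of the original thread and not the poster's own setup: it parses constructed sample lines in the format sshd writes to /var/log/auth.log or /var/log/secure, counts failures per source address inside a sliding time window, and renders the iptables rules a ban script would apply. The year (syslog lines carry none), the addresses (documentation ranges) and the port 4455 used in the usage call are assumptions; a production deployment would normally use fail2ban or similar rather than this script.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd auth log lines (syslog format, no year).
# Addresses are documentation ranges; nothing here comes from the incident.
SAMPLE_AUTH_LOG = """\
Jun  3 10:01:02 host sshd[2101]: Failed password for invalid user oracle from 203.0.113.7 port 51022 ssh2
Jun  3 10:01:05 host sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 51030 ssh2
Jun  3 10:01:09 host sshd[2105]: Failed password for root from 203.0.113.7 port 51041 ssh2
Jun  3 10:01:12 host sshd[2107]: Failed password for root from 203.0.113.7 port 51048 ssh2
Jun  3 10:01:15 host sshd[2109]: Failed password for admin from 203.0.113.7 port 51052 ssh2
Jun  3 10:02:00 host sshd[2111]: Accepted publickey for admin from 198.51.100.20 port 40010 ssh2
Jun  3 10:05:00 host sshd[2113]: Failed password for admin from 198.51.100.20 port 40012 ssh2
Jun  3 10:40:00 host sshd[2115]: Failed password for admin from 198.51.100.20 port 40013 ssh2
Jun  3 11:20:00 host sshd[2117]: Failed password for admin from 198.51.100.20 port 40014 ssh2
"""

# Matches both forms of sshd's failure line (known user and "invalid user").
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2012):
    """Return a list of (timestamp, source_ip, username) for each failed login.

    Syslog timestamps carry no year, so one is supplied (hypothetical default).
    Accepted logins and unrelated lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def ips_to_ban(events, threshold=5, window_seconds=600):
    """Sliding-window count: an IP is banned once it produces `threshold`
    failures inside any span of `window_seconds`. Returns {ip: decision_time}."""
    by_ip = defaultdict(list)
    for ts, ip, _user in sorted(events):
        by_ip[ip].append(ts)
    banned = {}
    for ip, times in by_ip.items():
        start = 0
        for end, t in enumerate(times):
            # Drop failures that fell out of the window ending at t.
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                banned[ip] = t
                break
    return banned


def ban_commands(banned, ssh_port=22):
    """Render the firewall rules a ban script would apply (iptables syntax)."""
    return [
        f"iptables -I INPUT -s {ip} -p tcp --dport {ssh_port} -j DROP"
        for ip in sorted(banned)
    ]


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_AUTH_LOG)
    # Non-standard port as an assumed local setting, as discussed in the thread.
    for cmd in ban_commands(ips_to_ban(failures), ssh_port=4455):
        print(cmd)
```

On the sample, 203.0.113.7 produces five failures in thirteen seconds and is banned; 198.51.100.20 produces three failures spread over 75 minutes, which a ten-minute window correctly ignores, so the threshold and window together decide what counts as an attack rather than a forgetful admin.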
 
Yes, but do you want your attacker to know that your SSH port is 4455 instead of 22? And that the allowed users are Admin and Root? Why should you be giving out this info?


We do not put the DirectAdmin admin account into a billing system; we use a separately created reseller for these purposes. A billing system should run on a secured server (a dedicated server or VPS with a very limited list of services running there), isolated from your customers' accounts.
 
WHMCS requires the username and password of the admin to DA. This is the requirement if you want to gather account stats and/or you want to use it to deploy system accounts at signup. I did not design WHMCS, but that seems to be the only solution, don't you think?

ModernBill is the same. When there is integration and account deployment, that's the solution they give you.
 
Actually I suppose (not sure, I don't use WHMCS) that it wants an account that can create accounts, and that you can provide whatever user and password you want... so a reseller should work as well. Of course a reseller can't create other resellers... but you should create another admin just for that use, so your "main" admin will still work if WHMCS gets hacked, as happened to you.

Regards
 
WHMCS requires the username and password of the admin to DA. This is the requirement if you want to gather account stats and/or you want to use it to deploy system accounts at signup. I did not design WHMCS, but that seems to be the only solution, don't you think?

ModernBill is the same. When there is integration and account deployment, that's the solution they give you.

I really doubt it. Please give us a link to prove it.

A reseller has no fewer permissions regarding gathering stats of an account, creating a new one, suspending/unsuspending and deleting existing ones.
 
Anyway, it is not a wise thing to blame DirectAdmin that you were hacked (though being hacked is a nasty feeling). Now you've got new experience and learned some new things (I hope you did), and it's up to you whether you are going to cope with the problem and keep going. So you'd better take the best recommendations from here and start a new secured server for moving accounts, as your current server might need to get formatted.
 
Like SeLLeRoNe said, you need to restrict a new admin account used by WHMCS. John linked the features on how to do it on page 2.

You could also pitch the idea to WHMCS; they could make those scripts and make them available to their customers. But that probably takes time, if they even want to. They should, though.

If anything, it's clearly an issue for WHMCS. DA provides the means to restrict accounts for API purposes, but WHMCS didn't do anything with it, and apparently even encourages people to just fill in their full admin account.
 
I'm not going to get into a pissing match here, but do you think a reseller can get server stats? WHMCS displays server stats for every server in your network on the front page. I doubt they would let resellers gather this info.
 
Anyway, it is not a wise thing to blame DirectAdmin that you were hacked (though being hacked is a nasty feeling).

Hey, I didn't say I blamed DA; I said a WHMCS script was to blame. Where did I say I blamed DA? I said, if you read my message from start to finish, that DA was insecure, and it is, but that's a different story for another time. I said the guy logged into my phpMyAdmin and grabbed the password and username. I did my own analysis on this from the start and I was correct.
Besides, my logs for WHMCS say that he didn't log into my WHMCS to click over into DA. There is no proof he logged into WHMCS, as there is no record of him doing so. And he didn't wipe any logs clean, because the logins for WHMCS follow in sequence from my previous logins. There is no record of him ever logging in there to start with. So that theory is out.

He logged in directly on port 2222, http://domain:2222. How do I know that? Because it's recorded as such in the history. In the history it shows that he logged into DA directly, not through WHMCS. Therefore I am to assume that he got my password stored in a DB and used it to log directly into my account.
 
Actually he logged into phpMyAdmin because he had the MySQL login from the cart bug, I suppose, which is not related in any way to DA, and DA is not insecure; it is WHMCS that had a bug and let a user log into DA, because WHMCS stores the DA login account without much security.

Regarding server stats, again, create a second admin for that... not too hard.

Actually, by the way, a reseller can have system information on his page, but I'm not sure if this is what you mean by "server stats".

Regards
 
I'm not going to get into a pissing match here, but do you think a reseller can get server stats? WHMCS displays server stats for every server in your network on the front page. I doubt they would let resellers gather this info.

Why don't you test it and update us with your findings? As I see it, a reseller would be enough for all operations.

And here is what the official docs say:

Begin by creating a new server under Setup > Servers > Add New Server. Select Directadmin from the 'Type' dropdown menu and fill in the login details. These should be for a reseller user on your server to which your hosting packages belong.

http://docs.whmcs.com/DirectAdmin
 
Hello,

If anyone is interested, the Login Keys feature is essentially finished:
http://www.directadmin.com/features.php?id=1298

If you'd like to test it out, grab the binaries from the pre-release section:
http://help.directadmin.com/item.php?id=408

The application in this case is that you can both restrict the IPs that this password is allowed to connect from (set it to the IP of WHMCS) and the commands it's allowed to run (set those to the commands WHMCS needs, or leave them blank if unsure).

I've done some basic testing with it; it seems to be working correctly, but it's a significant code change, so there may still be the odd bug.

John
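A model of the scoping John describes (a key that is only accepted from listed source IPs and only for listed commands, with an empty list meaning unrestricted), as an added example that is not DirectAdmin's own code and says nothing about how the real Login Keys feature is implemented. The record layout, the `make_key_record`/`authorize` helpers and the sample addresses are assumptions; the command names in the usage call are the sort of DirectAdmin API commands a billing system calls, used here only as strings to match on. The example also stores only a hash of the key, in contrast to the plaintext admin password the thread complains about.

```python
import hashlib
import hmac
import ipaddress
import secrets


def make_key_record(allowed_ips=(), allowed_commands=()):
    """Generate a login key and the record the server keeps for it (hypothetical layout).

    Only a SHA-256 of the key is stored. The key itself is 256 random bits,
    so a slow password KDF is unnecessary, unlike for a human-chosen password.
    Empty allow-lists mean "unrestricted", mirroring "leave them blank if unsure"."""
    key = secrets.token_hex(32)
    record = {
        "key_sha256": hashlib.sha256(key.encode()).hexdigest(),
        # Entries may be single addresses or CIDR ranges.
        "allowed_ips": [ipaddress.ip_network(ip, strict=False) for ip in allowed_ips],
        "allowed_commands": frozenset(allowed_commands),
    }
    return key, record


def authorize(record, presented_key, source_ip, command):
    """Decide one API request against a stored record. Returns (allowed, reason)."""
    presented = hashlib.sha256(presented_key.encode()).hexdigest()
    # Constant-time comparison so a wrong key cannot be distinguished by timing.
    if not hmac.compare_digest(presented, record["key_sha256"]):
        return False, "key mismatch"
    ip = ipaddress.ip_address(source_ip)
    if record["allowed_ips"] and not any(ip in net for net in record["allowed_ips"]):
        return False, f"source {source_ip} not in allowed IP list"
    if record["allowed_commands"] and command not in record["allowed_commands"]:
        return False, f"{command} not in allowed command list"
    return True, "ok"


if __name__ == "__main__":
    # Constructed example: a key scoped to the billing server's address and to
    # the two commands it needs (create an account, read an account's usage).
    key, rec = make_key_record(
        allowed_ips=["198.51.100.20"],
        allowed_commands=["CMD_API_ACCOUNT_USER", "CMD_API_SHOW_USER_USAGE"],
    )
    print(authorize(rec, key, "198.51.100.20", "CMD_API_ACCOUNT_USER"))    # allowed
    print(authorize(rec, key, "203.0.113.7", "CMD_API_ACCOUNT_USER"))      # wrong source
    print(authorize(rec, key, "198.51.100.20", "CMD_API_SHOW_ALL_USERS"))  # wrong command
    print(authorize(rec, "not-the-key", "198.51.100.20", "CMD_API_ACCOUNT_USER"))
```

The point for the scenario in this thread: even if an attacker reads this key out of the billing database, it is useless from any other address and cannot run commands outside the allow-list, whereas a stolen full admin password works from anywhere for anything.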
 
Hello John,

Could we discuss the subject in a separate thread?

Can this feature be used with the Multi-Server feature? Or will we still be required to use passwords?
 
@pucky,

Are we still considering this a DirectAdmin security concern? Or does it appear to be an unpatched WHMCS issue? Or is it likely because of unpatched WHMCS? Please post the executive summary (one or two sentence) version.

Thanks.

Jeff
 