DigiRDP hacked

This discussion was created from comments split from: The Cest Pit of House LES - 2024 - The Sixth of Its Name - The Breaker of Chains.

Comments

  • Looks like DigiRDP got hacked based on the WHMCS theme exploit

    We regret to inform you that a security breach has occurred within our systems. It has come to our attention that unauthorized access to our MySQL dump has transpired, potentially compromising sensitive information. Following our investigation, it has been determined that the breach was facilitated by a vulnerability within the Lagom theme that we were using.

    As a precautionary measure, we are urging all users to promptly change their Digirdp client area and VPS/RDP passwords. This action is crucial to safeguard your account and ensure the security of your data.

    To effectuate this change, please follow these steps:

    Log in to your Digirdp client area immediately.
    Navigate to the account settings or security section.
    Change your password to a strong, unique one that you haven't used elsewhere.
    For VPS/RDP passwords, navigate to Services, open each active service, scroll down to settings, and proceed to change the password.

    We advise against using easily guessable passwords and encourage the utilization of a password manager to generate and securely store complex passwords.

    In tandem with this action, we are undertaking a comprehensive review of our systems and instituting additional security measures to mitigate the likelihood of similar incidents in the future.

    We sincerely apologize for any inconvenience this may cause you and want to assure you that we are treating this matter with the utmost seriousness. The security and privacy of our users' information are of paramount importance to us.

    Should you have any questions or concerns regarding this security breach or the necessary steps to be taken, please do not hesitate to contact our support team at [email protected].

    Thank you for your prompt attention to this matter.

    Sincerely,

    DigiRDP, LLC

  • vyas OG Senpai

    @sh97 said:
    Looks like DigiRDP got hacked based on the WHMCS theme exploit

    We regret to inform you that a security breach has occurred within our systems. It has come to our attention that unauthorized access to our MySQL dump has transpired, potentially compromising sensitive information. Following our investigation, it has been determined that the breach was facilitated by a vulnerability within the Lagom theme that we were using.

    I was going to post that, glad you did it first. Indeed cest pit is a good pit stop before the Mods decide if a dedicated thread is required.

  • Am I seeing a recent trend of hosts getting breached through WHMCS itself?

  • No hostname left!

  • Advin Hosting Provider
    edited February 2024

    @RachelMcAdams said:
    Am I seeing a recent trend of hosts getting breached through WHMCS itself?

    These breaches are happening purely due to addons/themes. DigiRDP used Lagom for WHMCS which is confirmed to have a security vulnerability. It's a popular theme across the hosting industry.

    I am a representative of Advin Servers

  • Advin Hosting Provider
    edited February 2024

    I have personally been able to reproduce the same exploit in a test environment with an unpatched version of Lagom. It's an extremely simple exploit that allows anyone to upload basically any file.

    The best way to prevent such an exploit (without knowing about it) would be to install a WAF. The problem with this exploit and the last exploit with the HostX/ClientX theme somewhat stems from the fact that you can upload PHP files in some way. Using Cloudflare Pro (not free) WAF automatically detects PHP content in the POST request, which blocks both of these exploits from occurring, at least from what I could tell. I'm sure that there are other firewalls out there that perform similar functionality, like BitNinja. If anyone does go with the Cloudflare Pro route, make absolutely sure that every request has to go through the WAF.

    I was unable to replicate the same exploit with Cloudflare Pro.

    I am a representative of Advin Servers
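    The two layers Advin describes, a WAF rule that rejects PHP content in a POST body and server-side checks on the upload itself, as an added Python example that is not from this thread, from the Lagom theme or from any WAF product. The sample files are constructed, and the extension allowlist, magic-byte prefix check and open-tag scan are my own illustration of the idea rather than any vendor's rule set.

```python
import re

# Constructed sample uploads (filename -> raw bytes); not real traffic from the incident.
SAMPLES = {
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,              # legitimate image
    "shell.php": b"<?php echo 'hello'; ?>",                       # PHP file, wrong extension
    "shell.php.png": b"<?php echo 'hello'; ?>",                   # double extension, PHP content
    "avatar.png": b"\x89PNG\r\n\x1a\n" + b"<?php echo 'hi'; ?>",  # valid PNG header, PHP appended
}

ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff",
         "jpeg": b"\xff\xd8\xff", "gif": b"GIF8"}
# PHP open tags: <?php, <?= and the short tag "<?" followed by whitespace (case-insensitive).
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=|\s)", re.IGNORECASE)


def body_contains_php(data: bytes) -> bool:
    """WAF-style check: reject any request body carrying a PHP open tag,
    regardless of the filename it claims."""
    return PHP_OPEN_TAG.search(data) is not None


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Server-side checks an upload handler should perform before writing
    anything to disk: extension allowlist, magic bytes, embedded code scan."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return False, f"extension '.{ext}' is not on the allowlist"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match the declared image type"
    if body_contains_php(data):
        return False, "PHP open tag found inside the upload"
    return True, "accepted"


def screen_all(samples: dict[str, bytes]) -> dict[str, str]:
    """Run both layers over every sample and report the outcome per file."""
    results = {}
    for name, data in samples.items():
        if body_contains_php(data):
            results[name] = "blocked by WAF"
            continue
        accepted, reason = validate_upload(name, data)
        results[name] = "accepted" if accepted else f"rejected: {reason}"
    return results


if __name__ == "__main__":
    for name, outcome in screen_all(SAMPLES).items():
        print(f"{name:16} {outcome}")
```

    Storing accepted files under a server-generated name outside the web root, so nothing uploaded is ever reachable by the PHP handler, belongs alongside these checks rather than instead of them.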

  • Mentally strong people write own website using compiled language.
    Upload PHP all you want but they don't execute.


    No hostname left!

  • skhron Hosting Provider
    edited February 2024

    @yoursunny said:
    Mentally strong people write own website using compiled language.
    Upload PHP all you want but they don't execute.

    Bro got fancy RCE due to poor memory management

  • havoc OG Content Writer Senpai

    @yoursunny said:
    Mentally strong people write own website using compiled language.
    Upload PHP all you want but they don't execute.

    A joke I know, but I kinda feel that way. 90% of the website would do just fine with static on a CDN

  • @havoc said:
    90% of the website would do just fine with static on a CDN

    #DeleteWordPress
    #DeleteWHMCS


    No hostname left!

  • bikegremlin Moderator OG Content Writer

    @yoursunny said:

    @havoc said:
    90% of the website would do just fine with static on a CDN

    #DeleteWordPress
    #DeleteWHMCS

    I write articles on parchment and send pages via messenger pigeons upon request.

    Still, there's always eagles and raccoons, so no system is 100% hack-proof... :(


    Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
    BikeGremlin's web-hosting reviews

  • @bikegremlin said:

    no system is 100% hack-proof... :(

    Air gap with an army of mother-in-laws standing guard. Check and mate.

  • edited February 2024

    @Advin said:
    I have personally been able to reproduce the same exploit in a test environment with an unpatched version of Lagom. It's an extremely simple exploit that allows anyone to upload basically any file.

    The best way to prevent such an exploit (without knowing about it) would be to install a WAF. The problem with this exploit and the last exploit with the HostX/ClientX theme somewhat stems from the fact that you can upload PHP files in some way. Using Cloudflare Pro (not free) WAF automatically detects PHP content in the POST request, which blocks both of these exploits from occurring, at least from what I could tell. I'm sure that there are other firewalls out there that perform similar functionality, like BitNinja. If anyone does go with the Cloudflare Pro route, make absolutely sure that every request has to go through the WAF.

    I was unable to replicate the same exploit with Cloudflare Pro.

    The theme source code is not publicly available, so it's hard for the general public to verify themselves (which is probably a good thing). There seems to be no CVE tracking this issue, is there?

    That said, getting pwned by unrestricted file upload in the [redacted] functionality is an incredibly rookie mistake.
