Originally posted on the WHMCS forums by kurieuo, here:
http://forums.whmcs.com/showthread.php?66951-Is-the-quot-powered-by-whmcompletesolution-quot-text-a-hacking-risk

I find that I get a few visits to my website using the query "powered by whmcompletesolution" - for example:

"powered by whmcompletesolution" "quality" inurl:cart
cart.php whmcompletesolution
clientarea.php "powered by whmcompletesolution"
intext:" powered by whmcompletesolution "+ inurl:cart.php?
intext:"powered by whmcompletesolution"
intext:powered by whmcompletesolution inurl:".*/*/submitticket.php"
intext:powered by whmcompletesolution inurl:cart.php?a=view
inurl:"cart.php?a" intext:"powered by whmcompletesolution"
inurl:"cart.php?a=" intext:"powered by whmcompletesolution"
inurl:submitticket.php "powered by whmcompletesolution"
...

These are either people looking for samples of WHMCS sites or people looking for sites using WHMCS that they can try to hack into.

WHMCS team: are you aware of this?

We don't mind promoting WHMCS as our billing system, so that's why we didn't get the non-branded version, but we just dislike that it attracts this sort of traffic. So I was thinking... maybe if the "powered by whmcompletesolution" bit were an image rather than text, it would be harder for hackers to find WHMCS sites. I guess they could still use Google image search to find the sites... d'oh... or how about if the "powered by" were written with JavaScript? :)

Anyone else have ideas?
This way there is no way to do a simple search of "Power by WHMCS".
Chris: "Refactoring this would not disable the ability for someone to look up WHMCS installations, but instead require them to use an alternate search term that is just as effective."
Those other alternate search terms also need to be disabled. Changing the names of common files, with an option to change them after install, would help solve this issue.
Maybe have some file that lists all of the files and a way to change their names, using that file to reference the file names that were changed.
There would also have to be a way to protect that file too.
Hackers are generally lazy and use Google to find their exploit sites.
If a hacker cannot find your site using Google, there is a 95% chance you will not get hacked.
They will simply go with sites they can find on Google; they don't normally go out of their way to find random WHMCS sites.
Also, WHMCS installs need to have robots.txt files in there to help prevent Google and other search engines from indexing sensitive files in the first place.
The "Powered By..", while it can be searched for directly via Google, is not the sole way to identify a WHMCS installation against other platforms - or custom-built ones. Refactoring this would not disable the ability for someone to look up WHMCS installations, but instead require them to use an alternate search term that is just as effective.
In terms of security, ensure that your WHMCS installation is always up to date, as WHMCS continues to focus on security both internally and by working with security agencies. Additionally, focus on the security of the server itself, including but not limited to ensuring PHP/Apache is hardened, and take care over the access you allow to the server where WHMCS is installed.
As soon as the line is changed in such a way that it can't be unique, the would-be "hackers" would simply change their method to match the new factoring.
There are also other, for want of a better word, "give-aways" that WHMCS is being used that could be used instead. I won't go into them; I'm not commenting to hand out ideas, but let's just say that no matter whether you are branded or not, and whether you are customised or not, the WHMCS installation is very easily identified by means other than the link.
This just means, in my view, that security, patching and pre-consideration when developing are of higher importance than the branding.
Also, WHMCS could use this to their advantage by changing the anchor text to something more valuable, like "billing system" or something.