If you have any kind of head for security, you will have moved your WHMCS admin area to a non-standard directory. I have put this little selection of files together to put in the default directory (domain.tld/whmcs-install/admin). It looks identical to the real admin area (even at source level), the only difference being that it will log login attempts and password requests via the email request link.
Rather than putting these log lines in an obvious file that could be used to detect the fake page, the information is appended to an htaccess file (as a comment). For security purposes, the information that they pass is stored in a base64 encoded state, so if you would like to see what they entered, you will need to decode it (either with your own code or with some tool like this).
I have created each of the php files in the default WHMCS install (thanks touch & echo :-)), all of which redirect to the login.php page (yes, I could have used the .htaccess for this, but this version is more likely to work on the vast majority of servers, and it is much easier to help people when they have problems). Files which contain more complex code are:
- login.php – handles reminder system (and logs reminder requests). Displays correct HTML for each error / form etc..
- dologin.php – Logs login attempts
- licenseerror.php – Set up to mimic the original. Even mimics a user trying to change the license key 🙂
- accessdenied.php – For some reason, any user can access this file when not logged in, so I just copied the source over
- logout.php – Logout can be seen by any user, so I’ve just copied the source over again as with accessdenied.php
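To make the logging scheme concrete, here is an added example that re-creates the idea in Python (the mod itself is PHP; this is not the mod's code, and the `dummyadmin:` marker, the JSON payload layout and the sample .htaccess contents are my own assumptions). It shows why the base64 layer matters: base64 output contains no newline, so a logged attempt can never escape the `#` comment it is written into, whereas writing the captured values in plain text lets a submitted value that contains a newline start a fresh, non-comment line in .htaccess. It also includes the decoder that the "admin module" feature request above would need.

```python
import base64
import json
from datetime import datetime, timezone

# Prefix for every log line this (hypothetical) logger writes into .htaccess.
MARKER = "# dummyadmin:"

# Constructed stand-in for a real .htaccess file.
SAMPLE_HTACCESS = "Options -Indexes\n# existing comment\n"


def encode_entry(kind, fields, when=None):
    """Build one .htaccess comment line for an attempt.

    kind: 'login' or 'reminder'; fields: the submitted form values.
    The whole record is JSON-encoded, then base64-encoded, so the only
    characters that reach the file are [A-Za-z0-9+/=]: no newline can
    terminate the comment, whatever the visitor typed.
    """
    when = when or datetime.now(timezone.utc)
    payload = json.dumps({"kind": kind, "time": when.isoformat(), **fields})
    encoded = base64.b64encode(payload.encode("utf-8")).decode("ascii")
    return f"{MARKER}{encoded}\n"


def plain_entry(kind, fields):
    """The equivalent line with the base64 layer removed (plain-text logging).

    Submitted values go into the file unchanged, so a value containing a
    newline breaks out of the comment.
    """
    body = " ".join(f"{key}={value}" for key, value in fields.items())
    return f"{MARKER}{kind} {body}\n"


def append_entry(htaccess_text, line):
    """Append one log line to the .htaccess body (file I/O left to the caller)."""
    return htaccess_text + line


def all_lines_are_comments(htaccess_text, skip_leading=SAMPLE_HTACCESS):
    """Check that every line the logger added is still an Apache comment.

    Lines belonging to the original file (skip_leading) are not inspected.
    """
    added = htaccess_text[len(skip_leading):]
    return all(line.startswith("#") for line in added.splitlines() if line.strip())


def decode_log(htaccess_text):
    """Recover every logged attempt from a .htaccess body as a list of dicts."""
    entries = []
    for line in htaccess_text.splitlines():
        if not line.startswith(MARKER):
            continue
        raw = base64.b64decode(line[len(MARKER):], validate=True)
        entries.append(json.loads(raw))
    return entries


if __name__ == "__main__":
    # Constructed attempts: one ordinary guess, one whose password field
    # carries a newline followed by text that is not a comment.
    ordinary = {"username": "admin", "password": "hunter2"}
    crafted = {"username": "admin", "password": "x\ninjected line"}

    safe = SAMPLE_HTACCESS
    for attempt in (ordinary, crafted):
        safe = append_entry(safe, encode_entry("login", attempt))
    print("base64 log keeps every added line a comment:", all_lines_are_comments(safe))

    plain = append_entry(SAMPLE_HTACCESS, plain_entry("login", crafted))
    print("plain-text log keeps every added line a comment:", all_lines_are_comments(plain))

    for entry in decode_log(safe):
        print(entry["time"], entry["kind"], entry["username"])
```

The decoder is deliberately strict (`validate=True`), so a hand-edited or truncated line raises instead of silently decoding to garbage; an admin module built on it should catch that error per line rather than abort the whole listing.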
Install Instructions
- Move your WHMCS admin area (Instructions on the WHMCS Documentation here)
- Download the project here
- Unzip the file and upload the admin directory to the root of your WHMCS installation
- Set the .htaccess file to be writeable by your web server (probably 666)
- Done! Take a look at your .htaccess file after trying to login
If you would like to link to this mod, please link to this post (http://ben90.com/2010/06/whmcs-mod-dummy-admin/) and not directly to the file. Please don’t create mirrors either; the latest version will always be available on this page, and I can ensure that the version on this page is not tampered with!!
Disclaimer: I am providing this code free of charge, anyone is welcome to use it, modify it etc. I accept no liability for any damage caused by using it. If anything goes wrong, don’t blame me!
If you have any questions, queries, or would just like to say thanks 🙂 Please leave a comment below!
Update: I’ll start listing feature suggestions below and build them in as and when I have time 🙂 If you have any suggestions, leave a comment!
- Admin module – display details used by hackers & some stats too, possibly build mod to display some overview on the admin homepage – Getting there with this now, teaser:
June 19th, 2010 at 1:58 am
Very useful mod!
Might be worth making an admin module in WHMCS for the admins to decode automatically and view in a easy way? Just a thought, but good work!
June 20th, 2010 at 1:57 am
Thanks for the comment. An admin mod shouldn’t be too difficult to build for this. I’ll bring one together when I get some free time! Keep the feature suggestions coming 🙂
July 4th, 2010 at 1:04 pm
I didn’t realise it was possible to go into so much detail on a small matter, thanks again!
September 8th, 2010 at 11:23 pm
We have had lots of issues with bruteforce attacks and such. Thanks so much, this is wonderful!
September 11th, 2010 at 12:32 am
Where is the link for the admin module? I’d love to get a copy of that, thanks
September 11th, 2010 at 12:42 am
Hi Michael,
I’ve been really busy over the past months and never managed to finish it off. If I get a few mins, I’ll finish it off and upload it.
Ben
December 27th, 2010 at 5:39 am
Any update with the Admin module? Do you need a beta tester?
December 28th, 2010 at 5:48 pm
Hi Steven,
To be quite honest, I haven’t done any more work on it since the first version (when I took that screen shot). It works pretty well in its current state but:
1) I’m a perfectionist, so I won’t release it until I believe it’s ready
2) It takes time to tidy up the code and package it all up (and I don’t have much free time at the moment)
Ben
December 30th, 2010 at 3:28 pm
Ok, thanks for your reply. Can you please email me when you have released it? I also have to say thanks for such a good script.
December 31st, 2010 at 1:29 pm
I’d like an email too when an admin module is created. Thanks for this mod too!!
January 24th, 2011 at 3:39 am
Hi Ben,
Thank you very much for such a nice free mod.. 🙂
We all are definitely looking for update..
Thanks again for your kind efforts..
January 26th, 2011 at 11:41 pm
hi there
I think this is very clever and should be a part of WHMCS.
One thing I don’t understand though is why there are so many files?
I mean, shouldn’t there just be the login page, which of course won’t work, but instead logs all activity?
looking forward for your reply
regards
January 27th, 2011 at 1:25 am
Hi Lasse, Thanks for the comment.
1) There are exactly the same number of files as the default admin area. To make it undetectable, this is necessary.
2) If everyone used this mod and it was part of WHMCS, it would be pointless as hackers would expect it.
Ben
March 29th, 2011 at 6:11 am
Thank you :).
May 14th, 2011 at 11:26 pm
Any idea when this will be finished – great looking module man 🙂 well done.
May 15th, 2011 at 12:42 am
Hey Chris,
I’ve had some big projects on over the past few months, so haven’t had any time to put into WHMCS module dev. I should have some free time next month though, so I will hopefully have time to rebuild this and also a few other mods (I have a few that I started, but never released!).
Cheers for the interest, and make sure to check back here for updates!
Ben
November 2nd, 2011 at 5:47 pm
Thanks for this AWESOME mod! 🙂
Would be more realistic if there were the language dropdown box also?
Great job! 🙂 looking forward to the update 🙂
January 6th, 2012 at 11:15 pm
gr8 work. Thanks a lot 🙂
June 3rd, 2012 at 1:04 pm
I tried that on a Windows 2008 R2 server. But the login.php under the admin folder doesn’t open and gives a 500 internal server error.
I gave the IUSR write permission as needed, what else should I do to make that work? Any help is appreciated! Thanks in advance…
June 18th, 2012 at 9:28 pm
Hi ilter
I’m sorry to hear it’s not working. I’m afraid I don’t have a Windows server to test with; it’s pretty basic code and I’m not sure what’s causing the issue. If you take a look in the error logs, you may find it to be a simple problem.
To be honest, this really needs updating as it’s based on a pretty old version of WHMCS. If I’m lucky enough to get some free time, I’ll re-create it from the latest version.
Ben
July 19th, 2012 at 12:18 pm
Hi,
First, nice mod 🙂
I have removed “base64_encode” from the login and dologin files so that it can record usernames, passwords and emails in plain text in the .htaccess file.
Is it ok and safe?
Thanks,
Sam
July 29th, 2012 at 9:02 am
Hi,
It’s probably safe, but it opens up the possibility of code injection into your htaccess file. Might be worth changing the file the script writes to as well and then blocking access to it in your htaccess file
Ben
April 30th, 2014 at 5:50 am
Just curious here, I know this is a bit outdated and wanted to see if there are any needed updates for this. It is something we would like to add in as an “extra” piece of security, but also making sure it’s safe. I know it’s just basically “dead files”, but it still has that “possibility” of being used for something.
Maybe a little update on the “login page” to match the most recent “theme” of whmcs? Have it send emails when logins are attempted instead of having to read the htaccess file all the time?
May 24th, 2014 at 8:31 am
Is this still ok with the latest version of WHMCS?
October 16th, 2014 at 12:34 am
Hi SomePerson / Dave. I’m sorry, although I’ve not been active on this blog for some time. The reality is that if you have moved your WHMCS admin directory, you are already much more secure. This dummy admin doesn’t /really/ achieve anything useful.