WHMCS Mod: Dummy Admin

Wed, Jun 9, 2010

PHP, Programming

WHMCS

If you have any kind of head for security, you will have moved your WHMCS admin area to a non-standard directory. I have put this little selection of files together to drop into the default directory (domain.tld/whmcs-install/admin). It looks identical to the real admin area (even at source level); the only difference is that it logs login attempts and the password reminder requests made through the "forgotten password" email link.

Rather than writing these log lines to an obvious file that could be used to detect the fake page, the information is appended to the .htaccess file as comment lines. Whatever the visitor submits is stored base64-encoded. That is not for secrecy (base64 is trivially reversible); it is so that anything they type, including a newline followed by an Apache directive, ends up inside a single comment line rather than becoming part of your server configuration. If you would like to see what they entered, you will need to decode it, either with your own code or with an online base64 decoder.

I have created each of the PHP files in the default WHMCS install (thanks touch & echo :-)), all of which redirect to the login.php page (yes, I could have used the .htaccess for this, but this version is more likely to work on the vast majority of servers, and it is much easier to help people when they have problems). The files that contain more complex code are:

  • login.php – handles the reminder system (and logs reminder requests). Displays the correct HTML for each error / form etc.
  • dologin.php – logs login attempts
  • licenseerror.php – set up to mimic the original. Even mimics a user trying to change the license key 🙂
  • accessdenied.php – for some reason, any user can access this file without being logged in, so I just copied the source over
  • logout.php – logout can be seen by any user, so I've just copied the source over again, as with accessdenied.php
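As an added illustration of the logging approach described above (this is example code written for this page, not the mod's own dologin.php or login.php), here is a minimal PHP logger that appends each attempt to .htaccess as a base64 comment, plus the matching reader that an admin module would need. The function names `dummy_log_attempt` and `dummy_read_attempts`, the `# DUMMY ` marker and the JSON record layout are assumptions made for this example, not the format the downloadable mod uses.

```php
<?php
// Added example for this page, not the mod's own code. Function names,
// the "# DUMMY " marker and the JSON record layout are assumptions.

/**
 * Append one attempt to .htaccess as a comment line.
 * Attacker-controlled values are capped in length, JSON-encoded and then
 * base64-encoded, so the written line contains only [A-Za-z0-9+/=] after
 * the marker and can never break out of the comment into a directive.
 */
function dummy_log_attempt(string $htaccess, string $kind, array $fields): bool
{
    $record = [
        'ts'   => gmdate('c'),
        'ip'   => $_SERVER['REMOTE_ADDR'] ?? 'cli',
        'kind' => $kind,    // 'login' or 'reminder'
        'data' => array_map(fn($v) => substr((string) $v, 0, 1024), $fields),
    ];
    // JSON_INVALID_UTF8_SUBSTITUTE keeps json_encode from failing on raw bytes.
    $json = json_encode($record, JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE);
    $line = '# DUMMY ' . base64_encode($json) . "\n";

    $fh = fopen($htaccess, 'a');
    if ($fh === false) {
        return false;
    }
    // Exclusive lock so two concurrent attempts cannot interleave half-lines.
    $ok = flock($fh, LOCK_EX) && fwrite($fh, $line) === strlen($line);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $ok;
}

/**
 * Read logged attempts back (what an admin module would do). Lines without
 * the marker, or that fail strict base64/JSON decoding, are skipped.
 */
function dummy_read_attempts(string $htaccess): array
{
    $out = [];
    foreach (file($htaccess, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        if (strncmp($line, '# DUMMY ', 8) !== 0) {
            continue;
        }
        $json = base64_decode(substr($line, 8), true);
        $rec  = $json === false ? null : json_decode($json, true);
        if (is_array($rec)) {
            $out[] = $rec;
        }
    }
    return $out;
}

// --- demonstration on a temporary file (constructed input, not real traffic) ---
$tmp = tempnam(sys_get_temp_dir(), 'ht');
file_put_contents($tmp, "RewriteEngine On\n");

dummy_log_attempt($tmp, 'login', ['username' => 'admin', 'password' => 'Password1']);
// An attempt that tries to break out of the comment with a newline and inject
// a directive; after encoding it is still one inert comment line.
dummy_log_attempt($tmp, 'login', [
    'username' => "x\nphp_value auto_prepend_file /tmp/evil.php\n",
    'password' => 'y',
]);
dummy_log_attempt($tmp, 'reminder', ['email' => 'admin@example.com']);

foreach (dummy_read_attempts($tmp) as $rec) {
    printf("%s %s %-8s %s\n", $rec['ts'], $rec['ip'], $rec['kind'], json_encode($rec['data']));
}

// The check that matters: every non-blank line is still the original rule or a comment.
foreach (file($tmp, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
    if ($line !== 'RewriteEngine On' && $line[0] !== '#') {
        throw new RuntimeException("non-comment line written to .htaccess: $line");
    }
}
unlink($tmp);
```

Run it from the command line with `php example.php`; in a real dummy page you would pass `$_POST['username']` and `$_POST['password']` as the fields and the path of the real .htaccess. The final loop is the check that matters: even when the submitted username contains a newline and an Apache directive, every line in the file is still either the original rule or a comment, which is exactly what writing the values in plain text would not guarantee. The per-field cap (1 KB here) is deliberate: Apache refuses configuration lines longer than about 8 KB, and one over-long line in .htaccess takes the whole site down with a 500.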

Install Instructions

  1. Move your WHMCS admin area (instructions are in the WHMCS documentation)
  2. Download the project here
  3. Unzip the file and upload the admin directory to the root of your WHMCS installation
  4. Make the .htaccess file writable by the user your web server runs as. 666 (world-writable) works everywhere, but it is more than you need: if the file is owned or group-owned by the web server user, 664 or 660 is enough. Bear in mind that a web-server-writable .htaccess is itself a small risk, since any code execution bug elsewhere on the site could now rewrite your access rules.
  5. Done! Take a look at your .htaccess file after trying to log in.

If you would like to link to this mod, please link to this post (http://ben90.com/2010/06/whmcs-mod-dummy-admin/) and not directly to the file. Please don't create mirrors either. The latest version will always be available on this page, and I can ensure that the version on this page is not tampered with!!

Disclaimer: I am providing this code free of charge, anyone is welcome to use it, modify it etc. I accept no liability for any damage caused by using it. If anything goes wrong, don’t blame me!

If you have any questions, queries, or would just like to say thanks 🙂 please leave a comment below!

Update: I'll start listing feature suggestions below and build them in as and when I have time 🙂 If you have any suggestions, leave a comment!

  • Admin module – display details used by hackers & some stats too, possibly build mod to display some overview on the admin homepage – Getting there with this now, teaser:

    (Screenshot: Dummy Admin Module)

25 Comments For This Post

  1. Josh Says:

    Very useful mod!

    Might be worth making an admin module in WHMCS for the admins to decode automatically and view in a easy way? Just a thought, but good work!

  2. Ben Says:

    Thanks for the comment. An admin mod shouldn't be too difficult to build for this. I'll bring one together when I get some free time! Keep the feature suggestions coming 🙂

  3. Aaron Schimek Says:

    I didn’t realise it was possible to go into so much detail on a small matter, thanks again!

  4. Kevin Says:

    We have had lots of issues with bruteforce attacks and such. Thanks so much, this is wonderful!

  5. Michael Says:

    Where is the link for the admin module? I'd love to get a copy of that, thanks

  6. Ben Says:

    Hi Michael,

    I’ve been really busy over the past months and never managed to finish it off. If I get a few mins, I’ll finish it off and upload it.

    Ben

  7. Steven Says:

    Any update with the Admin module? Do you need a beta tester?

  8. Ben Says:

    Hi Steven,

    To be quite honest, I haven't done any more work on it since the first version (when I took that screenshot). It works pretty well in its current state but:
    1) I'm a perfectionist, so I won't release it until I believe it's ready
    2) It takes time to tidy up the code and package it all up (and I don’t have much free time at the moment)

    Ben

  9. Steven Says:

    Ok, thanks for your reply. Can you please email me when you have released it? I also have to say thanks for such a good script.

  10. mknjhill Says:

    I'd like an email too when an admin module is created. Thanks for this mod too!!

  11. Hushar Says:

    Hi Ben,
    Thank you very much for such a nice free mod.. 🙂
    We all are definitely looking for update..

    Thanks again for your kind efforts..

  12. Lasse Says:

    Hi there,

    I think this is very clever and should be a part of WHMCS.
    One thing I don't understand though is why there are so many files?
    I mean, shouldn't there just be the login page, which of course won't work, but instead logs all activity?

    looking forward for your reply

    regards

  13. Ben Says:

    Hi Lasse, Thanks for the comment.

    1) There are exactly the same number of files as in the default admin area. To make it undetectable, this is necessary.

    2) If everyone used this mod and it was part of WHMCS, it would be pointless as hackers would expect it.

    Ben

  14. Miguel Says:

    Thank you :).

  15. Chris Says:

    Any idea when this will be finished – great looking module man ๐Ÿ™‚ well done.

  16. Ben Says:

    Hey Chris,

    I’ve had some big projects on over the past few months, so haven’t had any time to put into WHMCS module dev. I should have some free time next month though, so I will hopefully have time to rebuild this and also a few other mods (I have a few that I started, but never released!).

    Cheers for the interest, and make sure to check back here for updates!

    Ben

  17. Niels Says:

    Thanks for this AWESOME mod! 😀
    Would be more realistic if there were the language dropdown box also?

    Great job! 😀 Looking forward to the update 😉

  18. Lupael Says:

    gr8 work. Thanks a lot 🙂

  19. ilter Says:

    I tried that on a Windows 2008 R2 server. But the login.php under the admin folder doesn't open and gives a 500 internal server error.
    I gave the IUSR write permission as needed, what else should I do to make that work? Any help is appreciated! Thanks in advance…

  20. Ben Says:

    Hi ilter

    I'm sorry to hear it's not working. I'm afraid I don't have a Windows server to test with; it's pretty basic code and I'm not sure what's causing the issue. If you take a look in the error logs, you may find it to be a simple problem.

    To be honest, this really needs updating as it’s based on a pretty old version of WHMCS. If I’m lucky enough to get some free time, I’ll re-create it from the latest version.

    Ben

  21. Sam Says:

    Hi,

    First, nice mod 🙂

    I have removed "base64_encode" from the login and dologin files so that it records usernames, passwords and emails in plain text in the .htaccess file.

    Is it ok and safe?

    Thanks,
    Sam

  22. Ben Says:

    Hi,

    It’s probably safe, but it opens up the possibility of code injection into your htaccess file. Might be worth changing the file the script writes to as well and then blocking access to it in your htaccess file

    Ben

  23. SomePerson Says:

    Just curious here, I know this is a bit outdated and wanted to see if there are any needed updates for this. It is something we would like to add in as an "extra" piece of security, but also making sure it's safe. I know it's just basically "dead files", but it still has that "possibility" of being used for something.

    Maybe a little update on the “login page” to match the most recent “theme” of whmcs? Have it send emails when logins are attempted instead of having to read the htaccess file all the time?

  24. Dave Says:

    Is this still ok with the latest version of WHMCS?

  25. Ben Says:

    Hi SomePerson / Dave. I’m sorry, although I’ve not been active on this blog for some time. The reality is that if you have moved your WHMCS admin directory, you are already much more secure. This dummy admin doesn’t /really/ achieve anything useful.
