If you have any kind of head for security, you will have moved your WHMCS admin area to a non-standard directory. I have put this little selection of files together to put in the default directory (domain.tld/whmcs-install/admin). It looks identical to the real admin area (even at source level), the only difference being that it will log login attempts and password requests via the email request link.
Rather than putting these log lines in an obvious file that could be used to detect the fake page, the information is appended to the .htaccess file (as a comment). For security purposes, the information that they pass is stored in a base64 encoded state, so if you would like to see what they entered, you will need to decode it (either with your own code or with some tool like this).
I have created each of the php files in the default WHMCS install (thanks, touch & echo), which all redirect to the login.php page (yes, I could have used the .htaccess for this, but this version is more likely to work on the vast majority of servers, and makes it much easier to help people when they have problems). The files which contain more complex code are:
- login.php – handles the reminder system (and logs reminder requests). Displays the correct HTML for each error / form etc.
- dologin.php – Logs login attempts
- licenseerror.php – Set up to mimic the original. Even mimics a user trying to change the license key
- accessdenied.php – For some reason, any user can access this file when not logged in, so I just copied the source over
- logout.php – Logout can be seen by any user, so I’ve just copied the source over again as with accessdenied.php
Install Instructions
- Move your WHMCS admin area (Instructions on the WHMCS Documentation here)
- Download the project here
- Unzip the file and upload the admin directory to the root of your WHMCS installation
- Set the .htaccess file to be writeable by your web server (probably 666)
- Done! Take a look at your .htaccess file after trying to login
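For reading the entries that show up in .htaccess after the last step, here is an added example that is not part of the original mod or its download. The post does not show the log line layout, so the `# <kind> <timestamp> <ip> <base64 field> ...` layout, the names used and every sample value are assumptions constructed for illustration.

```python
import base64
import binascii

# ASSUMED line layout (the post does not show the real one):
#   # <kind> <timestamp> <ip> <base64 field> [<base64 field> ...]
KINDS = {"login", "reminder"}

def b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")

# Constructed sample .htaccess: a real directive mixed with honeypot comments.
SAMPLE_HTACCESS = "\n".join([
    "Options -Indexes",
    "# login 2010-06-19T01:58:00 203.0.113.7 %s %s" % (b64("admin"), b64("hunter2")),
    "# reminder 2010-06-19T02:03:11 203.0.113.7 %s" % b64("root@example.tld"),
    "# ordinary comment left by the administrator",
    "# login 2010-06-20T09:14:52 198.51.100.23 %s %s" % (b64("admin"), b64("pw\r\n\x1b[2J")),
    "# login 2010-06-20T09:15:03 198.51.100.23 %s not*base64" % b64("root"),
])

def safe_text(raw):
    # Submitted values are attacker-controlled: escape control characters
    # (newlines, terminal escapes) before showing them anywhere.
    text = raw.decode("utf-8", errors="replace")
    return "".join(c if c.isprintable() else "\\x%02x" % ord(c) for c in text)

def decode_field(token):
    try:
        return safe_text(base64.b64decode(token, validate=True))
    except (binascii.Error, ValueError):
        return "<undecodable: %r>" % token

def parse_honeypot_log(htaccess_text):
    """Return one dict per honeypot comment line; skip everything else."""
    events = []
    for line in htaccess_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "#" or parts[1] not in KINDS:
            continue
        events.append({"kind": parts[1], "time": parts[2], "ip": parts[3],
                       "fields": [decode_field(t) for t in parts[4:]]})
    return events

if __name__ == "__main__":
    for event in parse_honeypot_log(SAMPLE_HTACCESS):
        print(event)
```

Strict decoding (`validate=True`) keeps a damaged or hand-edited line from being silently misread, and the escaping step matters because whatever was typed into the fake form ends up on the administrator's screen.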
If you would like to link to this mod, please link to this post (http://ben90.com/2010/06/whmcs-mod-dummy-admin/) and not directly to the file. Please don’t create mirrors either. The latest version will always be available on this page, and I can ensure that the version on this page is not tampered with!
Disclaimer: I am providing this code free of charge, anyone is welcome to use it, modify it etc. I accept no liability for any damage caused by using it. If anything goes wrong, don’t blame me!
If you have any questions, queries, or would just like to say thanks, please leave a comment below!
Update: I’ll start listing feature suggestions below and build them in as and when I have time
If you have any suggestions, leave a comment!
- Admin module – display details used by hackers & some stats too, possibly build mod to display some overview on the admin homepage – Getting there with this now, teaser:





June 19th, 2010 at 1:58 am
Very useful mod!
Might be worth making an admin module in WHMCS for the admins to decode automatically and view in an easy way? Just a thought, but good work!
June 20th, 2010 at 1:57 am
Thanks for the comment. An admin mod shouldn’t be too difficult to build for this. I’ll bring one together when I get some free time! Keep the feature suggestions coming
July 4th, 2010 at 1:04 pm
I didn’t realise it was possible to go into so much detail on a small matter, thanks again!
September 8th, 2010 at 11:23 pm
We have had lots of issues with bruteforce attacks and such. Thanks so much, this is wonderful!
September 11th, 2010 at 12:32 am
Where is the link for the admin module? I'd love to get a copy of that, thanks
September 11th, 2010 at 12:42 am
Hi Michael,
I’ve been really busy over the past months and never managed to finish it off. If I get a few mins, I’ll finish it off and upload it.
Ben
December 27th, 2010 at 5:39 am
Any update with the Admin module? Do you need a beta tester?
December 28th, 2010 at 5:48 pm
Hi Steven,
To be quite honest, I haven’t done any more work on it since the first version (when I took that screenshot). It works pretty well in its current state but:
1) I’m a perfectionist, so I won’t release it until I believe it's ready
2) It takes time to tidy up the code and package it all up (and I don’t have much free time at the moment)
Ben
December 30th, 2010 at 3:28 pm
Ok, thanks for your reply. Can you please email me when you have released it? I also have to say thanks for such a good script.
December 31st, 2010 at 1:29 pm
I'd like an email too when an admin module is created. Thanks for this mod too!!
January 24th, 2011 at 3:39 am
Hi Ben,
Thank you very much for such a nice free mod..
We all are definitely looking for update..
Thanks again for your kind efforts..
January 26th, 2011 at 11:41 pm
Hi there
I think this is very clever and should be a part of WHMCS.
One thing I don't understand though is why there are so many files?
I mean, shouldn't there just be the login page, which of course won't work, but instead log all activity.
Looking forward to your reply
Regards
January 27th, 2011 at 1:25 am
Hi Lasse, Thanks for the comment.
1) There are exactly the same number of files as the default admin area. To make it un-detectable, this is necessary.
2) If everyone used this mod and it was part of WHMCS, it would be pointless as hackers would expect it.
Ben
March 29th, 2011 at 6:11 am
Thank you.
May 14th, 2011 at 11:26 pm
Any idea when this will be finished – great looking module man
well done.
May 15th, 2011 at 12:42 am
Hey Chris,
I’ve had some big projects on over the past few months, so haven’t had any time to put into WHMCS module dev. I should have some free time next month though, so I will hopefully have time to rebuild this and also a few other mods (I have a few that I started, but never released!).
Cheers for the interest, and make sure to check back here for updates!
Ben
November 2nd, 2011 at 5:47 pm
Thanks for this AWESOME mod!
Would be more realistic if there were the language dropdown box also?
Great job!
looking forward to the update
January 6th, 2012 at 11:15 pm
gr8 work. Thanks a lot