cPanel spam suspend with WHMCS ticket

whmcsguru

Chief Guru
Staff member
Jan 11, 2018
23
1
3
45
#1
Dealing with spam / malware is never easy. When dealing with a cPanel/WHMCS combination, welll, it's a bit more complicated. It often goes a bit like this.
  1. Login via SSH
  2. Find out which user is causing spam
  3. Suspend account
  4. Clean out spam
  5. Login to WHM
  6. Find out what user owns said spamming account
  7. Login to WHMCS
  8. Find out what billing user is associated with said user
  9. Send out lengthy notification of abuse and suspension
It would really be nice if this could all be done in a condensed version, right? RIGHT? Well, here you go (you're welcome). This will require a few steps initially, but in the end, it will pay off with one simple command to suspend/notify the user.

Step 1:
Place the following code in a file. This is an sh file

Code:
#!/usr/bin/env bash
#Command line tool to suspend account and notify user via ticket
shopt -s extglob
args=("[email protected]")
user=${args[0]}
date=`date +%F-%k%M`
function show_usage
{
echo -e "Syntax:
suspendacct.sh user";
exit 1
}
if [ -z "$user" ]
then
show_usage
fi
echo -e "Working with:\t $user";
/scripts/suspendacct $user 'spamming' 1
reseller=$(whmapi1 accountsummary user=$user | grep owner)
output="${reseller##*( )}"
realseller=${output:7}
echo -e "Reseller is:\t $realseller";
suspdomain=$(whmapi1 accountsummary user=$user | grep "domain:")
output3="${suspdomain##*( )}"
realdomain=${output3:8}
echo -e "Domain is:\t $realdomain";
owneremail=$(whmapi1 accountsummary user=$realseller | grep "email:")
output2="${owneremail##*( )}"
realemail=${output2:7}
echo -e "Owner Email is:\t $realemail";
ownerdomain=$(whmapi1 accountsummary user=$reseller | grep "domain:")
output4="${ownerdomain##*( )}"
ownerdomain=${output4:8}
echo -e "Owner Domain:\t$ownerdomain";
echo -e "Creating Ticket for $realdomain [$realemail]";
php /path/to/filename $realdomain $realemail $realseller $ownerdomain
The only thing you need to modify is the /path/to/filename . That is where you're going to place

Step 2:

Place the following code in a php file on your server somewhere.
PHP:
<?php
require_once("whmcs_abuse.inc");
$domain = $argv['1'];
$email = $argv['2'];
$email = str_replace(' ', '', $email);
$reseller = $argv['3'];
$odomain = $argv['4'];
print"Domain:\t $domain\n";
print"Email:\t $email\n";
$ticketsubject .= " $domain";
print "$ticketsubject" ;

$postfields = array(
    'username' => $username,
    'password' => md5($password),
    'action' => 'getclientsproducts',
    'username2' => $reseller,
    'domain' => $odomain,
    'responsetype' => 'json',

);

// Call the API
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url . 'includes/api.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($postfields));
$response = curl_exec($ch);
if (curl_error($ch)) {
    die('Unable to connect: ' . curl_errno($ch) . ' - ' . curl_error($ch));
}
curl_close($ch);
$jsonData = json_decode($response, true);
$array1 = $jsonData['products'];
$array2 = $array1['product'];
$array3 = $array2['0'];
//print_r($array3);
$clientid= $array3['clientid'];
print ("\nClient id: $clientid\n");

if (empty($clientid))
{
die("I cannot open a ticket. Please manually lookup reseller $reseller\n");
}


// Set post values
$postfields = array(
    'username' => $username,
    'password' => md5($password),
    'action' => 'OpenTicket',
    'clientid' => $clientid,
    'markdown' => 1,
    'email' => $email,
    'deptid' => $deptid,
    'subject' => $ticketsubject,
    'message' => $ticketbody,
    'priority' => 'high',
    'responsetype' => 'json',
);


// Call the API
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url . 'includes/api.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($postfields));
$response = curl_exec($ch);
if (curl_error($ch)) {
    die('Unable to connect: ' . curl_errno($ch) . ' - ' . curl_error($ch));
}
curl_close($ch);
// print_r($response);
// Attempt to decode response as json
$jsonData = json_decode($response, true);
$ticketid = $jsonData['id'];
print "Ticket id:\t $ticketid";

/*
Update the ticket to the necessary status. Must be done after ticket submission
Anything below here is optional
*/

$postfields = array(
    'username' => $username,
    'password' => md5($password),
    'action' => 'updateticket',
    'ticketid' => $ticketid,
    'status' => $ticketstatus,
    'responsetype' => 'json',
);





// Call the API
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url . 'includes/api.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($postfields));
$response = curl_exec($ch);
if (curl_error($ch)) {
    die('Unable to connect: ' . curl_errno($ch) . ' - ' . curl_error($ch));
}
curl_close($ch);
$jsonData = json_decode($response, true);
?>
Now, edit the first file. Point to this file in the last line.

Step 3:
One last file here. Call this whmcs_abuse.inc. Place it in the same directory as the file from step 2
PHP:
<?php
$url = "; # WHMCS url
$username = ""; # Admin username goes here
$password = ""; # Admin password goes here
$ticketsubject = "Abuse notification for";
$deptid = ""; #what department do you want this in
$ticketstatus = "Customer To Reply"; #what status do you want to place this in
$ticketbody = "Hello,
It's come to our attention that your domain  has been the target of some very abusive activity, causing your server to have an excessive email queue

Due to the excessive amount of spam coming from this domain, we've had to suspend this account.
Please note that you may unsuspend this, but we do require that until you resolve the issue, you make this site available to you and your employees only.
To do this, you may add the following to your .htaccess file.

```
<Limit GET POST>
order deny,allow
deny from all
ALLOW FROM your ip
</Limit>

```
Please note that you **must** run a full scan and update any vulnerable software, themes, plugins, or code in order to ensure that this does not continue.

This activity is most often caused by out of date, or vulnerable plugins , software, or templates. Please do ensure that your software, templates and plugins are all at the latest version and not vulnerable to any sort of hacking activity in order to ensure that this does not happen again.
Step 4:
Add your server's IP to the API IP Access Restriction list (admin -> setup -> security, toward the bottom of the page). Make sure to save your settings

Now, you have a working script. Assuming you've edited the first script, you've saved yourself a ton of time, and you can simply do the following to investigate and suspend spammers, assuming you named the script suspendacct.sh

Code:
suspendacct.sh username
This will suspend the account, send the informational email to the client, and save you a few steps in the process.

Note:
This line from the first script will remove the ability for the reseller to unsuspend this account:
/scripts/suspendacct $user 'spamming' 1
This is somewhat necessary I've found, as resellers tend to unsuspend and then not address the problem. This will force them to reply to the ticket, acknowledge the problem and let you know what they plan on doing to fix the issue.

You can change this to
/scripts/suspendacct $user 'spamming' 0
 
Top Bottom