Hello,
I am quite concerned about something that has recently happened. I'll explain...
The other day I received a support ticket and when I logged into WHMCS to look at it, I noticed as soon as I opened the Support area that I was prompted by AVG that there was a threat. It was contained and removed. I removed the support ticket and banned the IP address.
Then today, I received another support ticket about 3 hours ago but was away and unable to get to a computer. I did notice though it was a PHP script when I was sent the notification. This time however, when I logged into WHMCS there was no support ticket open anymore.
Then I see in the Recent Activity that it's stating a file was uploaded to the "Downloads" area called "indexx.php" which wasn't there when I checked. I took a screenshot though of the recent activity and will attach it to this post; I've also attached a screenshot of the PHP script.
So now I'm just going through my server reports and I just noticed there is a "WHM Root Access Notification" sent to my email. The IP address that was recorded in Recent Activity is the IP address that accessed WHM Root. Now I'm uncertain what to do and beside myself with fear that something is exposed to this guy that shouldn't be.
I'm not sure what I should do or how I should proceed. Could someone please help me out?
I am using version 4.5.2 and have updated the various security patches that were sent to me from WHMCS so I'm not sure how or why this happened.
Should I restore a backup? What are the possibilities this guy could have done? I'm quite worried. Thanks to anyone who can offer me some assistance.
Kind regards,
Bryce