chrissweden

This is solved, it was whmcs trying to log into directadmin (server status thing) and it failed the login, how stupid of me

yes they uploaded some stuff to the main website which caused some images to redirect to other images. the leak was on a clients website which i removed. i only host 3 clients from like 6 years ago, we stopped offering webhosting since 4 years ago. it's not interesting to make another vps for just these clients, or so i thought... I don't see any new or altered files in the whmcs directory, i did a search for all the file by root and apache but none came up.

only one cronjob and that's the daily backup. I think it's some sort of mysql injection inside a whmcs table as it runs at the same time as the whmcs cron does.

Hi, One of my clients website got hacked and they left some stuff, I removed the client and most of the hackers stuff but I can´t find the script that is run through a cronjob. The cronjob starts at 19:40 which runs my WHMCS cron but at the same times runs the script. Also running the cron manually gives the same outcome. Should I look inside the WHMCS sql file? Or is it calling a script on the server at the same time? Seems unlikely as it only does the WHMCS cron... 2013:02:26-19:40:07: *** servers external ip has tried to login with an invalid username: '**hack-> Non-base64 authentication' *** 2013:02:26-19:40:07: servers external ip has tried to log in 16 times, unsuccessfully, this time into **hack-> Non-base64 authentication's account *** 2013:02:27-13:35:05: servers external ip has tried to log in 16 times, unsuccessfully, this time into **hack-> Non-base64 authentication's account *** 2013:02:27-13:35:05: *** servers external ip has tried to login with an invalid username: '**hack-> Non-base64 authentication' ***

I'm having the same problem, since upgrade. What a joke.