
Concerned about access


OurWebMedia


Hello,

I am quite concerned about something that has recently happened. I'll explain...

The other day I received a support ticket and when I logged into WHMCS to look at it, I noticed as soon as I opened the Support area that I was prompted by AVG that there was a threat. It was contained and removed. I removed the support ticket and banned the IP address.

Then today, I received another support ticket about 3 hours ago but was away and unable to get to a computer. I did notice though that it was a PHP script when I was sent the notification. This time however, when I logged into WHMCS there was no support ticket open anymore.

Then I see in the Recent Activity that it's stating a file was uploaded to the "Downloads" area called "indexx.php", which wasn't there when I checked. I took a screenshot though of the recent activity and will attach it to this post; I've also attached a screenshot of the PHP script.

So now I'm just going through my server reports and I just noticed there is a "WHM Root Access Notification" sent to my email. The IP address that was recorded in Recent Activity is the IP address that accessed WHM Root. Now I'm uncertain what to do and beside myself with fear that something is exposed to this guy that shouldn't be.

I'm not sure what I should do or how I should proceed. Could someone please help me out?

I am using version 4.5.2 and have updated the various security patches that were sent to me from WHMCS, so I'm not sure how or why this happened.

Should I restore a backup? What are the possibilities of what this guy could have done? I'm quite worried. Thanks to anyone who can offer me some assistance.

Kind regards,

Bryce

12-12-2011 5-41-43 PM.jpg

12-12-2011 5-42-54 PM.jpg


Hello Matt,

I appreciate your response. I wasn't sure which might get answered first so I opened them both. I have already consulted the situation with you via support and I appreciate every second you've spent with me. I am now in the process of updating to v5 and checking the server for any new files. Thanks again Matt, you're great!

Bryce


It appears we were just affected as well. The user with the IP address '94.99.12.33' just submitted a support ticket with the following code:

Code Removed.

It appears to have created a directory on the server, gained access to the configuration file, replaced the admin user, and I'm not sure about what else yet.

Edited by w3designstudios
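The two posts above describe the same pattern: PHP planted in a directory that should only hold uploaded static files, followed by changes elsewhere in the install. A first triage check a responder would want is a scan of the install for PHP code in static-only directories and for files changed in the last day. The script below is an added example written for this thread; it is not code from the posters or from WHMCS. It detects PHP by content as well as by extension, which goes beyond the "indexx.php" case in the thread: a file named "logo.jpg" that contains a PHP open tag is still reported. The directory name "downloads", the PHP extension list and the sample install tree it builds in a temporary directory are constructed assumptions, not WHMCS's real layout.

```python
"""Post-incident triage for a PHP web application install.

Added example for this thread, not code from the posters or from WHMCS.
It walks an install directory and reports (1) PHP code found under
directories that should only hold static files, detected by extension
and by content, and (2) files modified within a recent time window.
Directory names and the sample tree are constructed assumptions.
"""
import os
import re
import tempfile
import time

# Extensions a typical Apache/PHP handler set executes as PHP (assumption).
PHP_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}
# Open tags that make a file PHP regardless of its extension.
PHP_TAG = re.compile(rb"<\?(php|=)")


def is_php_file(path):
    """True if the file is PHP by extension or contains a PHP open tag."""
    ext = os.path.splitext(path)[1].lower()
    if ext in PHP_EXTENSIONS:
        return True
    try:
        with open(path, "rb") as fh:
            head = fh.read(65536)  # first 64 KiB is enough for an open tag
    except OSError:
        return False
    return PHP_TAG.search(head) is not None


def unexpected_php(root, static_dirs):
    """Return sorted relative paths of PHP files under static-only directories."""
    findings = []
    for sub in static_dirs:
        base = os.path.join(root, sub)
        for dirpath, _dirs, files in os.walk(base):
            for name in files:
                full = os.path.join(dirpath, name)
                if is_php_file(full):
                    findings.append(os.path.relpath(full, root))
    return sorted(findings)


def recently_modified(root, since_seconds, now=None):
    """Return sorted relative paths of files whose mtime falls inside the window."""
    now = time.time() if now is None else now
    cutoff = now - since_seconds
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.getmtime(full) >= cutoff:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def build_sample_tree():
    """Constructed install tree for a self-contained demo (not a real WHMCS layout)."""
    root = tempfile.mkdtemp(prefix="triage-demo-")
    old = time.time() - 30 * 24 * 3600  # 30 days ago; None keeps a fresh mtime
    files = {
        "downloads/manual.pdf": (b"%PDF-1.4 constructed", old),
        "downloads/indexx.php": (b"<?php echo 'constructed'; ?>", None),       # planted PHP
        "downloads/logo.jpg": (b"\xff\xd8\xff<?php /* constructed */ ?>", None),  # PHP behind .jpg
        "templates/default/header.tpl": (b"{$companyname}", old),
        "configuration.php": (b"<?php $db_host = 'localhost';", old),        # legitimate, old
    }
    for rel, (data, mtime) in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
        if mtime is not None:
            os.utime(full, (mtime, mtime))
    return root


if __name__ == "__main__":
    demo = build_sample_tree()
    print("PHP in static dirs:", unexpected_php(demo, ["downloads"]))
    print("Modified in last 24h:", recently_modified(demo, 24 * 3600))
```

Run it against a real install with `unexpected_php("/path/to/install", ["downloads", "attachments"])` and a window covering the time of the suspicious ticket; anything it lists is a candidate for removal and for a look at the web server access log for the same time range. A hit in the modified-files list for the configuration file or the admin table backup is exactly the kind of change the third post reports.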
