I usually don't get involved in messes like this... but here's a little something yanked from from our own logs:
50.46.111.187 manage.buyvm.net - [16/Jun/2013:02:51:56 -0700] "GET /centralbackup.php HTTP/1.1" 301 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36 AlexaToolbar/alxg-3.1"
Note the IP address.
Looks like that WHMCS Login Tracker is going to come in handy here:
EDIT: For anyone unsure what they're looking at here... that terminal window is just running a perl script that retrieves records from our billing panel logins, and puts it in a nice, readable table.
I would also like to note that as of 1017h of 09June, Clarke's services with us were terminated, and he was barred from further service. I disclose this to emphasize the fact that he had no reason to be "testing" an exploit on us (for a panel we don't even use).
And as for the rest of you that tried to 'test' on us as well... yes, I know who you are, and yes, it will impact your tenancy with us. Too late to claim "just watching your back".