Because it's a CGI script, it doesn't seem as though there is an easy way to block this.
mod_security rules would block this; however, you'd have to have a pretty specific rule, as you can't really block the filename: it'll change constantly.
Many of the things in /scripts are not actually used in WHM. You will find that many of the times that WHM calls /scripts/whatever, the script itself does not exist and it is sending commands to a compiled binary instead of using a script in /scripts. That's what it is also doing whenever it accesses the nonexistent /scripts2 directory.
I'll add that those commands and nonexistent scripts are not usable from the command line for anyone.
You can use the ones that exist, like wwwacct, which doesn't complete its task, but is runnable for any user. However, adding privs to resellers is done in the manner I described above, NOT with one of the scripts in /scripts. Therefore, I would very much like to know how you accomplished adding root reseller privs to an account in this manner.
He was either allowed by your rules, or it's also possible that blocking 2087 doesn't do any good with the way stunnel works.
The remote access features are sort of an API for WHM, so you can control it from remote machines. When you look in root WHM and see 'setup remote access key', what you are setting up in there is an access hash that this guy managed to get a hold of somehow and used it to access your server.
This could be done if the person had rooted another one of your machines that had a dns relationship set up with this server.
Also, if your billing system creates accounts automatically, check it for signs of compromise. Check the logs and make sure nobody's been messing with it. To me, that seems like it would be the weakest link and the most likely culprit.