You said you cannot find his IP in the customer web portal apache logs, your MySQL server is secure and you don't think it was via memcached server. It seems it may be by injection on the web portal.
I have his IP through the call record, as I have modified the a2billing agi to grep the peer Ip for each call and store it in cc_call, so, I grep it from there... in the customer portal, couldn't grep his IP from anywhere, I have searched in all log for that IP, or similar range IPs, nothing in secure, apache, mysql, nothing... even, mysql I have it restricted only for my network IPs, unacceptable from outside...
For injections, not really sure if I have it secured, I have only prepared statements, and the apache mod_security and mod_responsive, and the fail2ban sql injections filters... can't really assure if it's the best or if it's enough...!
Are you using the original A2B interface?
Yes, I use the original interface with some customizations in the customer portal, v.2.0.1. and the admin is renamed...