One of our clients' sites was recently compromised, we suspect via a brute-force attack. The attacker proceeded to somehow delete the entire contents of the uploads dir (whilst leaving the media library records intact). Upon investigation it materialised that there were records in the media library of several files having been uploaded: one called db.php and another called shell (without an extension); see here for a screengrab of the media library. My question is: does anyone know how they managed to upload these malicious files, when WordPress core is supposed to prevent .php files and any files without an extension from being uploaded?
Incidentally, the files that the attacker managed to upload were deleted; presumably they were programmed to self-destruct. So, unfortunately, I was unable to see the workings of the code inside them, which could otherwise have given some clues as to what needs to be tightened up to stop this in future.
I have now managed to restore most of the files, upgraded to 3.5 (it was running 3.4.2 before) and have put some security measures in place, including the Limit Login Attempts plugin, and have also obfuscated the wp-admin location as described here, so hopefully they won't be getting in again. But I'm just curious to know whether anyone else has come across a similar scenario and whether anyone knows how to close whatever security hole allowed this hacker to upload this .php file and the shell file?
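The post does not show the files that were planted, so here is an added example (my own code, not the original poster's and not part of WordPress) of two things a practitioner would do next on a site like this: scan wp-content/uploads for files that should never be there (a .php extension anywhere in the name, no extension at all like the "shell" file, or a PHP open tag hiding behind an image extension), and, assuming the site runs on Apache with .htaccess enabled, drop an .htaccess into uploads that refuses to execute PHP there. The directory layout, file names and file contents are constructed for the example, and the extension list is an assumption to extend for your own stack. Neither step identifies how the files got in; that still needs the web server and login logs.

```python
"""Scan a WordPress uploads tree for planted scripts and deny PHP execution in it.

Added example, not code from the original post or from WordPress core.
"""
import os
import tempfile
from typing import List, Optional, Tuple

# Extensions a typical PHP web server hands to the interpreter.
# Assumption for this example; extend it for your own server configuration.
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}


def classify(path: str) -> Optional[str]:
    """Return a reason string if `path` looks like a planted script, else None."""
    name = os.path.basename(path)
    if name == ".htaccess":          # expected in uploads once hardened; not a script
        return None
    parts = name.lower().split(".")
    exts = {"." + p for p in parts[1:]}   # catches double extensions like x.php.jpg
    if exts & PHP_EXTENSIONS:
        return "php extension"
    if len(parts) == 1:                   # no dot at all, like the post's "shell" file
        return "no extension"
    with open(path, "rb") as fh:          # harmless extension but PHP inside
        head = fh.read(64).lstrip()
    if head.startswith(b"<?php") or head.startswith(b"<?="):
        return "php open tag in content"
    return None


def scan_uploads(root: str) -> List[Tuple[str, str]]:
    """Walk `root` and return (relative path, reason) for every suspicious file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reason = classify(full)
            if reason:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, reason))
    return sorted(findings)


# Apache-only hardening (assumption: Apache with .htaccess overrides enabled).
# Uses the 2.2-style directives, which Apache 2.4 still honours through
# mod_access_compat. This limits damage if a file slips through; it does not
# close whatever let the attacker upload in the first place.
UPLOADS_HTACCESS = """<FilesMatch "\\.ph(p[0-9]?|tml|ar)$">
    Order allow,deny
    Deny from all
</FilesMatch>
"""


def write_uploads_htaccess(root: str) -> str:
    """Write the deny rule into `root`/.htaccess and return its path."""
    path = os.path.join(root, ".htaccess")
    with open(path, "w") as fh:
        fh.write(UPLOADS_HTACCESS)
    return path


def build_sample_tree(root: str) -> None:
    """Constructed sample tree mirroring the post: a db.php, an extension-less
    'shell', a script disguised as an image, and two legitimate-looking images."""
    os.makedirs(os.path.join(root, "2012", "12"), exist_ok=True)
    samples = {
        "2012/12/photo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
        "2012/12/logo.png": b"\x89PNG\r\n\x1a\n constructed png bytes",
        "2012/12/db.php": b"<?php echo 'planted'; ?>",
        "2012/12/shell": b"<?php echo 'planted'; ?>",
        "2012/12/banner.jpg": b"<?php /* php hiding behind .jpg */ ?>",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)


def demo() -> List[Tuple[str, str]]:
    """Build the constructed tree in a temp dir, harden it, scan it, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        write_uploads_htaccess(tmp)
        return scan_uploads(tmp)


if __name__ == "__main__":
    for rel, why in demo():
        print(f"{why:26} {rel}")
```

Run it against the real directory with `scan_uploads("/path/to/wp-content/uploads")`; anything it reports is worth comparing against the upload dates in the media library and the access log for the same minute. On nginx the .htaccess does nothing, so the equivalent is a `location` block for the uploads path that returns 403 for `.php` requests instead.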