2.6 Got hacked by exploit?

Right, a little ‘Googling’ shows that a great lot of WP sites have a wpau-backup folder and it appears to be writable too, since I ran into one hack. The WP-hackers mailingslist discusses if this is a possible hacking possibility. I have used the plugin myself, but I have no such folder, so I guess the people who DO have the folder, didn’t use the cleanup function of the plugin.
In you case the hacker ran into the folder and was then somehow able to find your other files? THAT’s serious! You still have the wpau-backup folder, better start by deleting that one, have a look at the files permissions and find the article called “Hardening WordPress” in the “codex”/”docs”.

[edit] An interesting discussion about the subject can be found here.

Whoa. Well, what is the latest version? I used 1.2.2. Is there a more recent version than that to use for cleanup?

Also, I have the wpau-backup folder on my server now. It appears to be empty. Does that mean there’s still a problem to be cleaned up?

This seems to be the last one. 1.2.2 Indeed.
As far as I know, all previous versions urged to cleanup after the upgrade, but apparently not everybody did. I would advice to delete the folder when the upgrade is done (in my case, the plugin did so), even when it’s empty (there’s no use for it then anyway).
Bloubby, ALL folders put on the web are accessible. The problem is that we now all know that this folder is indexed by Google so everybody not doing what the plugin suggests is easily tracked down. Better to follow the instructions closely.

[edit] Keith. Just wondering. The WP Database Backup plugin seems to make backups without writing to the server (which IS optional but not recommended). Wouldn’t it be possible to make your backups that way too? That other plugin makes a backup, you save it to your PC and there’s nothing on the server, so no extra risk.