• It seems that my WordPress MU site was hacked recently. YES!! I am running the latest version.

    Here is what seemed to happen.

    I looked in the plugins directory and discovered a file called main.php. This file displayed a form that could be used to send e-mail.

    I suspect that what was happening is that when the site loaded, it loaded all the plugins. When main.php was loaded, it executed and displayed the mail form.

    There were no changes to the blog metadata that indicated a new plugin was installed. index.php was not modified and no other changes to the database seemed to be made. No users were added to the blog as far as I can tell. The database seems to have not been touched.

    Here’s the problem. I deleted the main.php file and all appears to be OK. However, I suspect that there is still stealth code that has been inserted that is looking for the main.php file and just not complaining when it can’t find it.

    Can someone give me some guidance as to how and where plugins are loaded when the blog is first accessed? I need to track down if there is some other code that was changed so that the main.php file was being executed.
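One way to run the check asked about above, as an added example that is not part of the original post: it searches a WordPress tree for statements that load `main.php`, lists PHP files sitting directly in `wp-content/plugins` without a `Plugin Name:` header, and lists `wp-content/mu-plugins`, whose PHP files WordPress loads on every request without activation. The standard directory layout and all function names are assumptions.

```python
import os
import re
import sys

# Assumption: standard layout with wp-content/plugins and wp-content/mu-plugins.
SCANNED = (".php", ".htaccess", ".user.ini")


def loader_lines(root, filename="main.php"):
    """Lines in PHP or per-directory config files that include or prepend `filename`."""
    name = re.escape(filename)
    pat = re.compile(r"(include|require)(_once)?\b.*" + name
                     + r"|auto_prepend_file.*" + name, re.I)
    hits = []
    for folder, _dirs, files in os.walk(root):
        for entry in files:
            if not entry.lower().endswith(SCANNED):
                continue
            path = os.path.join(folder, entry)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for number, line in enumerate(fh, 1):
                    if pat.search(line):
                        hits.append((os.path.relpath(path, root), number, line.strip()))
    return sorted(hits)


def php_without_plugin_header(root):
    """PHP files directly in wp-content/plugins lacking a 'Plugin Name:' header.
    The stock index.php stub has no header either, so review it by hand."""
    plugins = os.path.join(root, "wp-content", "plugins")
    flagged = []
    for entry in sorted(os.listdir(plugins)) if os.path.isdir(plugins) else []:
        path = os.path.join(plugins, entry)
        if entry.lower().endswith(".php") and os.path.isfile(path):
            with open(path, "rb") as fh:
                # WordPress reads plugin headers from the first 8 KB of the file.
                if b"plugin name:" not in fh.read(8192).lower():
                    flagged.append(entry)
    return flagged


def always_loaded(root):
    """PHP files in wp-content/mu-plugins; each one runs on every request."""
    mu = os.path.join(root, "wp-content", "mu-plugins")
    names = os.listdir(mu) if os.path.isdir(mu) else []
    return sorted(n for n in names if n.lower().endswith(".php"))


if __name__ == "__main__":
    site = sys.argv[1] if len(sys.argv) > 1 else "."
    print(loader_lines(site), php_without_plugin_header(site), always_loaded(site))
```

Pass the site's document root as the only argument; anything reported is a candidate for comparison against a clean copy of the same WordPress release.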

Viewing 1 replies (of 1 total)
  • The topic ‘WordPress MU Hacked — Inserted Plugin called Main.php’ is closed to new replies.