• WordPress server was infected with malware that enabled the attacker to create a subfolder with malicious (phishing) content.

    After building a new server (LEMP + WP4.1), and copying the mysql dump plus the wordpress directory structure, the attacker resumed his activities on the new machine.

    A special script called “phpinfo.php” in the wp-contents folder was actually a kind of control panel that the hacker could log on to, and which probed my server in various ways, and offered a menu system for him to do various tasks, like upload files and check the security settings.

    What should be my next steps? I am now building yet another server from scratch, and presumably will have to sift through all the code I have changed. This is the theme (which I have modified extensively) and one of the plugins (also modified quite a lot). Other than that code, I can use new installs from trusted sources. But the theme and the one plugin must be copied over for production reasons.

    I am now reading as much as I can and of course running scans of all sorts: rkhunter, chkrootkit and scans offered by WordPress plugins. None of these have been able to discover that the machine is in fact compromised, so I have quite a low level of trust in such virus scanner programs – at least for this particular attack.

    Also: is it possible to paste this hacker program somewhere for someone knowledgeable to study it and tell me what it is and how it entered my server? I don’t want to post it on the web, so as not to distribute malicious code.
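The poster's real problem is the one every migration after a compromise runs into: the theme and plugin were copied from the infected box, so the backdoor (and a tampered "legitimate" file that loads it) travelled with them, and generic rootkit scanners never look there. The practical check is to compare the copied tree against a known-good copy (the vendor download, or the last trusted commit of the modified theme) file by file, and then read every added or modified PHP file, prioritising those containing constructs web shells rely on. The script below is an added example and is not from this thread or from WordPress; the theme name `mytheme`, the file contents and the planted `inc/phpinfo.php` are constructed fixtures built in a temporary directory so the script runs offline.

```python
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Constructs that commonly appear in PHP backdoors. A hit means "read this file",
# not "this is malware": some legitimate plugins use base64_decode or exec too.
SUSPICIOUS_PATTERNS = [
    ("eval", re.compile(r"\beval\s*\(", re.I)),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\(", re.I)),
    ("command-exec", re.compile(r"\b(?:system|shell_exec|passthru|exec|popen)\s*\(", re.I)),
    # request-controlled variable function call, e.g. $_POST['f']( ... )
    ("request-driven-call", re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\[[^\]]+\]\s*\(", re.I)),
    ("file-upload", re.compile(r"\bmove_uploaded_file\s*\(", re.I)),
]
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".inc"}


def sha256_of(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def file_hashes(root):
    """Map relative POSIX path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_trees(clean, suspect):
    """Compare the copied (suspect) tree against a known-good copy (vendor zip or VCS checkout)."""
    a, b = file_hashes(clean), file_hashes(suspect)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "modified": sorted(k for k in a.keys() & b.keys() if a[k] != b[k]),
    }


def scan_php(root):
    """Flag PHP files in the tree that contain any of the suspicious constructs."""
    hits = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in PHP_SUFFIXES:
            text = p.read_text(errors="replace")
            matched = [name for name, pat in SUSPICIOUS_PATTERNS if pat.search(text)]
            if matched:
                hits[p.relative_to(root).as_posix()] = matched
    return hits


def audit(clean, suspect):
    """Full report: what changed relative to the clean copy, plus pattern hits in the suspect copy."""
    report = diff_trees(clean, suspect)
    report["suspicious"] = scan_php(suspect)
    return report


def build_demo():
    """Constructed fixture: a clean theme and a migrated copy that gained one file and lost integrity on another."""
    base = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    clean, suspect = base / "clean" / "mytheme", base / "suspect" / "mytheme"
    for root in (clean, suspect):
        (root / "inc").mkdir(parents=True)
        (root / "functions.php").write_text("<?php\nadd_action('init', 'mytheme_setup');\n")
        (root / "style.css").write_text("/* Theme Name: mytheme */\n")
        (root / "inc" / "widgets.php").write_text("<?php\nfunction mytheme_widgets() {}\n")
    # Planted file (constructed, harmless: the base64 decodes to  echo "hi"; ) that mimics the
    # obfuscated-loader shape the pattern scan is meant to surface.
    (suspect / "inc" / "phpinfo.php").write_text(
        "<?php\neval(base64_decode('ZWNobyAiaGkiOw=='));\n")
    # Legitimate file that was tampered with so the planted file gets loaded on every request.
    (suspect / "functions.php").write_text(
        "<?php\nadd_action('init', 'mytheme_setup');\n@include_once('inc/phpinfo.php');\n")
    return clean, suspect


if __name__ == "__main__":
    clean_dir, suspect_dir = build_demo()
    print(json.dumps(audit(clean_dir, suspect_dir), indent=2))
```

Note that the tampered `functions.php` produces no pattern hit at all, only an `include_once`, which is why the hash comparison against a trusted copy is the primary check and the pattern scan is just a way to order the reading list: run it as `audit(Path("clean/mytheme"), Path("migrated/mytheme"))` against the real directories, and treat every entry under `added` and `modified` as something to read before it goes on the rebuilt server.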

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Attacker placed backdoor script in WP root folder’ is closed to new replies.