my client's wordpress got hacked yesterday and I wonder if the hacker used some hole in TwentyTen theme. When I browsed through the wordpress files, I noticed that they had uploaded malware in two different folders. In twentyten/images there was a file called index.php which contained a password form. All the twentyten files were dated in October 2013. Yesterday evening they uploaded malware files in my custom theme folder, apparently using somehow the password form they had uploaded earlier. Unfortunately I don't have any log files from October so I cannot check how they got in back then. Both folders have 755 permissions.
List of malware files:
One of the files contained a comment line saying "Web Shell by oRb".
I managed to save the site by deleting all these files and I also changed all the passwords.
I don't know if this is the right place posting this but if someone has had a similar attack I'd be happy to know about it. My client has updated the wordpress whenever there has been a new version available, so this is not a question of outdated software. Also they don't have any special plugins (just AddThis Social Bookmarking Widget, Akismet, Google XML Sitemaps, Hello Dolly and Twitter Widget Pro - all are up to date).
Thanks in advance!