@ nettybet
If the hacker at you site always have IPs from Iraq, then it might be an idea to bloch that country in the htaccess file. You can then drop the htacaess-file in the root folder (blocking you whole site for visitors from Iraq) or just put the htaccess-fil in the admin folder to prevent access to that folder for Iraq-IPs.
@ Sven D.
Thank you! Their IP information is Win7
1366×768 Iraq Flag Irbil,
Arbil,
Iraq Evdo-subscribers-erbil (109.127.86.97)
@ Scott
I will send you private message with contact info. However, did you know their is a TimThumb plug-in to test vulnerability? A friend I forwarded your info to sent me this link: http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/
Curious what everyone thinks of this plug-in?
I had a similar experience, and i found the kit used with hacker, it was uploaded via vbulletin script security whole or (calender.php , faq.php , search.php)
this is the shell used with the hacking http://bit.ly/VOYDiI
its name is: (S a u d i S h 3 l l v1.0)
you should scan your server for this evil shell, and also scan all the accounts for a file (usually called script.php ) that is plant in many accounts on your server, and delete them all.
if you don’t find the shell, the hacker will be able to use it anytime he want.