Coming a bit late in on this one....
We had this all over another shared server for my work [not HostNexus]; we'd been fighting it for a few weeks before this thread, even.
Actions taken:
- Delete unused WordPress, make sure others are updated.
- Checked the users to ensure that there are no suspicious ones.
- Looked for all *.php files containing "eval(base64_decode(" (without the quotes); these are about 6 lines long and are the entry point.
- And then comes the hard part - establishing what has changed. The hacker on the shared server we used liked injecting scripts into the HTML, so we just hunted for "document.write(unescape(" (without the quotes) and, once ruling out the Google Analytics code, we found some of the damage.
- We set a monitoring script to establish when a file was updated (this e-mailed several of us, plus the last few entries in the log file - and is how we're picking off the entry points)
- Finally set permissions to lock down what could be written to. One downside of running PHP as fast-cgi is that PHP runs with the same permissions as the ftp-user; if you run as a module, then it runs with Apache permissions and these are easier to lock. We also set permissions so that other users on the server couldn't write to our area.
A right pain - but that's the downside of "free" software.
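
The checks listed in the post above, as an added Python example that is not the poster's own script: it flags PHP files containing `eval(base64_decode(`, web files containing `document.write(unescape(` outside a Google Analytics line, and files that are new or changed against a stored hash baseline. The `google-analytics.com` exclusion, the file extensions and the names `scan` and `demo` are assumptions, and the sample files are constructed.

```python
import hashlib, os, re, tempfile

PHP_MARKER = re.compile(rb"eval\s*\(\s*base64_decode\s*\(")
JS_MARKER = re.compile(rb"document\.write\s*\(\s*unescape\s*\(")
GA_HINT = b"google-analytics.com"  # assumption: how the legitimate GA snippet is recognised
WEB_EXT = {".php", ".html", ".htm", ".js"}  # assumption: file types worth scanning

def scan(root, baseline=None):
    """Return (findings, hashes); findings is a sorted list of (relative path, reason)."""
    findings, hashes = set(), {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read()
            hashes[rel] = hashlib.sha256(data).hexdigest()
            ext = os.path.splitext(name)[1].lower()
            if ext == ".php" and PHP_MARKER.search(data):
                findings.add((rel, "eval-base64"))
            if ext in WEB_EXT:
                for line in data.splitlines():
                    # Skip lines that look like the Google Analytics loader.
                    if JS_MARKER.search(line) and GA_HINT not in line:
                        findings.add((rel, "write-unescape"))
            # With a baseline, report anything added or modified since it was taken.
            if baseline is not None and baseline.get(rel) != hashes[rel]:
                findings.add((rel, "new" if rel not in baseline else "changed"))
    return sorted(findings), hashes

def demo():
    """Build a constructed web root, take a baseline, alter it, and rescan."""
    def put(root, rel, text):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
    with tempfile.TemporaryDirectory() as root:
        put(root, "index.html", "<p>hello</p>\n")
        put(root, "ga.html", 'document.write(unescape("%3Cscript src=//www.google-analytics.com/ga.js%3E"));\n')
        put(root, "page.php", "<?php echo 'ok'; ?>\n")
        first, baseline = scan(root)
        # Constructed stand-ins for injected code; the encoded string is the word "constructed".
        put(root, "page.php", "<?php eval(base64_decode('Y29uc3RydWN0ZWQ=')); ?>\n")
        put(root, "index.html", '<p>hello</p>\n<script>document.write(unescape("%3Cb%3Ex%3C/b%3E"));</script>\n')
        put(root, "extra.php", "<?php echo 'new file'; ?>\n")
        second, _ = scan(root, baseline)
    return first, second

if __name__ == "__main__":
    for rel, reason in demo()[1]:
        print(reason, rel)
```

Run from cron, the hashes returned by one `scan` call can be saved and passed as `baseline` to the next, which gives the "when was a file updated" signal the post describes.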