Quote Originally Posted by unspawn
- Deleting foreign objects without first saving details (process, open files, network connections, time stamps, ownership, access permissions) is the best way to thwart any investigation.
Agree with this, and kind of regretted it as soon as I did it. I was just a bit panicked and was being rash. I knew that it would limit what I was able to do and how much help I was able to retrieve from others.

Quote Originally Posted by unspawn
- Given how web stack exploits work a compromise of (usually) the UID the web server runs as does not automagically make it to a full-blown root compromise.
Agree. I have tightened up the permissions on the webserver directory and only made folders writeable where they need to be. I don't have anything "sensitive" on the server and I am confident that my data is OK.

Quote Originally Posted by unspawn
- Suggesting a (full-blown root) compromise without actually investigating it is inefficient to say the least (I'll leave the expletives out).
I don't think I did this. Perhaps I should have put more detail about the entry point. Apologies for any confusion.

Quote Originally Posted by unspawn
- Restoring from backup without checking contents first or re-installation without investigating first may easily expose the same loophole all over again.
I agree. I have not yet rebuilt the box (mainly because I don't have the time at the moment) but I have made sure that there are no unknown or dubious looking connections to the box (there was 1) and have patched up WordPress to the latest version (I was running 2.8.4). I will monitor the situation for now but so far I have not seen any more of the emails and no unknown connections.

Many thanks to all for all your comments on this. Much appreciated. I will try and make sure that I stay more up-to-date in future!!
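As an added example (not code from this thread, and not from unspawn or the original poster), here is a small POSIX shell function that does what the first quoted point asks for: it records the details unspawn lists (timestamps, ownership, permissions, a hash, who has the file open, the process list and current TCP connections) and keeps a metadata-preserving copy, and only then removes the foreign file. The function name and the evidence layout are assumptions for illustration; it assumes coreutils (stat, cp, date) and uses lsof and ss only if they are installed, falling back to cksum where sha256sum is missing.

```shell
# Added example, not code from the thread. Preserve evidence about a suspicious
# file before removing it, so the cleanup does not destroy the investigation.
# Assumes POSIX sh + coreutils; lsof and ss are optional extras.
preserve_then_remove() {
  target="$1"   # suspicious file, e.g. something dropped into the web root
  evdir="$2"    # evidence directory; keep it outside the web root

  mkdir -p "$evdir"
  base=$(basename "$target")
  log="$evdir/$base.meta.txt"

  # Hash first, while the file is still untouched.
  if command -v sha256sum >/dev/null 2>&1; then
    hash=$(sha256sum "$target")
  else
    hash=$(cksum "$target")       # POSIX fallback, weaker but better than nothing
  fi

  {
    echo "collected_at: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    echo "path: $target"
    echo "hash: ${hash%% *}"
    echo "--- stat: timestamps, owner, mode, inode ---"
    stat "$target"
    echo "--- processes holding the file open (lsof, if installed) ---"
    if command -v lsof >/dev/null 2>&1; then lsof "$target" 2>/dev/null || true; fi
    echo "--- full process list ---"
    ps -ef 2>/dev/null || true
    echo "--- tcp connections (ss, if installed) ---"
    if command -v ss >/dev/null 2>&1; then ss -tnp 2>/dev/null || true; fi
  } > "$log"

  # -p keeps the original mtime/atime, owner and mode on the copy.
  cp -p "$target" "$evdir/$base.copy"

  # Only now is it safe to get rid of the original.
  rm -f -- "$target"
  echo "$log"
}
```

Usage is `preserve_then_remove /var/www/html/dropped.php /root/evidence`, run as a user that can read the file and see the relevant processes; the function prints the path of the metadata log it wrote. The point is ordering: hash, stat, open-file and connection state are captured before the `rm`, because none of them can be recovered afterwards.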