
One of my sites has been the continuous target of the "Pharma Hack" - but it's using Drupal instead of WordPress or Joomla. It is version 6, but it's updated to the latest version, and so are all of the modules that I have installed.

I've changed passwords, deleted offending files, completely redone the installation of the site, but somehow they continue to gain access. This site is a non-profit organization and it's seriously impacting our search results on Google, etc.

Ken

1 Answer


You cannot trust any of the statistics or metrics that you get from the server itself. It may have a rootkit (more or less a POSIX-based euphemism for virus). If you absolutely must analyze the server, you'll want to analyze the traffic going out of your NICs. Use a TAP / mirror port and get ready to sift a bunch of junk. Sure, the server might not have a rootkit. It might be a simple matter to clean the server off. Sure, you could use something like Rootkit Hunter to try and rectify the situation.

I'll say it again: You can never trust what you see on that server again. You must go outside of it to find out what's going on.

Your best option will be to nuke it from orbit.


Rebuild it. Monitor every change to the file system. Learn about tripwire. Inotify too.

Read this ServerFault thread "My server's been hacked EMERGENCY." Twice. That is all.

Wesley
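Added example, not part of Wesley's answer: a minimal tripwire-style baseline-and-compare in Python, showing the "monitor every change to the file system" step on a rebuilt docroot. It assumes the baseline is taken right after the rebuild and stored off the server; the Drupal-like directory layout in `demo()` is a constructed sample.

```python
import hashlib
import os
import tempfile
# Added example (not from the original answer): a minimal tripwire-style
# file-integrity baseline; the docroot in demo() is a constructed sample.
def _fingerprint(path):
    """(sha256, permission bits, size) for one regular file."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return (h.hexdigest(), st.st_mode & 0o7777, st.st_size)

def build_baseline(root):
    """Fingerprint every regular file under root; keep the result off the host."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are out of scope here
            baseline[os.path.relpath(full, root)] = _fingerprint(full)
    return baseline

def compare(baseline, current):
    """Paths added, removed or changed (content, mode or size) since baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def demo():
    """Constructed scenario: baseline a tiny Drupal-like docroot, then apply the
    kind of changes a web compromise leaves and diff against the baseline."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "sites", "default"))
    for rel, body in (("index.php", b"<?php // original\n"),
                      ("sites/default/settings.php", b"<?php $db = 'x';\n"),
                      ("robots.txt", b"User-agent: *\n")):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    before = build_baseline(root)
    with open(os.path.join(root, "index.php"), "ab") as fh:
        fh.write(b"// appended later\n")        # modified file
    with open(os.path.join(root, "sites/default/cache.php"), "wb") as fh:
        fh.write(b"<?php // new file\n")        # dropped file
    os.remove(os.path.join(root, "robots.txt"))  # deleted file
    return compare(before, build_baseline(root))
```

Running the compare from a clean machine against a baseline saved elsewhere is what makes the report trustworthy; a baseline read back from the suspect host proves nothing.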