It's taken the better part of two days now, but I think I have cleaned up and re-secured the site as best I can for now. It was a very long, very troublesome process. The spam files were littered in nearly every folder of the website. I am still unsure of how the access was gained, but my suspicions are leading me to believe it may have been through an old, unused WordPress installation that was on the server. The site had no links exposed to the rest of the site, however, so how it was found is still a mystery.
It and many other items are now gone, and security settings have been raised on all subsystems of the site. Everything seems to be back in working order, but I will continue close monitoring for the time being.
The hack was fairly clever, as it added the data-gathering files along with an .htaccess file that redirected all 404 errors to the data-gathering script. This means that the intruder only needs to try to access a nonexistent file in the directory in order to have his PHP script executed and import the remote code. This method also makes it stick out less in the web logs than it would otherwise. I thought it might be cute to modify the script and use it to send massive amounts of garbage data back to where it was sending the stolen server data, but I think I will hold off on that for now ;)
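One way to sweep a web root for the planted pair described above, a per-directory .htaccess whose 404 handler is a script, written as an added example that is not part of the original post. It assumes the handler is a PHP-type file; the directory and file names in the sample tree are constructed.

```python
import os
import re
import tempfile

# Matches "ErrorDocument 404 <target>"; commented-out lines do not match.
ERRDOC = re.compile(r'^\s*ErrorDocument\s+404\s+(\S+)', re.IGNORECASE | re.MULTILINE)
SCRIPT_EXT = ('.php', '.phtml', '.php5', '.phar')  # assumed handler types

def find_404_handlers(webroot):
    """Return (htaccess_path, target, handler_exists) for every .htaccess
    under webroot whose 404 ErrorDocument points at a PHP-type script."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        if '.htaccess' not in files:
            continue
        ht = os.path.join(dirpath, '.htaccess')
        with open(ht, 'r', errors='replace') as fh:
            text = fh.read()
        for target in ERRDOC.findall(text):
            path = target.strip('"\'').split('?', 1)[0]
            if not path.lower().endswith(SCRIPT_EXT):
                continue  # static error pages and text messages are ignored
            # Paths starting with "/" resolve from the web root, others from this directory
            base = webroot if path.startswith('/') else dirpath
            local = os.path.join(base, path.lstrip('/'))
            findings.append((ht, target, os.path.isfile(local)))
    return findings

def build_sample_tree():
    """Constructed sample: one ordinary error page, one planted script handler."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, 'images'))
    os.makedirs(os.path.join(root, 'blog'))
    with open(os.path.join(root, 'blog', '.htaccess'), 'w') as fh:
        fh.write('# normal custom error page\nErrorDocument 404 /notfound.html\n')
    with open(os.path.join(root, 'images', '.htaccess'), 'w') as fh:
        fh.write('ErrorDocument 404 /images/cache.php\n')
    with open(os.path.join(root, 'images', 'cache.php'), 'w') as fh:
        fh.write('<?php /* placeholder */ ?>')
    return root

if __name__ == '__main__':
    for ht, target, exists in find_404_handlers(build_sample_tree()):
        print(f'{ht}: 404 -> {target} (handler present: {exists})')
```

Each finding is a directory to inspect by hand; a legitimate application can also route 404s to a script, so the list is a starting point rather than a verdict.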
