Can the devs of this plugin confirm whether this is fixed in the latest release?
Oh yes, this was fixed way back in 2.4, over a year ago. And it was only a theoretical exploit, never actually seen in the wild.
Thanks for the quick response!
I’m guessing the reviewer was hacked via another exploit (not related to this plugin) then…
That is most likely. And the “FREEDOM FOR PALESTINE”-hack affected many web pages, not just WordPress.
Sorry, I meant to post back about this before. It was an old WordPress theme called “famous” that my hosting service said was the vulnerability. My site uses the “graphene” theme, but I had “famous” and a few other old themes installed but not activated. Lesson learned: delete any themes you aren’t using and keep your current theme and plug-ins up to date to be safe. I jumped to the conclusion that the “enable media replace” plug-in was to blame and it was not, so my apologies to Måns Jonasson. This is what HostGator said:
Our scans have completed with the removal of the malicious content on the account including:
File: /home/erikwtn/public_html/home/wp-content/uploads/readme.php
Size: 128803 Blocks: 264 IO Block: 4096 regular file
Device: 807h/2055d Inode: 219742219 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 1256/ erikwtn) Gid: ( 1247/ erikwtn)
Access: 2013-03-31 21:44:38.000000000 -0500
Modify: 2013-03-31 21:44:38.000000000 -0500
Change: 2013-03-31 21:44:38.000000000 -0500
/home/apachelogs/erikwtn/eawmedia.com-Apr-2013.gz: 49.50.8.104 - - [31/Mar/2013:21:44:36 -0500] "POST /home/wp-content/themes/famous/megaframe/megapanel/inc/upload.php?folder=/home/wp-content/uploads/&fileext=php HTTP/1.1" 200 35 "-" "-"
They were able to upload the malicious content by exploiting a vulnerability in that theme (http://blog.sucuri.net/2012/06/uploadify-uploadify-and-uploadify-the-new-timthumb.html), but as it was removed the avenue of exploitation has been closed.
Please contact us anytime if you have any questions or need assistance.
Timothy L.
Senior Security Administrator II
HostGator.com LLC
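A defender-side check for the pattern HostGator's log excerpt shows, added here as an example and not code from the thread or from any of the projects mentioned: it parses Apache combined-format lines and flags both the POST to a theme's upload handler that asks for a script extension or names its own destination folder, and any later request that executes a PHP file from wp-content/uploads. The sample log lines are constructed (the first reproduces the request quoted above; the other addresses are documentation ranges).

```python
import re
from urllib.parse import urlparse, parse_qs

# Apache combined log: host ident user [time] "method target proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Extensions PHP will execute; none of these belong under wp-content/uploads.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar"}

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return a reason string if the request is suspicious, else None.
    1. a request that executes a script from wp-content/uploads (the dropped file);
    2. a POST to a theme/plugin upload handler whose query asks for a script
       extension or names the destination folder (the request in the HostGator log)."""
    if entry is None:
        return None
    url = urlparse(entry["target"])
    path = url.path.lower()
    ext = path.rsplit(".", 1)[-1] if "." in path else ""
    if "/wp-content/uploads/" in path and ext in SCRIPT_EXTS:
        return "script executed from uploads"
    if entry["method"] == "POST" and "/wp-content/" in path and path.endswith("upload.php"):
        qs = parse_qs(url.query)
        wanted = {e.lower().lstrip(".") for e in qs.get("fileext", [])}
        if wanted & SCRIPT_EXTS:
            return "upload handler asked to accept a script extension"
        if "folder" in qs:
            return "upload handler given a caller-chosen destination folder"
    return None

def scan(lines):
    """Return (ip, target, reason) for each suspicious log line, in log order."""
    hits = []
    for entry in map(parse_line, lines):
        reason = classify(entry)
        if reason:
            hits.append((entry["ip"], entry["target"], reason))
    return hits

# Constructed sample log; the first line reproduces the request quoted by HostGator.
SAMPLE_LOG = [
    '49.50.8.104 - - [31/Mar/2013:21:44:36 -0500] "POST /home/wp-content/themes/famous/'
    'megaframe/megapanel/inc/upload.php?folder=/home/wp-content/uploads/&fileext=php HTTP/1.1" 200 35 "-" "-"',
    '49.50.8.104 - - [31/Mar/2013:21:44:40 -0500] "GET /home/wp-content/uploads/readme.php HTTP/1.1" 200 128803 "-" "-"',
    '203.0.113.5 - - [31/Mar/2013:21:45:00 -0500] "GET /home/wp-content/uploads/2013/03/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [31/Mar/2013:21:46:12 -0500] "POST /home/wp-admin/async-upload.php HTTP/1.1" 200 210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, reason in scan(SAMPLE_LOG):
        print(f"{ip}  {reason}: {target}")
```

Run against a real access log, the two hits above are the upload request and the first execution of the dropped file, which is the pair worth checking before assuming a plugin was at fault.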
ErikWTN,
You really should upgrade your rating and revise the post… both are possible, I believe. Like a lot of folks, I check the negative posts for possible problems.