TimThumb hacking in Classipress V. 3.1.4?
We are running WordPress 3.5.2 with Classipress version 3.1.4. Several months ago we got notice from our host that our server had some kind of bot running that was sending spam. We quickly tracked it down to a WordPress install running Classipress 3.1.4. I saw that a "flickr.com" folder had been installed on the server somehow and I deleted it. I changed all the passwords, etc., etc., but it still comes back. The malware scanner also indicated that it was a possible TimThumb exploit, so we updated those files as well. No matter what, once every month it restarts again. I have no idea how they are getting in. It's not by FTP, so it must be some kind of exploit in the theme. We made many customizations to the 3.1.4 theme files, so upgrading the theme is not an option at this point.
Has anyone else had this problem and know what hole to close?
Thank you.