Well now I know what the PHP files dropped on my server by spammers do – they send out masses of pornographic spam using my email. In 5 hours, they were able to send out 17,000 individual emails. These did NOT get caught by the email server because it was set up to trust locally generated mail (not any more) and because the internal anti-spam feature was looking for large volumes of mail from one address to many recipients. The scripts generated each email with a unique sender, so the counts never got very high.
For the benefit of those who may be similarly infected, here is a list of all the bad files I was able to find on the server. Note that in many cases, they are replacements of existing files they you would expect to find.
I found these by doing file content scans looking for common strings. Since they are relying on PHP to execute the code, they have to have some valid PHP in them. But the vast majority of the script is encoded and is decoded on the fly.
The only way I can see that the spammers broke in was by using a brute-force attack on the WordPress login screen. There is no “native” brute force protection in WP, so I added the very fine plugin “Cerber” which I highly recommend. I added it after I noticed a second brute force attempt with 84,000 tries in just under 3 hours (that is 8 per second!).
So far, the new longer, stronger passwords and Cerber are doing their job.
I gave a password presentation at MUGOO. That link points to a PDF of the presentation.