
PHP Injection Attack - how to best clean up the mess?


1.) Keep a repository of the files you are using for these apps (e.g. SVN or similar)

2.) Keep up-to-date as best as possible with each apps security updates (most have an RSS feed)

3.) Back up your DBs regularly

If/when the !@#$ hits the fan you can start over with a fresh copy of the DB and redeploy the code from SVN.


After your system has been compromised you really have only two options: audit every line of every application or reinstall everything. Since it sounds like these are all open-source or commercial programs, you're probably better off reinstalling them all. There really isn't a better way to ensure you don't have a back-door in one of them now.

A security expert would likely recommend that you completely reinstall the OS too, because you can't be certain that some code wasn't slipped into a place that will affect the OS; however, if your permissions were set up correctly, this may be overkill.


We make a complete directory listing, all drives and folders, to a text file each day.

It has helped us to discover what files have been twiddled, after the fact, in the past.

Not much help with where you are now, but might help in the future.

(Doesn't stop things faking their size/modify date, but will help to sort out the mess for things that don't bother)