Please remove

[Ziggywigged]

-deleted-

[cb2004]

Do you have any other scripts installed? Like Coppermine or something?

[cb2004]

What modules do you have installed?

[Pierre M.]

...the access log file is over 1GB (is that normal) but what in particular should I be looking for?

Look for strange query strings (junk after '?'). The first ones. It is even easier when pretty URLs are activated.

Kind request to a pretty URL :

Code: Select all

"GET /aboutus/locations.html HTTP/1.1" 200

Strange request :

Code: Select all

/some/path/to/page.html?evil_parameter=1bad&some=http://junk...

Search for double slash, stars or path to /lib, /admin etc.

Filtering bad requests I get :

Code: Select all

"GET /cmsmsfolder/ HTTP/1.1" 200
"GETorHEADorPUTorPOST /cmsmsfolder/?// HTTP/1.1" 403
"GETorHEADorPUTorPOST /cmsmsfolder/?* HTTP/1.1" 403

Remember the "small security guide".

Pierre M.

[Dr.CSS]

If this was an upgrade then they might have loaded something before the upgrade that allows them to get back in, you may want to delete all folders, except your images making sure nothing untoward is in Uploads etc., then reupload fresh set of folders/files, check config.php for bad entries...