Re: [northernpenguin] Builder Vulnerability
Hi northernpenguin,
The entry point was likely an old wordpress install or the recent exploit that affects PHP in CGI mode.
See the following:
http://www.php.net/archive/2012.php#id2012-05-06-1
http://www.interactivetools.com/docs/cmsbuilder/how_to_restore_hacked_sites.html
To check if your PHP is running in CGI mode go to: Admin > General Settings > Server Info (header bar) > phpinfo -or- just use this direct link: admin.php?menu=admin&action=phpinfo and then see if "Server API" says CGI
Next, if you're comfortable with the linux command-line, you can try and grep those two IPs to see what other files they've accessed or what the entry point was.
Let me know what you find out or if we can help.
Dave Edis - Senior Developer
interactivetools.com