Wordpress hacked. Disabled hacked site but bad traffic continues [closed]

Posted by tetranz on Server Fault See other posts from Server Fault or by tetranz
Published on 2012-09-22T02:10:00Z Indexed on 2012/09/22 3:39 UTC


Possible Duplicate:
My server's been hacked EMERGENCY

My Ubuntu 10.04 LTS VPS has been hacked, probably via a WordPress site.

I was alerted to it when I noticed the incoming traffic was unusually high.

A WordPress site was littered with eval(base64_decode(...)) code in lots of files. My fault, I had some files writable by www-data which shouldn't have been.

I've disabled that site (a2dissite ... and restart Apache). This has reduced it but I am still getting some malware type traffic.

My server runs several WordPress and Drupal sites and a home-grown PHP site.

I have captured traffic with tcpdump and looked at it in Wireshark. It's reaching out to the login page of some Joomla sites, trying multiple logins.

The traffic stops when I stop Apache.

If I a2dissite every site and reload (not restart) Apache the traffic continues. At that point I have no virtual hosts running and no DocumentRoot in my apache2.conf so I don't know how Apache is still running something.

I have searched the other sites with grep for likely looking php code with no success.

I may have missed it but I haven't found anything suspicious in the Apache logs.

I have mod_status running. I haven't really seen anything much there except that someone is still trying to do a POST to the theme page on the disabled WordPress site but they now get a 404.

What should I be looking for? Are there any tools or whatever which would give me more info about how Apache is generating that traffic?

Thanks
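Added triage helpers, not from the post or any answer to it, for exactly this situation: a reload does not kill Apache workers that are already looping inside injected code, so the lead is the PID that owns the outbound sockets. The script assumes net-tools `netstat -tnp` is installed and that it runs as root (otherwise PIDs of www-data sockets show as `-`); the netstat output embedded below is a constructed sample.

```shell
#!/bin/sh
# Added triage helpers for "Apache still talks after a2dissite + reload".
# Assumption (not from the post): net-tools `netstat -tnp` is available and
# the script runs as root so PIDs of www-data sockets are visible.

# Constructed sample of `netstat -tnp` output, for the demo at the bottom.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address  Foreign Address   State       PID/Program name
tcp        0      0 10.0.0.5:43210 198.51.100.7:80   ESTABLISHED 12345/apache2
tcp        0      0 10.0.0.5:43211 198.51.100.8:443  ESTABLISHED 12345/apache2
tcp        0      0 10.0.0.5:22    203.0.113.9:51000 ESTABLISHED 900/sshd
tcp        0      0 10.0.0.5:43212 198.51.100.7:80   TIME_WAIT   -'

# Read `netstat -tnp` on stdin; print the unique PID/program that owns each
# ESTABLISHED connection to a remote port 80 or 443. A reload does not
# kill workers already looping in injected code, so this PID is the lead.
outbound_owners() {
    awk '$6 == "ESTABLISHED" {
            n = split($5, r, ":"); rport = r[n]
            if ((rport == 80 || rport == 443) && $7 != "-") print $7
        }' | sort -u
}

# Show user, working directory and command line of one PID/program entry
# (reads /proc; the cwd usually lands in the compromised DocumentRoot).
describe_pid() {
    pid=${1%%/*}
    [ -d "/proc/$pid" ] || { echo "$pid: no such process"; return 0; }
    printf '%s user=%s cwd=%s cmd=%s\n' "$pid" \
        "$(stat -c %U "/proc/$pid")" \
        "$(readlink "/proc/$pid/cwd")" \
        "$(tr '\0' ' ' < "/proc/$pid/cmdline")"
}

# List PHP files under $1 that carry the eval(base64_decode( marker the
# post describes (fixed-string match, so the parentheses are literal).
find_injected() {
    grep -rlF --include='*.php' 'eval(base64_decode(' "$1" 2>/dev/null
}

# List files under $1 the web server could modify: owned by www-data or
# world-writable. These are the permission mistake the post names.
find_writable_by_web() {
    find "$1" -type f \( -user www-data -o -perm -002 \) 2>/dev/null
}

# Demo on the constructed sample; live use: netstat -tnp | outbound_owners
printf '%s\n' "$SAMPLE_NETSTAT" | outbound_owners
```

Live use is `netstat -tnp | outbound_owners | while read p; do describe_pid "$p"; done`, then `find_injected` and `find_writable_by_web` on each site's DocumentRoot; killing the listed PIDs only stops the current loop, the injected files and the permissions are what keep it coming back.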
