I too have been hit by this. I'm running a Windows Server box with IIS. I am using a child theme of Twenty Fourteen, so I am thinking: hey, what plugins could possibly be using this rev slider stuff?
But I don't think it is in this list (correct me if I am wrong):
Akismet
All In One WP Security
Ban Hammer
Custom Login
Custom Meta Widget
Hello Dolly
Jigoshop
Redirect To Homepage
Responsive Lightbox
Wolf jPlayer
WordPress HTTPS
WP-Mail-SMTP
WP Hide Dashboard
Here are some of my log files.
GET /wp-login.php - 80 - (Offending IP) Mozilla/5.0+(Windows+NT+6.1;+rv:37.0)+Gecko/20100101+Firefox/37.0 200 0 0 1171
GET /wp-admin/admin-ajax.php - 80 - (Offending IP) Mozilla/5.0+(Windows+NT+6.1;+rv:37.0)+Gecko/20100101+Firefox/37.0 200 0 0 890
POST /wp-admin/admin-ajax.php - 80 - (Offending IP) Mozilla/5.0+(Windows+NT+6.1;+rv:37.0)+Gecko/20100101+Firefox/37.0 200 0 0 1968
GET /wp-content/plugins/revslider/temp/update_extract/revslider/info.php - 80 - (Offending IP) Mozilla/5.0+(Windows+NT+6.1;+rv:37.0)+Gecko/20100101+Firefox/37.0 404 0 0 1031
POST / - 80 - (Offending IP) Mozilla/5.0+(Windows+NT+6.1;+rv:37.0)+Gecko/20100101+Firefox/37.0 200 0 0 812
POST / - 80 - (Offending IP) Mozilla/5.0+(Windows+NT+6.1;+rv:37.0)+Gecko/20100101+Firefox/37.0 200 0 0 796
GET /wp-admin/includes/uploader.php - 80 - (Offending IP) Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) 404 0 2 359
Lots of this, scanning for stuff. They get something here and run with it. I've seen revslider referenced here in my logs, and yet I am not sure if it is in my WordPress dir or not. I have seen a 200 with an upload request, hence my infections, so I shut everything down.
GET /wp-admin/admin-ajax.php action=nm_webcontact_upload_file 80 - (Offending IP) Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:26.0)+Gecko/20100101+Firefox/26.0 404 0 2 2109
Even with a 404 I had infections. Microsoft Security Essentials caught it. I have shut down my sites in the meantime.
More log stuff:
GET /wp-admin/admin-ajax.php action=nm_webcontact_upload_file 80 - Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:26.0)+Gecko/20100101+Firefox/26.0 404 0 2 2109
GET /wp-login.php - 80 - Mozilla/5.0+(Windows+NT+6.1;+rv:37.0)+Gecko/20100101+Firefox/37.0 404 0 2 343
GET / - 80 - Mozilla/5.0+(Windows+NT+6.1;+rv:37.0)+Gecko/20100101+Firefox/37.0 200 0 0 343
GET /wp-admin/includes/uploader.php - 80 - Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) 404 0 2 359
But more like this before infection:
GET /wp-admin/admin-ajax.php action=revslider_show_image&img=../wp-config.php 80 - Mozilla/5.0+(Windows+NT+5.2;+rv:2.0.1) 403 4 5 187
Always infected after admin-ajax.php and anything following.
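
An added example, not part of the original post: a Python triage pass that flags the request patterns visible in the excerpts above and reports the status IIS returned for each. It assumes lines laid out like the excerpts (starting at the method field); the sample lines, the 203.0.113.7 address and the rule labels are constructed for this example.

```python
import re
from urllib.parse import parse_qs

# Request patterns taken from the log excerpts in the post; labels are this example's own.
STEM_RULES = [
    (re.compile(r"/revslider/temp/update_extract/", re.I), "revslider extracted-file probe"),
    (re.compile(r"/wp-admin/includes/uploader\.php$", re.I), "uploader.php probe"),
]
ACTION_RULES = {
    "revslider_show_image": "revslider file-read request",
    "nm_webcontact_upload_file": "contact-form upload request",
}

def parse_line(line):
    """Parse: method stem query port user [client-ip] user-agent status substatus win32 time."""
    parts = line.split()
    if len(parts) < 10 or not parts[-4].isdigit():
        return None
    return {"method": parts[0], "stem": parts[1], "query": parts[2], "status": int(parts[-4])}

def classify(entry):
    """Return the finding labels for one parsed entry (empty list if nothing matched)."""
    findings = [label for rx, label in STEM_RULES if rx.search(entry["stem"])]
    if entry["stem"].lower().endswith("/wp-admin/admin-ajax.php"):
        params = parse_qs(entry["query"]) if entry["query"] != "-" else {}
        findings += [ACTION_RULES[a] for a in params.get("action", []) if a in ACTION_RULES]
        img = " ".join(params.get("img", []))
        if ".." in img or "wp-config" in img.lower():
            findings.append("path traversal in img parameter")
        # IIS does not log POST bodies, so a served POST can only be flagged for review.
        if entry["method"] == "POST" and 200 <= entry["status"] < 300:
            findings.append("served POST to admin-ajax.php (body not logged)")
    return findings

def triage(lines):
    """Return (status, method, stem, findings) for every line that matches a rule."""
    entries = filter(None, map(parse_line, lines))
    return [(e["status"], e["method"], e["stem"], f) for e in entries if (f := classify(e))]

# Constructed sample lines modelled on the post (203.0.113.7 is a documentation address).
UA = "Mozilla/5.0+(Windows+NT+6.1;+rv:37.0)+Gecko/20100101+Firefox/37.0"
SAMPLE = [
    f"GET /wp-login.php - 80 - 203.0.113.7 {UA} 200 0 0 1171",
    f"POST /wp-admin/admin-ajax.php - 80 - 203.0.113.7 {UA} 200 0 0 1968",
    f"GET /wp-content/plugins/revslider/temp/update_extract/revslider/info.php - 80 - 203.0.113.7 {UA} 404 0 0 1031",
    f"GET /wp-admin/admin-ajax.php action=revslider_show_image&img=../wp-config.php 80 - {UA} 403 4 5 187",
]
```

Calling `triage(SAMPLE)` returns three hits; pass it the lines of a real log file to get the same tuples, sorted or grouped by status as needed.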