I have found where in my logs that they have been gaining access. Sadly and I think perhaps its confusing because it took a couple of scans to clear everything away.
GET /wp-admin/admin-ajax.php action=revslider_show_image&img=../wp-config.php 80 - ( IP ) Mozilla/5.0+(Windows+NT+6.1;+rv:34.0)+Gecko/20100101+Firefox/34.0 200 0 0 1062 ( always starts with this to gain access to the wp-config.php file )
But hey once compromised I have no idea how far they gained access to my server and whether or not my database has been messed with. It is not really helpful to just come along and say something is not possible, you can't say for certain how they are getting in or what they are doing once they are there. I saw 404 errors with attempts and re-infections, I shut it down at that point. I also don't feel IIS logs things very well, I have personally seen things not logged fully so it is most likely there were 200 codes that never made it to the log? Something for which I need to address on the server side of things.
But it still remains unanswered for me. I don't think I have the revslider plugin in any of my files. I'm using my own child theme, so if anyone can point out what plugin may have it I am all ears and I am sure the original thread owner would like to know as well what exactly is vulnerable here. I am thinking I have to sanitize my sites with fresh wordpress files and plugins and get a clean database with new passwords. Then go about check listing and hardening everything. Not something I am looking forward to.