Matt W: I’m sorry that your site has potentially been compromised. We understand the frustration this causes and want you to rest assured that we are going to do everything within our capacity to help you out.
Matt W: By design, compromises are normally attributed to insecure permissions and/or application level security vulnerabilities. The goal of our “Security Team” is to identify a few ways that your site may have become vulnerable and offer you a best practice approach for you to apply to your application to remedy the issue.
Matt W: We recommend that you immediately take the following steps if you believe your website has been compromised:
Matt W: 1. Change all passwords (please make sure you are using strong passwords)
Matt W: 2. Backup the compromised data modify your directory and file permissions to ensure these exposures are corrected. If you need assistance setting your file and directory permissions, please do not hesitate to contact our Support Teams for assistance.
Matt W: 3. Identify what has been compromised
Matt W: 4. Find the vulnerability
Matt W: 5. Restore your content from a known, trusted backup source
Matt W: 6. Preventative/Counter Measures
Matt W: Please visit the following page to obtain more detail on these steps:
Matt W: http://cloudsites.rackspacecloud.com/index.php/Recovering_from_and_Dealing_with_a_Site_Compromise
Julian: so what can you do to help
Julian: I have taken those measures already
Julian: since we do not have shell access I cant do any sys admin type stuff
Julian: through FTP
Julian: can’t tail trace or grep
Julian: ?
Matt W: Generally you can copy the compromised data, restore to a clean copy, and trace the compromised files locally to find the vulnerabilities. Another option is to use cron to run a scripted commands.
Julian: I just replaced ALL the wordpress files with a fresh copy of the sofware and the problem STILL persists
Julian: from my research a lot of your customers have been hit with this issue
Julian: what level of support are you?
Matt W: We are responsible for the security of the servers, however the security of your website and it’s contents is something that you are reliable for. As I stated, we can certainly assist you in determining what may be causing your site to continue getting hacked. However this is something that will take some time and investigation.

Mind you it has been noted that this issue had been as a result of an insecure version of phpmyadmin running on their servers, so how is it our fault in the first place that our customer sites get hacked?
As noted here or here or here

I left the chat frustrated and disappointed. In the end a complete move away from the Rackspace Cloud was recommended to the client, and a VPS solution was recommended in its place for a fraction of the cost of a Rackspace account,  and with a lot more features and control. A big thumbs down for Rackspace and their “Fanatical” support claim they tout everywhere is just a marketing gimmick that just could not be further away from reality.

**UPDATE

After painfully manually looking at every singe file and line of code I discovered the following php include being called from within the ‘main.php’ file of the installed theme.

Looking at menu.is you guessed it, it was executing some nasty binary code.

NOTE: If you are being hit with this cloaking hack first thing I would recommend you do is disable XML-RPC publishing. Then scan your header.php file for anything that should not be there. Usually at the very top of the code.

For those with no shell access (like the fore mentioned) you have to download ALL of your remote files locally (P.I.T.A.) and scan them locally.

Time Lapse Charcoal Drawing from Julian S. on Vimeo.

Time lapse charcoal drawing.