We recently installed a clients Wordpress website on our web server. It wasn't up to date with it's security patches and consequently it left the backdoor open on our server .. wahooo! The exploit creates a file named Thumbs.db in each document root that contains php code ready for some foul play. Naming the files as Thumbs.db is a rather sneaky tactic as it's a standard windows file and can easily go undetected as a threat.