Hacked – shell creating .htaccess files, redirecting to .RU sites

Unfortunately my last topic was closed within minutes of posting it, not allowing discussion or perhaps insight from someone who came across a similar bug.

Here it is

Recently I have been hacked. In miscellaneous folders, I have found .htaccess files with garbage that redirects to miscellaneous Russian sites. (Well, English spamvertisements for .ru)

Upon poking around, it seems that a bad wp-xml.php file is allowing it to act as a shell. However, I do not know what infected that.

My suspect is some bad plugin. Most of my plugins are from WPMUDEV, and other known sources like Modern Tribe, Gravity Forms, etc.

My themes are mostly from Themify, WPMUDEV (although most are old and outdated), and a few other paid sources. Very few free ones, and they've been checked by the Theme Auth Checker, and reviewed manually.

Any ideas on what I can do to help hunt it down? I'm running a cPanel/WHM LAMP type box.