
PHP ini setting for file permission changes?

         

too much information

8:29 pm on Sep 4, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I had someone find a way into my server and change all of my files to read-only (444), along with some other really annoying things, and it is such a pain in the *** to have to switch permissions back just to deal with the problems.

Is there a setting in the php.ini file that will make it so that file permissions cannot be changed by a script?

eelixduppy

8:31 pm on Sep 4, 2008 (gmt 0)



You can disable the function chmod in php.ini, but you'll also have to deal with being able to do it with the shell.
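Added example, not part of the original reply: a PHP script that checks a `disable_functions` value against both halves of the answer above, the functions that change permissions directly and the functions that can run a shell command. The function lists and the sample value are assumptions chosen for illustration.

```php
<?php
// Added example: report which permission-changing and shell-execution
// functions are NOT listed in a disable_functions value.

// Functions that change file mode or ownership directly from PHP.
const PERMISSION_FUNCS = ['chmod', 'chown', 'chgrp', 'lchown', 'lchgrp'];
// Functions that run external commands, and so can run the chmod binary.
// Disabling shell_exec also disables the backtick operator.
const SHELL_FUNCS = ['exec', 'shell_exec', 'system', 'passthru',
                     'popen', 'proc_open', 'pcntl_exec'];

// Split the comma-separated ini value into lowercase function names.
function parse_disabled(string $iniValue): array
{
    $names = array_map('trim', explode(',', strtolower($iniValue)));
    return array_values(array_filter($names, 'strlen'));
}

// Return the candidates that the ini value does not disable.
function not_disabled(array $disabled, array $candidates): array
{
    return array_values(array_diff($candidates, $disabled));
}

function audit(string $iniValue): array
{
    $disabled = parse_disabled($iniValue);
    return [
        'permission' => not_disabled($disabled, PERMISSION_FUNCS),
        'shell'      => not_disabled($disabled, SHELL_FUNCS),
    ];
}

// First entry is a constructed sample (only chmod disabled);
// the second reads the configuration this script is running under.
$samples = [
    'chmod only (constructed sample)' => 'chmod',
    'live configuration'              => (string) ini_get('disable_functions'),
];
foreach ($samples as $label => $value) {
    $r = audit($value);
    printf("%s\n  permission functions not disabled: %s\n  shell functions not disabled: %s\n",
        $label,
        implode(', ', $r['permission']) ?: 'none',
        implode(', ', $r['shell']) ?: 'none');
}
```

`disable_functions` is read only from php.ini; it cannot be changed with `ini_set()` at run time.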

too much information

8:54 pm on Sep 4, 2008 (gmt 0)




Well, I'm still trying to see exactly how they got into the site. I'm thinking it had to do with an old WordPress install as far as I've been able to tell, but they were smart enough to kill my personal logging so I had no record of IPs or page hits.

So I think I can deal with just blocking in the php.ini for now. Thanks for the info.

On the interesting side of this whole experience, they generated over 80,000 hits to my homepage between 10am and noon. You think someone who could generate that kind of traffic in such a short period could make some good money running a legit site. Unfortunately, I'm not able to see how they generated the traffic as of yet.

henry0

8:55 pm on Sep 4, 2008 (gmt 0)




You have another problem at hand:
"File ownership"
Why did that person gain access?
The answer is in "setting permissions in apache".
G for the above exact sentence between the " "
and open the first link.
Very good info about file permissions.

too much information

3:38 am on Sep 5, 2008 (gmt 0)




I found some query string injections into WordPress that reset my password and let them into the system. From there I think they were able to take WordPress apart and gain access to the server.

It was an older version of WordPress, so I hope this problem is solved for 2.6+ or I'm in trouble because the same type of attacks are making their way to my other sites.