As a footnote, for another package and a different attack, one suggestion posted on their forum was to add the following to your php.ini file:
allow_url_fopen=Off
allow_url_include=Off
disable_functions=popen,passthru,escapeshellarg,escapeshellcmd,exec,passthru,proc_close,proc_get_status,proc_nice,proc_open, proc_terminate,shell_exec,system,blob,exec,escapeshellarg,pfsockopen,stream_get_transports,stream_set_blockingIf you could discover the IP of the attacker, you could use the deny command in .htaccess like this (just IP samples):
order allow,deny
deny from 174.143.11.
deny from 91.123.195.
deny from 99.251.104
allow from allCheck your logs for recent visitors - the log should show what files were accessed and the IP. If it happened a few days ago, unless you archive your logs, you won't see anything more than a day or so old. You can download the logs, then add a .txt extension to open them.