• Hi there. I look after a site for a friend of mine and it seems to have been hacked.

    At the foot of her pages there is a script under the end html tag. This script attempts, and often succeeds, to send the user off to a Russian website that attempts to load some kind of PDF. The URL ends in getfile.php?f=vispdf

    At first I thought maybe it was some dodgy plugin, she only has a few but she had a number inactive. So I went ahead and deleted all the inactive plugins then reinstalled all her other plugins, regardless of if they were actually showing as up-to-date.

    The code remained.

    I reinstalled wordpress.

    The code remained.

    At this point I called Midphase and spoke to someone who sounded like they hated life. They said because the wordpress install was not done through their control panel it was unsupported, goodbye.

    I deleted wordpress

    I deleted her database and mysql user.

    I reinstalled wordpress using their one touch control panel, then reinstalled the theme (Dilectio) then the three or 4 plugins, then I manually reposted the 4 posts she had written.

    Problem solved!

    Until today. The script is back, the site sometimes attempts to send you to Russia and I am completely confused.

    I have called Midphase again and this time I strongly suggested that while I am not Matt Mullenweg I think that maybe the problem is with their stuff and not mine. They said they would look at it, but I’m not sure I’m convinced they’ll be too hurried about it.

    Is anyone else experiencing malicious scripts being injected into their blogs? Is this a wordpress vulnerability or a Midphase vulnerability?

    It’s worth noting my manual install of wordpress was bang up to date. Their one touch install is wordpress 2.6.1.

    (The site in question is rachelhanley.com. Though please beware of whatever it’s trying to load if you’re using a PeeCee.)
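
The symptom described in the post above (a script sitting after the closing html tag) can be checked for mechanically. The following is an added example, not part of the original post or of WordPress: the function names, the sample pages and the `redirector.example` host are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from pathlib import Path

CLOSE_HTML = re.compile(r"</html\s*>", re.IGNORECASE)

class _TagCollector(HTMLParser):
    """Records <script>/<iframe> start tags and their src attribute."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            self.found.append((tag, dict(attrs).get("src")))

def trailing_injection(page):
    """Return (tag, src) pairs that appear after the last </html>.

    A legitimate page has nothing but whitespace there, so any hit
    is worth investigating. src is None for an inline script.
    """
    closes = list(CLOSE_HTML.finditer(page))
    if not closes:
        return []  # fragment or PHP include without </html>: not covered
    collector = _TagCollector()
    collector.feed(page[closes[-1].end():])
    collector.close()
    return collector.found

def scan_tree(root):
    """Scan .php/.html/.htm files under root (e.g. wp-content/themes)."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".php", ".html", ".htm"):
            found = trailing_injection(path.read_text(errors="replace"))
            if found:
                hits[str(path)] = found
    return hits

# Constructed sample pages (not captured from the affected site).
CLEAN = "<html><body><p>Hello</p></body></html>\n"
INFECTED = (CLEAN +
    '<script src="http://redirector.example/getfile.php?f=vispdf"></script>\n')

if __name__ == "__main__":
    print(trailing_injection(CLEAN))     # nothing after </html>
    print(trailing_injection(INFECTED))  # the appended script and its src
```

Run `trailing_injection` on the HTML the server actually returns as well as `scan_tree` on the files on disk: if the served page is flagged but no file is, the script is being added somewhere other than the theme or plugin files.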

Viewing 2 replies - 1 through 2 (of 2 total)
  • I’ve experienced this problem also.
    (Note: I’m using a different server to Midphase – MDWebHosting in Australia)

    In my case the source appears to be http://reddii.ru (as indicated in the download approval dialogue box in Firefox)

    I’m also seeking a solution to this problem

    David Berghouse
    Author: Today’s Creators

    I had a similar problem with redirects by malware. I called my webhosting provider and talked to a tech rep that told me this stuff is being passed along by search engines when a link is clicked. Check the last post in the link below. This describes the steps I took (at my webhost’s direction) and successfully removed the malware. P.S. Mine was the Russians also. I need to thank them for a couple of weeks of frustration. Good luck!

    http://wordpress.org/support/topic/217700?replies=15

  • The topic ‘Russian invastion! My site got hacked’ is closed to new replies.