I am relatively new to WP, installing what was most current version in late March and updated during summer to 2.8.1 or 2.8.2 . Late last week I logged into the admin panel to enter a new post and I noticed this string of characters appearing in the permalinks.
Thankfully I didn't post and contacted my host. While waiting for a reply I discovered a new administrator had appeared. When I tried to click on the new admin, the entire entry disappeared. So I logged into my control panel and deleted this user from the database. I also noticed another user in the database who had a "user activation key" like I do and deleted that user.
Then I checked the permalinks settings and discovered the option had been changed to a custom setting that included the above string of malicious code. I deleted the code string and reset the permalinks to my original choice.
My host replied that things had been checked from their server side and all looked well, and then pointed me to an article on a site, indicating this incident was likely related to the recently discovered WP security issue.
Yes, lesson learned about using the most recent WP version because I upgraded either before deleting the unknown admin/user or afterwards.
Everything did indeed seem fine when I made 2 new posts. Then I realized the posts were attributed to another user with admin status that I did add. I checked the "post author" drop down menu and my name does not appear in it. Neither does my name appear in the "page author" drop down menu though I swore it did yesterday and this morning. I suppose if it did then and not now that my site is still open to the hacker.
Your help on how to fix this as well as general advice will be welcomed by this newbie.