I have two WordPress blogs which are under virtual subdomains on the same domain:
(both are in Finnish)
The content that the script writes over can be the blog home page, an individual post or page, and sometimes even a CSS style sheet. The script is not always the same, but looks somewhat like this:
It doesn't show up every time. Sometimes I have to browse around for a while before I can see it.
For two more examples (first one is the same as above), see:
What I have already done:
I replaced all the core files in both blogs with brand new ones from a new WordPress download (it was version 2.8.4 already when hacked).
I examined my template files and didn't find anything suspicious.
I removed all plugins that I don't use.
I uploaded plugins Antivirus, WordPress Exploit Scanner and WP Security Scan to see if they find something. I corrected one chmod proposed by WP Security Scan (wp-admin/index.php to chmod 644). It also said "The file .htaccess does not exist in wp-admin/." Should I have one there?
Exploit Scanner found some suspicious "String.fromCharCode" and "shell_exec" from several files but those seem to exist in clean WordPress files too.
I have contacted my webhost (I am on shared hosting) and sent them basically the same info. No reply yet.
I have changed all the passwords (they were randomly generated before and they are still randomly generated).
I am the only one who has admin rights to the blogs and for the last few months I have accessed them only from my own computer which runs Ubuntu. The other blog has one co-blogger but he has only editor rights.
Any ideas how to proceed and get rid of the code?
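
One way to narrow down the Exploit Scanner hits described in the post, as an added example that is not part of the original post: compare the installed tree against a freshly downloaded WordPress copy of the same version, and look for the reported strings only in files that differ from it or are missing from it. The function names and the two sample trees are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Strings the post says Exploit Scanner reported; clean core files contain them too.
PATTERNS = (b"String.fromCharCode", b"shell_exec")

def tree_hashes(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out

def triage(installed, clean):
    """Return (modified, extra, flagged) for installed relative to the clean copy."""
    inst, ref = tree_hashes(installed), tree_hashes(clean)
    modified = sorted(p for p in inst if p in ref and inst[p] != ref[p])
    extra = sorted(p for p in inst if p not in ref)
    flagged = []
    # Pattern-match only files that are not byte-identical to the clean release.
    for rel in modified + extra:
        with open(os.path.join(installed, rel), "rb") as fh:
            data = fh.read()
        if any(pat in data for pat in PATTERNS):
            flagged.append(rel)
    return modified, extra, sorted(flagged)

def demo():
    """Build two small constructed trees (not real WordPress files) and triage them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, inst = os.path.join(tmp, "clean"), os.path.join(tmp, "inst")
        core = {"wp-includes/a.js": b"x = String.fromCharCode(65);",
                "index.php": b"<?php // constructed core file"}
        site = {**core, "index.php": core["index.php"] + b" String.fromCharCode(1)",
                "wp-content/uploads/c.php": b"<?php shell_exec($c); // constructed",
                "wp-content/themes/t/style.css": b"body{}"}
        for root, files in ((clean, core), (inst, site)):
            for rel, data in files.items():
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(data)
        return triage(inst, clean)

if __name__ == "__main__":
    print(demo())
```

The "extra" list will always include themes, plugins, uploads and wp-config.php, since those are not part of the core download; they still need to be reviewed by hand or compared against their own clean copies.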