A friend runs tdomf and their wordpress site was just hacked with all content replaced. After a bit of tracking down I found the source which was a php file that somehow got uploaded from what appears to be tdomf plugin.
I found the file in this directory:
.admin.php and cmd.php
WordPress labes uploads and puts them in a folder based on the module that was the source. So this appears to be the valid source
I'm not sure if maintainers know about this but it looks like there is a major vulnerability in the module using some method of upload. I spent the past 4 hours trying to get things back up.