I have just had 2 WordPress sites hacked by the addition of two files into the /wp-includes/js/tinymce folders and the insertion of HTML into the publicly facing files referencing those new files.
Here is the HTML found after the <body> tag:
The other site referenced this file:
These two files, drb-slider.js.php and jquery.rating.js.php are, of course, not part of the TinyMCE package that comes with WordPress, yet these files were inserted nonetheless in the attack. They contain rather nasty looking scripts that reference content on the IP address listed in this Norton warning:
Has anyone encountered this intrusion before? How would one go about preventing this from happening again?