My customers site - http://lookingcloser.org. Continues to get hacked. Each time two files show up in wp-includes or wp-admin called stat and uploads (no extension on either). Somehow facebook and google pick up the code in these files as the cached code for the site. These files contain code that points to pharmaceutical sites, so that is what people see on facebook and google.
We've deleted the files 3 different times, but they always come back after a few weeks. Is there a hole we need to plug?