I have a WordPress site that's been hacked twice now through sunrise.php and domain-mapping.php. There is a security exploit somewhere. Both times I've been hacked, I've had to clean up the top level directory of files placed by the hacker and update to a clean install of WordPress. I kept on trying to figure out why that wouldn't clear out the hack, then I replaced sunrise.php and domain-mapping.php and the hack disappeared.
Unfortunately, I overwrote the files without saving them down to look at them, but I know that that hack disappeared once I overwrote those files with new ones.
Someone needs to look into this asap. I'm not sure if it's an exploit in domain mapping or somewhere else, but that's what I've been experiencing, so it should be something that someone looks into for sure.