I found a file in my theme, no-tp.php, that's a Russian hacker file. It was created October 13th, which should have been before the recent 2.3.1 bug fix.
Before I submit this as a problem, I'm trying to filter out whether others have had this same hack, or if I'm the only one and the problem is because of my own extensions.
Has anyone else found a file called no-tp.php in their theme directory? Anyone else recognize the file name? This was a rename of the infamous r57shell.php file.
The theme directory is not world writable. None of my WP subdirectories are. However, user was nobody, so it most likely came through via a PHP application, most likely WP.