I can’t say for sure, but I think it’s some sort of a TinyMCE exploit. However, the hackers seem to be targeting WordPress sites only. The WP blog that got infected on my server didn’t have TinyMCE anywhere in the front end, so there must be some WordPress weakness that allows the hackers to access TinyMCE and use its exploit…
Many people have been affected by this hack in September 2011, including me – my whole hosting account was infected.
You can read the full info from my investigation in my blog: http://www.marinbezhanov.com/web-development/6/malware-alert-september-2011-sshell-v.1.0/
Also, these guys have been kind enough to create a script that cleans up your installation files from the malicious code: http://www.php-beginners.com/solve-wordpress-malware-script-attack-fix.html