Thread Starter
ravage
(@ravage)
I have been fighting this for about a year on installs at work. I traced it back to an occurrence in 2008 on one of the sites. A false user had been injected into the database. But the real source of the constant re-infection seemed to be… “Hello Dolly”, even though the plugin was inactive. Once I found the code inside of it and removed it, the attacks stopped (fingers crossed). It has been 2 months since I had to remove the crap from my indexes, headers, and footers, so I hope that was it.
I did, of course, remove the hidden user, but I did get hit again after that. I had to comb through basically every .php file to find it.
Of course it’s possible that this exploit wears many masks, but if it happens, check your Hello Dolly. Since it’s in every install, it’s a really good target.