Actually got to do a fun forensic this morning:
some poor fuckers WP (you guessed!) site was a redwall of shame this morning, compromised by this lovely flaw:
https://blog.sucuri.net/2014/09/slider- ... oited.html
which leads to some crap being injected into every .js file.
Solution?
Restore from backups, happily this guy has backups.
oh change the mysql password too, as they have already read the conf.
If you have a site, anywhere that you care a little about, backup the fuck out of it!
For luck this site (the whole / with a few --excludes actually) is backed up daily (including mysqldumps pulled at midnight) that whole backup is then off-sited to my RPi, daily.