This server only runs wordpress blogs and somehow a script is placed at the bottom of my index page on a number of these blogs.
If you hit the site the script tries to pull a pdf file from a chinese site. The actual call is mirain.cn/sv/pdf.php?f=all.
I think, but I haven’t completely confirmed this, that only sites that I have ftp-ed to in the last little while are infected.
However, my main DreamHost user has close to 100 sites on it. So, if it gained access to one, it has access to all.
The frustrating thing is that I have removed the script off a couple of my sites, but the virus always comes back. So, obviously, the virus is calling the script somewhere else on the server.
Any help or suggestions would be greatly appreciated.