Same problem here. I’ve had a dozen sites hacked, about half of them running on Textpattern (some updated to the latest version, but some not) and the other half on MODx (all of them updated). So it does not look like it’s a problem with a particular piece of software, but a server-wide issue.
The hack corrupts all php files and creates a .logs directory with a txt file inside listing a bunch of subdomains of rr.nu.
By now I’ve manually cleaned most of the sites, by deleting all corrupted files and uploading clean versions, and it seems to work (if you do not forget any “bad” file on the server; in that case, it corrupts everything again).
Right now I’m trying the script suggested by zildjian above in a MODx install. I would say it works all right, but the config file with the database connection has been wiped clean. After uploading a new one, everything seems to work (I still have to take a closer look).
The databases do not seem to have been tampered with, but after I finish cleaning I will change all the passwords for database users, just in case.
Should I be doing anything else, or will this be enough?
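
An added example, not part of the post above and not code from anyone in the thread: a Python sketch that checks a web root for the two things the post describes, a `.logs` directory whose text file lists rr.nu subdomains and PHP files that differ from a clean copy. The paths, function names and sample tree are constructed assumptions; the post does not say what the injected code looks like, so the check compares hashes against a known-good copy instead of matching a signature.

```python
import hashlib
import os
import re
import tempfile

# Hostnames under rr.nu, the domain the post reports in the .logs text file.
RRNU = re.compile(r"\b(?:[a-z0-9-]+\.)+rr\.nu\b", re.I)

def sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def audit(webroot, clean_root):
    """Return (.logs txt files naming rr.nu hosts, changed PHP, PHP absent from clean copy)."""
    logs_hits, changed, unexpected = [], [], []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot)
            if os.path.basename(dirpath) == ".logs" and name.endswith(".txt"):
                with open(full, errors="replace") as fh:
                    if RRNU.search(fh.read()):
                        logs_hits.append(rel)
            elif name.lower().endswith(".php"):
                ref = os.path.join(clean_root, rel)
                if not os.path.isfile(ref):
                    unexpected.append(rel)   # a leftover "bad" file, or site-specific
                elif sha256(full) != sha256(ref):
                    changed.append(rel)      # content differs from the clean upload
    return sorted(logs_hits), sorted(changed), sorted(unexpected)

def build_demo(base):
    """Constructed sample tree: a clean copy and a live copy with three planted findings."""
    files = {
        "clean/index.php": "<?php echo 'ok';",
        "live/index.php": "<?php /* constructed injected line */ echo 'ok';",
        "live/cache/x.php": "<?php // constructed leftover file",
        "live/.logs/list.txt": "a1.example.rr.nu\nb2.example.rr.nu\n",
    }
    for rel, body in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return os.path.join(base, "live"), os.path.join(base, "clean")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(*build_demo(tmp)))
```

A site's own configuration file will be reported as changed or unexpected because it is not part of the stock distribution, so review it by hand.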