Yes, I have noticed that, but it’s important to point out that the ro8kfbsmag issue is NOT really a “WordPress” issue, IMHO. What I mean by that is that once ro8kfbsmag has found its way onto your server, it doesn’t need to rely on a vulnerability in WordPress or any other script to do its evil.
Granted, it may have found its way onto the server in the first place via an out-of-date/exploitable WordPress installation (which is what happened to my “webdesigner” client!), but its very nature as a PHP-shell means that the hacker has (or certainly could have) accessed your MySQL host, user, and password details which are readily visible once “in” to the file system of an unhardened WordPress installation.
Add to this other applications’ files that may be accessible to that program (like Joomla! configuration files, etc.), and you have a real problem.
I have not yet seen an “exploited” WP site running 2.5.1 that I am sure had not previously been exploited before “upgrading”, and I suspect that ro8kfbsmag.txt might still be at play. From looking at the general level of knowledge and understanding of such things evidenced by many on the WP forums, I suspect many of those reports of a “hacked” 2.5.1 are really the result of just installing the upgraded/new version 2.5.1 site without:
- successfully purging the culprit in the first place
- changing the MySQL and WP users/passwords (which you have to assume the hacker now has)
- changing the shell/ftp users’ passwords (as far too many people foolishly use the same credentials for shell, ftp, MySQL, and WP itself).
Without all of those steps being taken, it doesn’t really make any difference whether you upgrade to 2.5.1 or whatever - you will remain vulnerable, and the hacker will just hack your “new” installation with the tool he left behind or your own credentials, which he now has.
Just one example of this type of a “recursive hack” is when you did successfully purge the ro8kfbsmag shell code, but you didn’t change the passwords - the hacker can just revisit your site and use your unchanged credentials to access WP, your shell/ftp account, and/or your database, and upload his payload again … and so on. This sucketh!
Edited to supply a resource:
This link is to a “must read” article on ro8kfbsmag.txt and for those interested in securing WordPress.
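
A cleanup check for the steps listed in the post above, as an added example that is not part of the original post: it walks a web root and reports files named like ro8kfbsmag, `wp-config.php` files readable by other accounts, and installs that share one database password. The function names, finding labels, prefix match and sample tree are assumptions made for this illustration.

```python
import os
import re
import stat
import tempfile
from collections import defaultdict

SHELL_PREFIX = "ro8kfbsmag"   # file name taken from the post; prefix match is an assumption
DB_PASS_RE = re.compile(r"""define\(\s*['"]DB_PASSWORD['"]\s*,\s*['"]([^'"]*)['"]""")

def audit_webroot(root):
    """Return sorted (finding, relative_path) tuples for a web root."""
    findings, by_password = [], defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.lower().startswith(SHELL_PREFIX):
                findings.append(("leftover_shell", rel))
            if name == "wp-config.php":
                # Readable by "other" means any local account can read the DB login.
                if os.stat(path).st_mode & stat.S_IROTH:
                    findings.append(("config_world_readable", rel))
                with open(path, errors="replace") as fh:
                    m = DB_PASS_RE.search(fh.read())
                if m:
                    by_password[m.group(1)].append(rel)
    # One password shared by several installs: a single leaked config exposes all.
    for paths in by_password.values():
        if len(paths) > 1:
            findings.extend(("db_password_reused", p) for p in paths)
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree: two installs, one still holding the leftover file."""
    for site, mode in (("blog", 0o644), ("shop", 0o600)):
        os.makedirs(os.path.join(root, site, "wp-content"))
        cfg = os.path.join(root, site, "wp-config.php")
        with open(cfg, "w") as fh:
            fh.write("<?php\ndefine('DB_PASSWORD', 'constructed-example');\n")
        os.chmod(cfg, mode)
    open(os.path.join(root, "blog", "wp-content", "ro8kfbsmag.txt"), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding, rel in audit_webroot(tmp):
            print(f"{finding:24} {rel}")
```

An empty result only covers these three checks; it does not show that the passwords were changed after the compromise.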