It is not a Drupal or WP security problem. We run a server only with custom CMSs and this morning in almost all index.php files the same code was added. The attacker (I guess it was automated, because it happened very quickly) logged in FTP, downloaded the index.php file and uploaded the “patched” one. And this was repeated very quickly for all the sites from the server.
We suspect that there is a virus/trojan that infects Win machines and collect saved FTP passwords. I have no other explanation so far. Check your FTP logs and see if there are suspicious FTP logins. Also, change the FTP passwords ASAP.
You can also try to search in Google for parts of this code. When I first searched – there was only 1 match – this thread. Now there are several pages of infected web-sites.
BR
