I found that the WP sites could have been hacked using the Magic Shell script. You can find more information here:
http://iboughtamac.com/2008/03/28/protecting-wordpress-from-magic-include-shell/
Note that the information to remove the exploit is not the same in this case. Uploading a clean version of wp-includes/vars.php does fix it.
While doing the research to solve this, I found two extra files that had a similar script included (eval() of base64_decode()). They had been uploaded to a subdirectory on wp-content/uploads/ and were fonction.php and wp-links.php.
Good luck,
Tomi
Something for IT
