My 2 sites are hacked. both in almost same way. my .htaccess is rewritten. and some fishy code is written in corn.php, install.php, update.php,authorize.php. Also a file wp-config.php,
All JS file in the all/modules were also written document.write(<iframe src=....)
does nay one has any clue.