Sunday, May 20, 2012

Rarst on “iFrame Hack on Several WP Sites”

Got hit by a similar iframe attack today.

Damage:
1. Got iframe inserts in root index.php (possibly more; I quickly overwrote it with a clean WP install)

2. Got a hidden and very obscured PHP backdoor in the WP plugins dir, in a "blog" sub-dir. Check for this, people! I would've missed it if I hadn't been very thorough and checked everything a few times - it didn't show up in installed plugins.

What I can say about the method:
1. There was no FTP involved; the FTP log is absolutely clean as far as it goes.
2. I don't believe my home PC was compromised (confident me).
3. I found the actual intrusion in the access log. How it went (as far as I can tell):
- the hacker came from an online service that looks for sites on the same server (now I am worried about the server having a hole)
- the blog home page loaded
- wp-login seems to have been typed by hand, and suddenly he is in admin
- he manually uploads and activates the backdoor plugin
- briefly checks the plugin a few hours later from another IP

Log fragment for those who want to take a look:
http://dl.getdropbox.com/u/58900/ip.csv

Weirdest part - it seems the hacker saw my blog for the first time: no previous visits, no poking around, no brute-force attempts that I can see. He just came by looking for a site on a specific server and somehow just logged in.

My conclusion - this was purely a WP attack; the hacker made a beeline for the WP login and knew exactly what he was doing with that plugin.

Question is - where the heck is the hole, in WP or in the server? :(
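The sequence Rarst reconstructed above (first visit via a same-server lookup service, straight to wp-login, immediate plugin upload and activation) can be hunted for mechanically in any Apache access log. The script below is an added example for this page, not Rarst's code or his log: it parses "combined" format lines, groups them per client IP and flags any IP whose first successful wp-login.php POST is followed within a short window by a plugin upload or activation, reporting how many requests and failed logins preceded the login and what referer the visitor arrived with. The log lines are constructed to mirror the comment (the scanner referer host, the `blog/blog.php` plugin slug and the IP addresses are invented placeholders); the endpoint paths are WordPress's real ones, and the 302-on-success / 200-on-failure rule for wp-login.php POSTs is WordPress's normal behaviour, but it is an assumption here that no plugin on the target alters it.

```python
"""Replay a WordPress admin takeover from an Apache access log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log, not the file linked in the comment. Addresses and
# hostnames are documentation/placeholder values.
SAMPLE_LOG = """\
192.0.2.50 - - [20/May/2012:08:00:00 +0000] "GET /2012/05/some-post/ HTTP/1.1" 200 15000 "-" "Mozilla/5.0"
198.51.100.23 - - [20/May/2012:09:15:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2200 "-" "curl/7.21"
198.51.100.23 - - [20/May/2012:09:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2200 "-" "curl/7.21"
203.0.113.7 - - [20/May/2012:10:01:02 +0000] "GET / HTTP/1.1" 200 9321 "http://example-scanner.invalid/sameip?host=blog.example" "Mozilla/5.0"
203.0.113.7 - - [20/May/2012:10:01:40 +0000] "GET /wp-login.php HTTP/1.1" 200 2107 "-" "Mozilla/5.0"
203.0.113.7 - - [20/May/2012:10:01:55 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://blog.example/wp-login.php" "Mozilla/5.0"
203.0.113.7 - - [20/May/2012:10:02:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 41002 "http://blog.example/wp-login.php" "Mozilla/5.0"
203.0.113.7 - - [20/May/2012:10:03:12 +0000] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 18877 "-" "Mozilla/5.0"
203.0.113.7 - - [20/May/2012:10:03:58 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 5123 "http://blog.example/wp-admin/plugin-install.php?tab=upload" "Mozilla/5.0"
203.0.113.7 - - [20/May/2012:10:04:10 +0000] "GET /wp-admin/plugins.php?action=activate&plugin=blog/blog.php&_wpnonce=abc HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Map a request to a WordPress-specific event kind, or None."""
    path = rec["path"]
    if rec["method"] == "POST" and path.startswith("/wp-login.php"):
        # Stock WordPress redirects (302) on a successful login and re-renders
        # the form (200) on failure. Assumption: no plugin changes this.
        return "login_ok" if rec["status"] == 302 else "login_fail"
    if path.startswith("/wp-admin/update.php") and "action=upload-plugin" in path:
        return "plugin_upload"
    if path.startswith("/wp-admin/plugins.php") and "action=activate" in path:
        return "plugin_activate"
    return None


def find_admin_takeovers(lines, window=timedelta(minutes=30)):
    """Flag IPs that log in and then upload/activate a plugin within `window`.

    Each finding records how much (or how little) activity preceded the login,
    which is what distinguishes a "beeline" from brute force or casual browsing.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        events = [(r["ts"], classify(r)) for r in recs]
        for i, (ts, kind) in enumerate(events):
            if kind != "login_ok":
                continue
            follow = [k for t, k in events[i + 1:]
                      if t - ts <= window and k in ("plugin_upload", "plugin_activate")]
            if follow:
                findings.append({
                    "ip": ip,
                    "login_at": ts.isoformat(),
                    "requests_before_login": i,
                    "failed_logins_before": sum(1 for _, k in events[:i] if k == "login_fail"),
                    "first_referer": recs[0]["referer"],
                    "post_login_actions": follow,
                })
            break  # only the first successful login per IP matters here
    return findings


if __name__ == "__main__":
    for f in find_admin_takeovers(SAMPLE_LOG.splitlines()):
        print(f)
```

Run it against a real log with `find_admin_takeovers(open("access.log"))`. An IP with `requests_before_login` of one or two, zero failed logins and a referer pointing at a reverse-IP lookup service is exactly the pattern described in the comment; the same function with a lower `window` also catches scripted takeovers that upload within seconds of logging in.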