WordPress 2.6.5 is supposedly a secure version. Needless to say, I updated to WP 2.7, changed all the passwords (cPanel, FTP, email, MySQL and WP users), etc.
Upon audit, it seems that the attacker uploaded the code via FTP (scary!) and I could find no other evidence of tampering. I checked the plugins and users inside the WordPress database, .htaccess files, etc.
I'm still scared and it's hard to believe that the hacker only did this as a warning or first step towards the second part of the hack (no doubt inserting spammy links, redirecting traffic, etc.).
Do you have any pointers as to what to look for and where?