londrum - 8:48 am on Aug 27, 2010 (gmt 0)
i wouldnt be so quick to blame wordpress. you said that other client sites had it too, and they were just straight HTML which didn't use wordpress -- presumably they don't use a database either, so the hack can't be in there. so maybe it got in through them.
sounds like the hack is installed on the server, rather than each individual site, so any of the sites on the server could have been the front door. all it normally takes is some kind of form.