Shared hosting back door
Thanks to my friend Kevin McArthur for helping unveil this bad boy, as it seems to be infecting quite a few machines. It appears that it was a local machine attack, taking advantage of a world-writable directory hidden behind a home directory that is not viewable.
$ find . -name files.php
$ ls -la ~me
drwxr-x--x 8 me mygroup 4096 2011-10-05 19:22 .
$ ls -la ./connect/images/avatars/upload/
drwxrwxrwx 2 me mygroup 4096 2011-10-05 19:37 .
drwxr-xr-x 4 me mygroup 4096 2010-11-19 04:22 ..
-rw-r--r-- 1 me mygroup 51 2010-11-19 04:22 .htaccess
-rw-r--r-- 1 unpri Notmygroup 23343 2011-09-05 14:22 files.php
-rw-r--r-- 1 me mygroup 169 2010-11-19 04:22 index.htm
Now onto the juicy bits, check out files.php and then backdoor.txt.
UPDATE Jan 9th, 2012: I found a wp-template.php.txt in the root WordPress directory. It was called via @include in index.php, cleverly nested right after the */ at the end of the 5-line intro comment.
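A defender's check for the conditions in the listing and the update above, as an added example that is not part of the original post: it reports directories writable by any local user, files not owned by the account that owns the tree (as files.php was), and PHP files containing @include for manual review. The function name audit_tree and the output labels are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# audit_tree ROOT [OWNER]: the function name and the output labels are
# made up for this example. OWNER defaults to the numeric uid owning ROOT.
audit_tree() {
    root=$1
    # Third field of `ls -ldn` is the numeric uid of the tree's owner.
    owner=${2:-$(ls -ldn "$root" | awk '{print $3}')}

    # Directories with the o+w bit set: any local account that can reach
    # the path can create files there (the 0777 upload/ directory above).
    find "$root" -type d -perm -0002 -print |
        sed 's/^/WORLD-WRITABLE-DIR /'

    # Anything owned by a different account than the tree owner
    # (files.php in the listing was owned by another user and group).
    find "$root" ! -user "$owner" -print |
        sed 's/^/FOREIGN-OWNER /'

    # PHP files containing an error-suppressed include, the way the
    # update says index.php pulled in wp-template.php.txt. Legitimate
    # code can use @include too, so treat hits as a review list.
    find "$root" -type f -name '*.php' -exec grep -l '@include' {} + |
        sed 's/^/AT-INCLUDE /'
}

# Stand-alone use: sh audit.sh /path/to/webroot
if [ "$#" -gt 0 ]; then
    audit_tree "$@"
fi
```

Run it as the account that owns the tree. With a home directory mode like drwxr-x--x, other local users cannot list the directory but can still traverse it to a path they already know, so the o+w check matters even when the home directory looks closed.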