after month or two of living with a backdoor in the wordpress install on dailywireless.org, it has finally been found.
$ diff -r wordpress-2.8.4/ dailywireless.org/
Only in dailywireless.org/wp-admin: fonction.php
Only in dailywireless.org/wp-admin: wp-conf.php
Only in dailywireless.org/wp-admin: wp-links.php
a diff between dailywireless.org's wordpress code and stock 2.8.4 code showed no file differences but did show 3 untracked files. the ones listed above. they contain some highly obfusticated code which looks like
which decodes into the first of numerous layers of base64 encoded php.
once i had some of the code, i could google for it and found other people who have dealt with this kind of invasion before. the best resource I found is an automated web tool to decode the obfustication all the way down to the resultant PHP.
the backdoor was probably placed before the 2.8.4 upgrade using some older security hole. the backdoor remained after the 2.8.4 upgrade because the upgrade doesnt check for files that are outside the WP codebase.