I’m still running checks, but it really looks like all they did was change the admin user name for this one site. They didn’t even attempt to log into the blog using the new user name! I don’t know if I just happened to find it just as they were doing it, or if that was all they intended to do. Frustrating as hell, but could have been worse.
To be safe I’ve disabled a couple older plugins that haven’t been updated in a while, so there’re a few things not working quite right as of right now, I’ll hopefully be fixing them in the next week or so.
Having said that, if you get malware warnings when trying to do anything here please let me know so I can check into it further! I THINK I’m clear, but I’d rather know right away if something goes wrong!