A customer has had his WordPress blog hacked, and there are small links to pharma sites in all posts.
I have found a lot of articles by searching for "wordpress pharma hack", but I don't find any of the hacker PHP files (backdoors) they mention in the WordPress folders, nor the database entries that these articles mention (in the wp_options table). So no trace at all... except all these links in every post.
There are no additional plugins installed, so they must have gotten through the WordPress core.
Any input on what hack that could be (and how to fix it)?