This may have already been mentioned. But what I think these cheats do is use a custom bot to search the web for any and all pages (on a CMS or Blog, etc.) where they can exploit the page. I’ve seen these bots searching through my sites and they look for all sorts of weird doorways and directories. As soon as they get a positive result, then they move in for the kill. Script kiddies do this when they want to hack forums, etc.
Good news, out of the list above, only the following are still problems:
(plus duplicate ones from same host)
xxxxx/neumann.sk.tsukuba.ac.jp/plone/Members/janetbritn/poker-3.html
xxxxx/www.plone4artists.org/Members/victorcarl/poker-4.html
xxxxx/sp2000europa.org/Members/lisafawn/poker-8.html
xxxxx/lab2ipo.org/Members/oscarryan/casino-2.html
xxxxx/atomworks.org/Members/elainekimb/sherryjoy/
They are using Javascript to do the redirect. They are loading the src of the script from, you guessed it – xxxxx://seoexp.info/js/c060907.js If you want to see what these pages really look like, you can disable javascript and go to the links above. The Plone software is the perfect ‘host’ for this ‘virus’ because it gives the title, the meta keywords, meta description, everything that Google would require for placement.
If only we could do a search for all pages that include that javascript on google. This could give us an extra advantage for finding and reporting this crap.