Thankfully the hackers that did it weren't malicious and didn't want anything with the sites on the server, just the resources and bandwidth. So the site never had to come down, though the server load and bandwidth usage was through the roof for a couple days.
This may be old news for some, but I don't use WordPress much. If any of you are running WordPress anywhere, do yourself a favor and scan for TimThumb, even if you think everything is up-to-date. I did it like this:
grep -r allowedSites wp-content/*
If it turns up files like timthumb.php or thumb.php (or anything else), double check that they aren't vulnerable. Here's some more info:
While you are in your site files, do this grep as well:
grep -r base64 ./*
A lot of the scripts that I had to remove today were base64 encoded and eval'd, and this helped to track some of them down (among other searches). This will turn up some legitimate WordPress stuff too, but it's relatively easy to tell the difference. Assuming TimThumb was their entry point, they did a good job of hiding it. All the exploit code was elsewhere in other themes, plugins, cache files, hidden directories and more.
Since I lost so much time to WordPress and this issue today, I just wanted to post it in here in case anyone else runs into the issue. I'm just hoping I found everything...