Monday, 18 May 2009

Gumblar: A Botnet of Compromised Websites

As we mentioned last week:

...site owners who have had their sites compromised by Gumblar should keep in mind that while stolen FTP credentials appear to be the initial means of access, once that access is gained it appears the attackers are 'backdooring' the sites. This means that simply changing the FTP password won't be enough. Site owners will want to check their logs carefully for changes that may have been made post-intrusion. This includes checking things like htaccess, php_includes, and other configuration settings, as well as ensuring directory permissions are set appropriately.

Thanks to these 'backdoors', what we're really looking at here can only be described as a botnet of compromised websites. And a growing one at that. Even with the dip in traffic that occurs over the weekend, the number of Gumblar-compromised sites still grew another 10% since last Friday, now up a total of 246% from when we first began tracking the increase just over a week ago.
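The post-intrusion checks recommended above (files changed after the suspected compromise, htaccess and PHP include settings, directory permissions), sketched as an added example that is not from the original post. The directive list, the config file names and the function names are this example's assumptions.

```python
import os
import stat
import time

# Real Apache/PHP directive names; picking these as "worth a manual look" is this example's assumption.
REVIEW_DIRECTIVES = ("auto_prepend_file", "auto_append_file", "include_path",
                     "php_value", "php_flag", "addhandler", "addtype", "rewriterule")
CONFIG_NAMES = (".htaccess", "php.ini", ".user.ini")


def scan_config(path):
    """Return (kind, path, detail) for each non-comment line that sets a reviewed directive."""
    hits = []
    with open(path, "r", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            text = line.strip()
            if not text or text[0] in "#;":
                continue
            if any(d in text.lower() for d in REVIEW_DIRECTIVES):
                hits.append(("config-directive", path, f"line {lineno}: {text}"))
    return hits


def audit_webroot(root, since_epoch):
    """Walk root and list items to review by hand; a finding is a lead, not a verdict."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        mode = os.lstat(dirpath).st_mode
        if mode & stat.S_IWOTH:
            findings.append(("world-writable-dir", dirpath, oct(stat.S_IMODE(mode))))
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if not stat.S_ISREG(st.st_mode):
                continue
            # mtime can be reset by whoever wrote the file, so an old mtime proves
            # nothing; compare against a known-good backup as well.
            if st.st_mtime >= since_epoch:
                stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(st.st_mtime))
                findings.append(("modified-since", path, stamp + " UTC"))
            if name.lower() in CONFIG_NAMES:
                findings.extend(scan_config(path))
    return findings
```

Call `audit_webroot()` with the site's document root and the epoch time of the earliest suspected access, then check each finding against the server logs.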

Reader Comments (2)

A very informative article. I really learned something from your post.

Thank you for sharing.

James Palm,

May 22, 2009 | Unregistered Commenter James Palm

Thanks for taking the time to help, I really appreciate it.

May 22, 2009 | Unregistered Commenter Kili
