Since I am, among other things, a member of the Drupal security team, I sometimes get contacted about the security of particular modules or sites.
Today was such a day. A Drupal site developer had some suspicions about a contrib module being unsafe, since three of his clients' sites got "hacked". I asked about the symptoms and was told that a call to an advertising site got inserted into index.php.
This fact alone told me two things:
1) It is not Drupal specific; index.php is used by many PHP applications.
2) It is unlikely that Drupal was the attack vector used. Most systems do not allow the Apache user to modify PHP files.
A cursory look at the named module also didn't reveal anything particularly unsafe.
I shared these observations with the concerned developer and I also suggested that somebody guessing the passwords or using a trojan might be responsible.
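The permission check behind point 2, as an added example that is not part of the original post: a Python audit listing the PHP files under a document root that a given web server account could modify or replace. The uid/gid values and the sample tree are constructed assumptions, and ACLs, SELinux and read-only mounts are not considered.

```python
import os
import stat
import tempfile

def allowed(st, uid, gids, want):
    """Classic Unix mode check; want is a mask of rwx bits (r=4, w=2, x=1)."""
    if uid == 0:
        return True
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return ((st.st_mode >> shift) & want) == want

def audit_docroot(docroot, uid, gids):
    """Map each PHP file the given user could change to the reason why."""
    findings = {}
    for dirpath, _dirs, files in os.walk(docroot):
        dir_st = os.stat(dirpath)
        # Write + search on a directory lets a user rename a new file over an
        # existing one, unless the sticky bit limits that to the owners.
        dir_open = allowed(dir_st, uid, gids, 0o3)
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if not name.endswith(".php") or os.path.islink(path):
                continue
            st = os.stat(path)
            sticky_blocks = (dir_st.st_mode & stat.S_ISVTX
                             and uid not in (0, st.st_uid, dir_st.st_uid))
            rel = os.path.relpath(path, docroot)
            if allowed(st, uid, gids, 0o2):
                findings[rel] = "file is writable"
            elif dir_open and not sticky_blocks:
                findings[rel] = "directory is writable, file can be replaced"
    return findings

def build_sample_tree():
    """Constructed docroot: one safe file, one loose file, one loose directory."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    os.mkdir(os.path.join(root, "cache"))
    for rel, mode in (("index.php", 0o644), ("settings.php", 0o666),
                      ("cache/page.php", 0o644)):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<?php\n")
        os.chmod(os.path.join(root, rel), mode)
    os.chmod(os.path.join(root, "cache"), 0o777)
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    owner = os.stat(root)  # hypothetical web identity: any non-owner uid/gid
    print(audit_docroot(root, owner.st_uid + 1, {owner.st_gid + 1}))
```

An empty result for the web server account on a real document root supports the reasoning in point 2; any entry is a file that a compromised web application could have altered.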