It happened to me too
Last month we took on a new client with an old Magento site. It had been infected with something very similar, instead of "xurum.com" it referenced another compromised site. Because credit cards had been exposed and fraudulent payments were reported by CC companies there had to be a PCI-DSS audit to make sure every last trace of infection was scrubbed. The problem was every time we cleaned up the offending card skimmer it would come back, sometimes right away, sometimes after several hours.
It took a lot of debugging to figure out there were two things going on; First the infection was in a database trigger so that each time an admin user logged in it was recorded in a specific database table, that triggered the trigger, that would re-inject the card skimmer. It was bloody hard to find because the database copy we took for analysis only had the plain data, not the triggers or functions. Let that be a lesson for you all!
The site was just waiting to get compromised. Not only was it using older versions of software, but it also did not add vulnerable functions like "system" and "exec" and "shell_exec" to PHP's "disable_function" setting. This setting is annoyingly left empty by the PHP Group when they should make it most secure by default. They do disable "allow_url_include" initially which is the sensible decision. Magento could also check for stuff like this on installation and put it in their .htaccess file if necessary, but they never bothered. Popular management software like cPanel do set this to protect newbies.