Typically, cybercriminals will directly embed malicious iFrames on as many legitimate websites as possible, target server farms and affect the thousands of customers that visit them, or generate and upload invisible doorways on legitimate, highly ranked web properties, all in an attempt to monetize hijacked search traffic. Competition is fierce in this space, and DIY blackhat SEO doorway generators have built-in modules that allow cybercriminals to detect and remove other known web backdoors (shells) from the legitimate website about to be abused. http://alrt.co/10mLYGv
Takeaway: As cybercriminals get into turf wars on protecting and harvesting the infected hosts, they are devising DIY tools to detect a competing shell (backdoor), investigate other vulnerabilities and eventually clean the site of competing backdoors. The good news is that your site may not have that many vulnerabilities at the end of it. The bad news is that it will be guarded by a well-hidden rootkit to minimize detection by the cybercriminal.