I’ve been fighting this one for the past week. I found this thread and this one.
Using Malwarebytes, Windows Defender and Kaspersky, I scanned/cleaned my computer of all suspected trojans (Malwarebytes found several), I reinstalled WP, themes, plugins, changed passwords, manually scrubbed header.php in every site, but the thing kept returning. I finally installed Wordfence on the advice of timcolman in the second thread above. I scanned all my sites. All were clean except one, which found these problems:
Critical Problems:
* WordPress core file modified: wp-includes/feed-atom-comments.php
* File appears to be malicious: _love.php
* File appears to be malicious: wp-admin/css/colors/ectoplasm/template.php
* File appears to be malicious: wp-content/db12.php
* This file may contain malicious executable code: wp-content/plugins/jetpack/modules/custom-post-types/portfolios.php
* File appears to be malicious: wp-content/uploads/2014/11/xml87.php
* File appears to be malicious: wp-includes/Text/Diff/Engine/user67.php
* File appears to be malicious: wp-includes/js/mediaelement/files36.php
Warnings:
* Modified plugin file: wp-content/plugins/contact-form-7-to-database-extension/CFDBShortCodeSavePostData.php
* Modified plugin file: wp-content/plugins/jetpack/modules/custom-post-types/portfolios.php
Where files were modified, I reverted to the original. Many of these had been stripped of the developer’s code and replaced with hack garbage. Files that appeared to be malicious, I deleted. Be sure to check your uploads folders for PHP files and files you didn’t personally upload.
I’ve been monitoring my sites for a couple days now and they are staying clean. I suspect the one site was infecting all the others, as they were all housed within the same hosting account.
jt
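
The three kinds of finding in the scan report above (modified core files, extra files inside core directories, PHP files under uploads) can be checked by hand with a script like the following. This is an added example, not part of the original post and not Wordfence's code. It assumes you have unpacked a clean copy of the same WordPress version to build the manifest from; the function names are hypothetical, and it only covers `wp-admin`, `wp-includes` and `wp-content/uploads`.

```python
import hashlib
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")          # directories shipped with WordPress core
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}


def _files(base):
    """All regular files below base, or nothing if base does not exist."""
    return [f for f in base.rglob("*") if f.is_file()] if base.is_dir() else []


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def build_manifest(clean_root):
    """Map relative path -> SHA-256 for every core file in a clean copy."""
    clean_root = Path(clean_root)
    return {
        f.relative_to(clean_root).as_posix(): sha256_of(f)
        for d in CORE_DIRS
        for f in _files(clean_root / d)
    }


def audit(site_root, manifest):
    """Compare a live site against the manifest and list PHP under uploads."""
    site_root = Path(site_root)
    report = {"modified": [], "unknown_core": [], "php_in_uploads": []}
    for d in CORE_DIRS:
        for f in _files(site_root / d):
            rel = f.relative_to(site_root).as_posix()
            if rel not in manifest:
                report["unknown_core"].append(rel)    # core never shipped this file
            elif sha256_of(f) != manifest[rel]:
                report["modified"].append(rel)        # core file content changed
    for f in _files(site_root / "wp-content" / "uploads"):
        if f.suffix.lower() in PHP_SUFFIXES:          # uploads should hold media only
            report["php_in_uploads"].append(f.relative_to(site_root).as_posix())
    return {k: sorted(v) for k, v in report.items()}
```

Run `audit()` against every site in the hosting account, since a single infected site can rewrite files in its neighbours.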