Thanks, Exploit finds a lot of scary stuff.
I am not a pro programmer by any means. I have coded a little in a lot of old stuff. Now I just figure things out as I go.
Since I don’t read code well, I try to follow program execution logic. This led me through these steps which resoved the issue.
1. I removed all of the “weirdname”.php files in wp-includes
2. I removed the 20 or so “if” lines referencing the above files from the wp-config.php file
3. I removed the three offending tables in each blogs sql database.
4. I found some who said Jquery could be the hacked file. I reloaded the base wp-includes>JS folder.
5. I went into site admin and entered the backend of each blog.
6. Blog number 15 recreated the offending tables and inserted a line in the wp-config.php file. This blog’s theme was
which I probably got from one of the free download repositories.
6. After executing that blog it would recreate the tables in every blog which I accessed.
7. I deleted the theme and reloaded wp-includes>JS again
and now everthing is good.
Thanks for your help. Hope this helps someone else.
