phil_denton

It probably varies based on the (infected) site. I used https://sitecheck.sucuri.net/scanner/ to tell me exactly which files were infected. In every case it was the last line of the file that had that nasty hex-javascript junk.

Oops sorry, this reply was REALLY late.

I just finished cleaning all the infected files off my site as well. Just FYI, I also found malicious code on my site in a “theme” called “config”. The folder had three .php files in it – yup, main, and configs. Be on the lookout for those also, just in case…