• I maintain about 30 websites, mostly with at least one WordPress installation in each. (I am embarrassed to confess.. Some have been better kept up to date than others… However, I’m FIXING THAT!)

    I did not have gibberish in either my wp-config.php files or in footer.php that some other people reported with the base64 problem.

    However, this code showed up this week at the very top of the index.php files
    <?php eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw...followed by blah blah blah with lots and lots of letters and numbers!!

    I deleted that stuff… and it scans clean with sucuri.net
    but in a little bit.. less than an hour.. it all comes back.

    I generally keep my wp installations in a different folder than the root directory. It seems to look like whatever is causing the trouble is also adding a second index.php where it THINKS that file should be.
    Both have generally had the bad code.

    It seems to be limited by user. So if my infected user has access to 20 sites, then 20 sites get infected.

    If a different user has only one site.. then that site might not be infected.

    Here’s what I’m trying.

        I made a new user in my host account
        Change the authentication strings in wp-config.php
        (generating new ones here: https://api.wordpress.org/secret-key/1.1/salt/)
        delete the eval(base64 etc code
        Then immediately change the user to a new clean one.

    So far.. so good.

Viewing 1 replies (of 1 total)
  • The topic ‘2012 php eval(base64_decode hack issues’ is closed to new replies.
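
A read-only sweep for the injected opener described in the post, as an added example that is not part of the original thread: it walks a web root, flags `.php` files whose first bytes contain `eval(base64_decode('…`, and decodes a short preview for triage without executing it. The names `scan_tree` and `decode_preview`, their parameters, and the web root path are assumptions; the modification time is reported so reinfection after cleanup can be lined up against server logs.

```python
import base64, binascii, os, re, sys

# Opener reported in the post: eval(base64_decode('<base64>...
INJECT = re.compile(rb"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)")

def decode_preview(blob, limit=80):
    """Decode the first `limit` base64 chars for triage; never executed."""
    chunk = blob[:limit]
    chunk = chunk[: len(chunk) - len(chunk) % 4]  # whole 4-char groups only
    try:
        return base64.b64decode(chunk).decode("latin-1")
    except (binascii.Error, ValueError):
        return ""

def scan_tree(root, head_bytes=4096):
    """Return sorted [(path, mtime, preview)] for .php files whose first
    head_bytes contain the injected opener. Files are only read."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(head_bytes)
                mtime = os.path.getmtime(path)
            except OSError:
                continue  # unreadable file: skip, keep sweeping
            match = INJECT.search(head)
            if match:
                findings.append((path, mtime, decode_preview(match.group(1))))
    return sorted(findings)

if __name__ == "__main__":
    # Usage: python scan.py /path/to/webroot  (path is an assumption)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, mtime, preview in scan_tree(root):
        print(f"{path}\tmtime={mtime:.0f}\t{preview!r}")
```

Run it once per hosting user's home directory, since the post reports the infection spreading across every site a single user can write to, including an extra index.php outside the WordPress folder.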