I maintain 6 WP sites. The site I admin that has been hacked is a medium sized online business. Users for a period of 30 minutes received notifications from Google that our website had become infected by a malware distro site: "ohzqyikp.myredirect.us". As a webmaster I verified by having Google check for malware. It says we are clean. But I knew we weren't.
The way I knew I was infected is the site no longer presented itself in the center, but became left justified. Pages also were no longer presenting -they showed up as blank. You could not reference the site from external links either (eg) from an email. I thought it was bad plugin interactions, so I disabled all plugins. This did not stop the problem. I tested our theme by installing a simple one on the site. Any theme had the same problem. This lead me to verify the wordpress code.
I found the malware in the code by doing alot of sifting thru the code.... It had changed the following file:
../web/content/index.php which kicks off WordPress.
The php code added by the malware is:
eval(base64_decode ('very long encoded string=='));
Then the rest of the site executes almost normally.
After removing that call which is at the head of the file, changing admin passwords on WP and servers, and getting the site back to normal, the code was added back in after about 2 hours. The site went back to the same problems again.
No surprise of the continued attack, but I can't find the hole/leak to stop this. I'm also concerned this could be a much bigger than me problem, due to the hidden nature of this virus.
Help me find how it is restarting again and again please!!