I recently cleaned this off of a client's web server... what a mess. The client had a ton of old unused files and folders from previous versions of their website (prior to using WordPress), so I archived and removed all of those. They also had three active WordPress sites on the server (one in the root directory, two in subdirectories), so I painstakingly went through all remaining files and folders removing the injected PHP from every file named
It is important to note that this script hit EVERY file on the server with those file names, even in unused plugins and themes. There were files in subfolders of wp-admin, as well as in places you wouldn't expect deep within plugin directories.
I also deleted hidden files called .. that would be generated in the root directory of each WordPress install any time the corrupt PHP was executed (in this case, when the mobile version of the site was loaded).
There were other suspicious files as well, with filenames that were just a random series of letters and numbers, or that contained the phrase googlebot followed by a series of IP addresses.
The behavior of this hack on the iPhone was such that, when the site was loaded in the browser, it would start hitting a series of redirects and launch the App Store so you couldn't close it out right away. Then, when you went back to the browser, it continued until it ended on a porn site.
I suspect this malware was designed to generate tons of web traffic and make someone rich rather than to steal data, but who knows. It didn't seem to affect the DB, but as a precaution I changed the DB user credentials for all of the sites.
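A small triage helper that flags the three filename patterns described in this post (hidden files dropped in an install root, names that are a random run of letters and digits, and names containing googlebot followed by IP addresses). This is an added example, not code from the post; the install roots, the allowlist of expected dotfiles and the sample file listing are constructed assumptions, and the IP addresses are RFC 5737 documentation addresses.

```python
import re
from pathlib import PurePosixPath

# Dotfiles a WordPress install root legitimately carries (assumption: extend per site).
EXPECTED_ROOT_DOTFILES = {".htaccess", ".user.ini"}
# "googlebot" followed somewhere in the name by at least one dotted-quad IP address.
GOOGLEBOT_IP_RE = re.compile(r"googlebot.*?\b\d{1,3}(?:\.\d{1,3}){3}\b", re.IGNORECASE)
# Random-looking name: 8+ characters, only letters and digits, containing both kinds.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{8,}$", re.IGNORECASE)

def classify(path, wp_roots):
    """Return the list of reasons a file path looks suspicious (empty if none)."""
    p = PurePosixPath(path)
    reasons = []
    # Hidden file sitting directly in an install root (one root per WordPress site)
    if str(p.parent) in wp_roots and p.name.startswith(".") and p.name not in EXPECTED_ROOT_DOTFILES:
        reasons.append("hidden file in install root")
    if GOOGLEBOT_IP_RE.search(p.name):
        reasons.append("googlebot plus IP addresses in name")
    # Test the stem so "k8f3h2d9.php" is caught while "jquery.min.js" is not
    if RANDOM_NAME_RE.match(p.stem):
        reasons.append("random-looking alphanumeric name")
    return reasons

def triage(paths, wp_roots):
    """Map each suspicious path to its reasons; clean paths are omitted."""
    flagged = {}
    for path in paths:
        reasons = classify(path, wp_roots)
        if reasons:
            flagged[path] = reasons
    return flagged

# Constructed sample listing (not from the post): one root install and one subdirectory install.
WP_ROOTS = {"/var/www/html", "/var/www/html/blog"}
SAMPLE_PATHS = [
    "/var/www/html/.htaccess",
    "/var/www/html/.a1",
    "/var/www/html/blog/.q9",
    "/var/www/html/wp-includes/class-wp.php",
    "/var/www/html/wp-content/plugins/akismet/akismet.php",
    "/var/www/html/wp-content/plugins/akismet/k8f3h2d9.php",
    "/var/www/html/wp-content/uploads/googlebot-192.0.2.1-198.51.100.7.txt",
    "/var/www/html/wp-includes/js/jquery/jquery.min.js",
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_PATHS, WP_ROOTS).items():
        print(path, "->", ", ".join(reasons))
```

Feed it the output of a `find` over the document root; hits are candidates for manual review, since hashed asset names will also match the random-name heuristic.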