I wasn't sure where to post this, but I didn't see any info when I googled it, and I think it's really important to get the word out.
I just found a file called wp-content/plugins/helo/helo.php on a number of my sites.
The file is designed to look like the "Hello Dolly" plugin but it contains all kinds of malicious code designed to compromise my system, rewrite my php.ini file and inject its own content onto my site.
Everything I know is here:
I'll update it as I continue to investigate.
Anyone have any advice on the best way to clean this? If they have my php.ini, then they likely have my db password, which sucks big time.
A:) How do I clean this?
B:) How do I make sure it doesn't happen again?