I am struggling with this stuff for months now. I am using wordpress multisite version and is running with around 80 blogs. Around 3 months back, we had a pharma hack and man files had the base64_decode code snippets as a first line.
I had removed all those code snippets.
I found the backdoor entry and removed that file.
Upgraded the server to new version 3.4.2 and upgraded all my plugin.
Moved my blogs to new server and changed permission to the folders.
Changed the password.
Checked through "Fetch through Google" to see if webpage is showing any pharmacy keywords. Ntohing is there.
Only thing I moved from the old server was the database data. I had exported all the data and moved to the new MySQL Database.
Now when I run the grep command for base64_decode, I am not able to find hack code.
Now only my root url looks infected. All other pages are looking good.
In my access log, I get the following URL getting accessed by search bots.
I looked all files, changed the wordpress root files, updated plugins. But still the root url looks infected. Even I had changed the themes of my root blog and still the issue exist.
I am confused, Fed up and frustrated with this.
Kindly help me in solving this crazy bug. Sorry for being so long.