Yes, another message about a site being hacked. Before anyone copies and pastes the standard hacking articles, I have already attended to them, read the fine WordPress Hack FAQ, installed security plugins, sacrificed chickens to the Dark One, and the rest of it.
My query here is simple: it looks like a hack of one of my sites, which redirects mobile users to a porn site, might involve the trojan "PHP.Trojan.WebShell-7", at least according to the Wordfence scan. Has anyone else suffered this hack and/or can point me towards specific information on it? In particular, how the trojan works, and what files it creates and compromises.
I am aware that I may need to rebuild the site but that would take some days which I don't have, so if I can identify compromised files then I can try to eradicate them, and if that fails I can check my latest full site backup (thanks, BackWPUp :)) for malware then restore the site from that. I don't want to have to kill then reanimate the patient for a simple infection.
I have scanned the 5 threads generated by a forum search for "PHP.Trojan.WebShell-7" and they look to have some useful advice, but as far as I can see no information specific to this Trojan. They are quite long so I've not read every single word, though I will do. Neither is Googling it much help. Pointers to information (not general articles, ta very much) would be appreciated, and I'll happily share them with friends and colleagues running WP sites. I've already advised them to install Wordfence as a precaution, which to my shame I should have done myself - I did try Bulletproof on localhost but that messes around mightily with .htacess files which made me very nervous indeed, so I gave it a miss.