Teaserguide virus in header.php not found

Why didn’t iThemes Security find that virus?

As of release 5.0.1 the iTSec plugin Malware Scanning feature performs a Sucuri SiteCheck scan. So your question should be “Why didn’t Sucuri SiteCheck find that virus?”. I guess that question can only be answered by Sucuri.
Do note the iTSec plugin Malware Scanning feature includes the following info:

Although the Sucuri team does its best to provide the best results, 100% accuracy is not realistic and is not guaranteed.

It seems the Wordfence security plugin was also having difficulties detecting the Teaserguide infection. You may be interested in reading this topic in their forum (if you haven’t already done so).

The iTSec plugin File Change Detection feature must have reported file changes related to the infection.

It seems the Teaserguide infection makes several file changes which should normally be detected by the File Change Detection feature.
Please check the iTSec plugin Logs page. Select “File Change History” from the “Select Filter:” drowpdown listbox.

Below a short list of the Teaserguide infection file changes I gathered from various sources on the internet:

Type: Changed File: Theme(s) header.php
Type: Changed File: WP root .htaccess
Type: Added File: openx-adm.php

This list is most probably not complete. To make the list as complete as possible please report any additional suspicious files in this topic.

It seems at this stage it is unknown how this infection is spreading.
Found some reports that indicate setting the correct WP file\folder permissions helps protect against infection.

dwinden

Does iThemesSecurity have the ability to scan files at the root level? I have this same problem and found “payload” files in my public_html root and edits made to my Jetpack SQL file that removed the ‘protect’ value in its table. I think it’s a cPanel vulnerability.