I changed, salt keys, scanned with GOTMLS. It found 8 results with ‘eval’ strings but not suspicious. I compared those results with original files from the WordPress.org repository and original theme zip file, it was looking just fine.
It’s really interesting.
Yesterday when I opened this thread it was 1.66k injected URLs, now it’s 1.67k. And really I can’t find a way to fix the issue.
Well, I think so. But, because I don’t know what I’m looking for, It’s like trying to achieve the impossible.
Searching for a single obfuscated base64 line is simple, but I couldn’t detect them manually, either Wordfence. But some help forums also talking about that there might be very short and innocent strings, which pulls information from other sites, so scanners can not detect them. And to be able to detect them manually, you need to know PHP coding, or at least you need to be familiar with some functions, which I’m not. I can’t distinguish if a PHP function is a malware or the original code of the site.
