Pardon if I don’t refer to the correct terminologies related to website security but I’m relatively new at looking for more complex problems with malware on WP installations. I’ve been able to clean sites in the past where the problem/malicious code was obvious but this is a case where I need some assistance beyond reading a ton of posts all over the place.
The closest I could find to the problem I’m experiencing on ALL the sites I host under a single cPanel is what was posted on this forum back in April related to the BaDoink Redirect. It’s affected the proper function of the WP admin section (menus don’t expand, for example) and caused other CSS-related problems, etc. It’s eerily similar, but in my case there are “.backup_time” files with base64 code in all root directories as well as other directories. I use iTheme Security aka wp-better-security which has a backup function, but I’m not using it. Here’s the contents of “.backup_time”:
ukzxU9YtgCqu92sFEcoxiS3woGd31A0U/P5F/pQ2W1f5TrRa+YuzjVsm2WUhcXZVGculXHa3B
......
4givCIV/1Xfxvj5Q
6gu5EYFgyXfyvjVTQw==
7ASvDodhyXT2oSlRR5E=
.....
4g2vDYNoyXL2vjVW
6g65EYJo3mvzoDNOQp18
6gS5EYFl12vyoilXRw==
6gS0EYdpyXD3vjFZ
4wSvDoppyXT0oSlTRQ==
.....
I’ve searched (via shell) for all sorts of terms that could potentially point to malicious code only to find nothing. I’ve opened countless index.php, functions.php, header.php, etc. files and there’s nothing abnormal about them, whether in the root or in themes. I found another post on stackoverflow that looks like it could be related: http://stackoverflow.com/questions/22647441/what-does-this-malicious-php-code-found-in-a-wordpress-install-do
Sucuri.net says: Known javascript malware. Details: http://labs.sucuri.net/db/malware/spam-seo-suspicious15?v13
<body><script>top.location.replace("http://www.*******.com/4eda2b0bf******4406888.php?s=http://*****.com/mr/?id=SRV0102");</script>
I also found this which is likely what I’m experiencing: http://blog.sucuri.net/2014/07/website-malware-mobile-redirect-to-badoink-porn-app.html
But I don’t find this anywhere. It must be injected by a rogue script but where to start… Would the script duplicate itself in every install or use one install as a command center?
Can anyone shed any light on what I could do to rid me of this nightmare? There are a couple of my sites that literally disappear when a particular template is used because of the corrupted back-end.
Any help would be greatly appreciated.
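As a starting point for the "where to start" question above, here is an added example (my own code, not anything from the original poster, Sucuri, or iThemes Security) of a read-only triage scan over a WordPress docroot. It reports three things the post describes: hidden files WordPress does not ship (like ".backup_time"), known redirect/eval injection strings (the "top.location.replace(" line Sucuri flagged), and long base64 runs, which it also decodes so a payload hidden behind a variable function call with no literal "base64_decode(" is still caught. Runs that decode to something unreadable, like the blob quoted in the post, are reported separately as "opaque". The sample site it builds, the hostnames (example.invalid) and the marker list are all constructed for the demo.

```python
"""Read-only indicator scan for a WordPress docroot (added example, not from the original post).

Reports: unexpected dotfiles, literal injection markers, base64 runs that decode to an
injection marker, and base64 runs that do not decode to readable text ("opaque").
The sample tree, hostnames and marker list are constructed for this demo.
"""
import base64
import os
import re
import string
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Dotfiles WordPress itself may legitimately have; any other "." file is worth a look.
EXPECTED_DOTFILES = {".htaccess", ".user.ini", ".maintenance"}

# Defender's watchlist of classic injection strings (constructed, not exhaustive).
SUSPICIOUS_MARKERS = (
    "top.location.replace(",   # the redirect line Sucuri flagged in the post
    "eval(base64_decode(",
    "eval(gzinflate(",
    "eval(str_rot13(",
)

# Runs of 40+ base64-alphabet chars; shorter runs (nonces, hashes) are too noisy.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
MAX_BYTES = 2 * 1024 * 1024          # skip media/backups; injections hide in small text files
PRINTABLE = set(string.printable)


@dataclass
class Finding:
    path: str
    reason: str
    detail: str = ""


def _decode_if_text(run: str) -> Optional[str]:
    """Base64-decode a run; return the text only if it is valid and mostly printable."""
    core = run.rstrip("=")
    try:
        raw = base64.b64decode(core + "=" * (-len(core) % 4), validate=True)
        text = raw.decode("utf-8")
    except ValueError:                 # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    printable = sum(ch in PRINTABLE for ch in text)
    return text if printable >= 0.95 * len(text) else None


def scan_file(path: str) -> List[Finding]:
    findings: List[Finding] = []
    name = os.path.basename(path)
    if name.startswith(".") and name not in EXPECTED_DOTFILES:
        findings.append(Finding(path, "unexpected hidden file"))
    if os.path.getsize(path) > MAX_BYTES:
        return findings
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    for marker in SUSPICIOUS_MARKERS:
        if marker in text:
            findings.append(Finding(path, "injection marker", marker))
    for match in B64_RUN.finditer(text):
        run = match.group(0)
        decoded = _decode_if_text(run)
        if decoded is None:
            findings.append(Finding(path, "opaque base64 blob", run[:24] + "..."))
        elif any(marker in decoded for marker in SUSPICIOUS_MARKERS):
            findings.append(Finding(path, "base64-wrapped injection marker", decoded[:60]))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk every file under root and collect findings; nothing is modified or deleted."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            findings.extend(scan_file(os.path.join(dirpath, fname)))
    return findings


def build_sample_site() -> str:
    """Constructed WordPress-like tree: two clean files plus three planted indicators."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    redirect = ('<body><script>top.location.replace('
                '"http://redirect.example.invalid/landing.php");</script>')
    wrapped = base64.b64encode(redirect.encode()).decode()
    opaque = base64.b64encode(bytes(range(128, 176))).decode()   # valid base64, not UTF-8 text
    files = {
        "index.php": "<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n",
        ".htaccess": "RewriteEngine On\nRewriteRule ^index\\.php$ - [L]\n",
        ".backup_time": opaque + "\n",
        "wp-content/themes/demo/header.php": "<!DOCTYPE html>\n<html>" + redirect + "\n",
        # No literal "base64_decode(" here: only decoding the blob reveals the redirect.
        "wp-content/uploads/cache.php": '<?php\n$p = "' + wrapped + '";\n$f = "base64_decode";\necho $f($p);\n',
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_site()):
        print(f"{f.reason:32} {f.path}  {f.detail}")
```

To use it on a real account, call scan_tree() with the account's home directory (a placeholder path like /home/USER, not a specific docroot): sites under one cPanel account run as the same Unix user, so a dropper in one install can write into every other install, which is why every site under the account shows the same files. Treat the "opaque base64 blob" bucket as triage rather than proof; data URIs in CSS and long salts also match, so review each hit by hand. The blob quoted in the post does not decode to readable text, so it would land in that bucket, and the "unexpected hidden file" hit on ".backup_time" is the quick way to list every copy across the account.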