Cleaning an elusive malware infection from a WordPress site
I don't know why it should only be WordPress sites, but I've removed malware from three or four client websites in the last three years, and all of them used WordPress. Most importantly (I think this is the main reason), all of them run on web servers that allow automatic updating of plugins without FTP.
Not just WordPress
It took more than a week to figure out how it works. Finally I detected the pattern of its appearance:
- It appears only once, on the first visit to the site in a day.
- It appears on any page, not just the home page: if a specific page is the first visit of the day, it's there!
- It appears even on a plain, simple HTML page, not just WordPress pages.
Finally, a good look at .htaccess
That finding left only one possibility: the .htaccess file. A good look at .htaccess revealed the offending code, which also showed the location of the actual culprit file. This particular site makes elaborate use of .htaccess, with more than 100 lines in it, so the injection was not visible when we took a cursory glance the first time.
Details on how to clean it up are available at Sucuri.net: http://blog.sucuri.net/2010/12/malware-update-publifacil-org-htaccess-changes-and-pe-php.html. The file name invariably starts with PE. In our instance it was PEcutup.php (that name is not mentioned on the Sucuri page, so be prepared to find new names if you face a similar situation!)
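As an added example (not code from the original post, nor from Sucuri), here is a small POSIX shell triage script that performs the two checks this writeup ends up needing: it reads an .htaccess file and flags directives that can hand requests to a PHP script, and it lists PHP files under the docroot whose names start with PE. It goes a little beyond the post by also flagging auto_prepend_file/auto_append_file and script-backed ErrorDocument entries, which are other common places an .htaccess injection hides. The docroot layout, the sample .htaccess, the cookie-based RewriteCond, the placeholder dropper and all paths are constructed for the demo; the incident's actual injected rule is not reproduced here.

```shell
#!/bin/sh
# Added example, not code from the original post: triage helper for the
# .htaccess-driven infection described above. It (1) flags .htaccess
# directives that hand requests or every PHP execution to a script, and
# (2) lists PHP files whose names start with "PE", the naming the post
# reports (PEcutup.php in its case). The docroot, sample .htaccess and
# file names below are constructed for the demo; the real injected rule
# from the incident is not reproduced here.

scan_htaccess() {
    # $1 = path to an .htaccess file. Prints "lineno: directive" for each
    # suspicious entry; comments and blank lines are skipped.
    awk '
    {
        l = tolower($0); sub(/^[[:space:]]+/, "", l)
        if (l == "" || l ~ /^#/) next
        hit = 0
        # RewriteRule whose target is a PHP file other than WordPress own /index.php
        if (l ~ /^rewriterule[[:space:]]/ && tolower($3) ~ /\.php/ && tolower($3) !~ /^\/?index\.php$/) hit = 1
        # auto_prepend_file / auto_append_file: mod_php runs that file on every request
        if (l ~ /^php_(value|admin_value)[[:space:]]+auto_(prepend|append)_file/) hit = 1
        # ErrorDocument for a 4xx/5xx status served from a script
        if (l ~ /^errordocument[[:space:]]+[45][0-9][0-9][[:space:]]+[^[:space:]]*\.php/) hit = 1
        if (hit) printf "%d: %s\n", NR, $0
    }' "$1"
}

count_suspicious() {
    # Number of flagged directives in $1, as a bare integer.
    scan_htaccess "$1" | wc -l | tr -d ' '
}

find_pe_files() {
    # PHP files under docroot $1 whose name starts with PE (case-insensitive).
    find "$1" -type f -iname 'PE*.php' | sort
}

# --- constructed demo docroot (assumption: a typical WordPress layout) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/wp-content/uploads"
# Stand-in for the dropper; the real file's contents are not reproduced.
printf '<?php /* placeholder */\n' > "$demo_dir/wp-content/uploads/PEcutup.php"

cat > "$demo_dir/.htaccess" <<'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
ErrorDocument 404 /404.html

# --- constructed injection (assumed shape, not the incident's actual rule) ---
RewriteCond %{HTTP_COOKIE} !seen=1
RewriteRule ^.*$ /wp-content/uploads/PEcutup.php [L]
php_value auto_prepend_file /tmp/.cache/inc.php
EOF

echo "== suspicious directives in $demo_dir/.htaccess =="
scan_htaccess "$demo_dir/.htaccess"
echo "== PE*.php files under $demo_dir =="
find_pe_files "$demo_dir"
```

On the constructed sample the stock WordPress rules (including the `/index.php` rewrite) are left alone and only the injected RewriteRule and the auto_prepend_file line are reported. To use it on a real site, point `scan_htaccess` at every .htaccess under the docroot (`find docroot -name .htaccess`) rather than the demo file; on hosts that run PHP through FastCGI/php-fpm instead of mod_php, also check `.user.ini` files for auto_prepend_file, since php_value lines in .htaccess are ignored there.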