I am having a serious problem with some backdoor scripts that were installed in some of our WordPress sites.
I will gladly pay to get rid of this issue and not worry about it any longer. Whoever can help me, I have A LOT of work for you in the future. It could definitely be the start of a long-term, profitable relationship.
I need an expert who has dealt with this before and is very confident that they can fix the problem. I have ClamAV on our dedicated server and the scan does not find the malware.
However, I also have a malware scanner plugin installed on each site and this finds some of the files, sometimes.
Here is the issue...there are backdoor files installed, I think mainly/only within wp-content. The files seem to be found in wp-content, uploads and themes. The most common file names are .cache.php and index.php.
I have found that if I delete the entire theme and reinstall, the issues will go away and the site will display fine. HOWEVER, the files will return and the site will show the negative effects again. The files are all inter-connected somehow and after I fix 4-5 sites, one of the sites with the backdoor script will multiply onto all of the other sites again. The .cache.php and index.php files can be found on 10-15 WordPress sites on the server.
I have tried EVERYTHING. I have created new database users, changed passwords for all, and basically every combination to combat this. It seems that it helps sometimes, like right now I have the problem basically hidden...but one mistake and it will come back.
What I mean by "problem hidden" is that the malware only ruins the theme on some websites. On other websites...everything APPEARS fine, however, the backdoor files are present. I have made the websites that get messed up okay for now, but I need to get all of these bad files off of my server immediately.
Another complication is that the backdoor script seems to alter the header.php file. For a lot of our sites, the themes are customized, so deleting the theme itself and doing a fresh install may fix the malware issue...however, somehow I need to keep the custom work that was done on the themes for the websites. I need to somehow get the negative code removed but not lose all of the work that was done.
I think that if we use a scanner that can actually find these files...it would be easy. Also, if you have dealt with this before and know of a simple solution that I am missing...PLEASE HELP.
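An added example, not part of the original post: a location-based check that lists files for manual review under one site's wp-content directory, using the file names and directories the post reports. It assumes that dot-prefixed PHP files are never expected and that uploads should contain no PHP apart from a comment-only placeholder index.php; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

def is_placeholder(path):
    """True for a small index.php holding only '<?php' and '//' comment lines."""
    if os.path.getsize(path) > 4096:
        return False
    with open(path, "rb") as fh:
        lines = [ln.strip() for ln in fh.read().splitlines() if ln.strip()]
    return bool(lines) and lines[0] == b"<?php" and all(
        ln.startswith(b"//") for ln in lines[1:])

def find_suspects(wp_content):
    """Return sorted (relative_path, reason) pairs for manual review."""
    suspects = []
    for root, _dirs, files in os.walk(wp_content):
        rel_root = os.path.relpath(root, wp_content).replace(os.sep, "/")
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            rel = name if rel_root == "." else rel_root + "/" + name
            if name.startswith("."):
                # e.g. the .cache.php name reported in the post
                suspects.append((rel, "hidden PHP file"))
            elif rel.startswith("uploads/") and not is_placeholder(
                    os.path.join(root, name)):
                # Assumption: uploads holds media, not executable PHP
                suspects.append((rel, "PHP file under uploads"))
    return sorted(suspects)

def build_sample_tree(base):
    """Constructed sample tree; contents are harmless stand-ins."""
    sample = {
        "uploads/index.php": b"<?php\n// Silence is golden.\n",
        "uploads/2020/photo.jpg": b"\xff\xd8constructed",
        "uploads/2020/index.php": b"<?php echo 'constructed sample'; ?>\n",
        "themes/custom/header.php": b"<?php // constructed theme header ?>\n",
        "themes/custom/.cache.php": b"<?php echo 'constructed sample'; ?>\n",
    }
    for rel, data in sample.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

def demo():
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return find_suspects(base)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason}: {rel}")
```

A modified header.php cannot be identified by name or location, so it is not flagged here; comparing theme files against a known-good copy is the check for that case.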