I’m not familiar with Snort rule syntax, but how are you going to match “add_action”, “wp-head” and “check_wp_head_load”? They never appear in the server response. Moreover, they can’t be found in files on the server either, since this code is encrypted.
Hi, thanks for the informative post! I have followed all of your instructions on this page (used WinMerge to compare clean copies vs. what’s on the server and replaced those files/folders, changed all passwords, changed the database password, updated/replaced themes/plugins), but still seem to be falling short somewhere. When I clear the cookies in my browser and pull up my website there is a blank space at the bottom of my site. When viewing the source code, this is at the bottom:
The code can be in a database (you might want to import it to .sql or .xml file and scan it all for suspicious code). You should also pay attention to new files (the ones that don’t exist in canonical copies) and compare everything again (there could be a reinfection).
Please post updates if you find the source of that code.
Update: I checked your site and see the following: Cached page generated by WP-Super-Cache on 2012-08-17 21:10:50 – which is about three days ago.
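The two checks recommended above (scan a database export for suspicious code, and list files on the server that a clean canonical copy does not have), as an added example that is not part of the original post or its comments. The pattern list, the sample SQL dump and the two directory trees are constructed assumptions for the demo.

```python
import re
import tempfile
from pathlib import Path

# Constructed patterns (an assumption, not the post's list): remote script
# includes, iframes, PHP obfuscation helpers, and the file name from the thread.
SUSPICIOUS = [re.compile(p, re.IGNORECASE) for p in (
    r"<script[^>]*src=[\"']https?://",
    r"<iframe[^>]*>",
    r"base64_decode\s*\(",
    r"eval\s*\(",
    r"rem2\.html",
)]

def new_files(canonical, server):
    """Relative paths of files in the server copy that the clean copy lacks."""
    canonical, server = Path(canonical), Path(server)
    clean = {p.relative_to(canonical) for p in canonical.rglob("*") if p.is_file()}
    return sorted(str(p.relative_to(server)) for p in server.rglob("*")
                  if p.is_file() and p.relative_to(server) not in clean)

def scan_dump(text):
    """Return (line number, matched pattern) for each suspicious line of a dump."""
    return [(n, pat.pattern) for n, line in enumerate(text.splitlines(), 1)
            for pat in SUSPICIOUS if pat.search(line)]

# Constructed sample export: one post row carries an injected hidden iframe.
SAMPLE_DUMP = """INSERT INTO wp_options VALUES (1,'siteurl','http://example.com');
INSERT INTO wp_options VALUES (2,'blogname','My Site');
INSERT INTO wp_posts VALUES (9,'<p>Hello</p><iframe src="http://example.invalid/rem2.html" width=0></iframe>');
"""

def build_demo_tree():
    """Constructed clean vs. server trees; the server copy has one extra file."""
    root = Path(tempfile.mkdtemp())
    for d in ("clean", "server"):
        (root / d / "wp-includes").mkdir(parents=True)
        (root / d / "wp-includes" / "functions.php").write_text("<?php // ok\n")
    (root / "server" / "wp-includes" / "rem2.html").write_text("<html></html>\n")
    return root / "clean", root / "server"

if __name__ == "__main__":
    clean, server = build_demo_tree()
    print("files not in the clean copy:", new_files(clean, server))
    for n, pat in scan_dump(SAMPLE_DUMP):
        print(f"dump line {n}: matches {pat}")
```

Run it against a real export and a real tree by replacing the constructed inputs; every hit still needs a manual look, since legitimate plugins also use eval() and iframes.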
UPDATE: This “rem2.html” malware seems to be set up server-side, as it has moved to all of my websites that I have not “cleaned”. I am successfully able to clean them (per your instructions above), but am looking into a server-side anti-malware scanner. Any suggestions?