Yeah this infection is a real pain 🙁
I suspect any or all of the following is the case:
1) There is a backdoor that you are missing somewhere that is allowing access
2) Your site is getting infected from the other sites around it due to shared hosting
3) Your website credentials have been compromised and must be changed (ftp, database, cms, hosting, etc)
What I would suggest is that once your site is clear (or you think it is, at least) make a backup of the clean files so that if it happens again it’s not going to be another marathon clean up job and you can just transfer the clean copy back (to expediate clean-up job you can also use the ‘sed’ command to delete specific strings recursively, but careful with that since using this command incorrectly could break/delete legit content)
Try addressing 1-3 above, start by changing all your passwords once your site is clean again.
As for the backdoors, look for any files that do not belong:
http://blog.sucuri.net/2012/11/website-malware-removal-ftp-tips-tricks.html
I recently cleaned this off of a client’s web server…what a mess. The client had a ton of old unused files and folders from previous versions of their website (prior to using WordPress), so I archived and removed all of those. They also had three active WordPress sites on the server (one in the root directory, two in subdirectories), so I painstakingly went through all remaining files and folders removing the injected PHP from every file named index.php, functions.php, header.php, config.php and wp-config.php.
It is important to note that this script hit EVERY file on the server with those file names, even in unused plugins and themes. There were files in subfolders of wp-includes and wp-admin, as well as in places you wouldn’t expect deep within plugin directories.
I also deleted hidden files called .. that would be generated in the root directory of each WordPress install any time the corrupt PHP was executed (in this case, when the mobile version of the site was loaded).
There were other suspicious files as well, with filenames that were just a random series of letters and numbers, or that contained the phrase googlebot followed by a series of IP addresses.
The behavior of this hack on the iPhone was such that, when the site was loaded in the browser it would start hitting a series of redirects and launch the App Store so you couldn’t close it out right away. Then, when you go back to the browser, it continues until it ends on a porn site.
I suspect this malware was designed to generate tons of web traffic and make someone rich rather than to steal data, but who knows. It didn’t seem to affect the DB, but as a precaution I changed the DB user credentials for all of the sites.
