fullbrainfilms

I have the same issue described by @paulhanaki. I have 66 WordPress sites and 3 of them were altered on December 1, 2014. (I teach an intro to WP class and every student has 3 sites they work with each, which is why I have so many.)

I assumed this code was introduced by a security breach in either a plugin or through the MOJO Marketplace install which I just noticed leaves files in the site root.

All of the sites have a common username (admin), but they each have different and unusual passwords from each other.

All of these sites have only the following plugins in common:
Akismet
Contact Form 7
Duplicator
Google Analytics (Yoast)
NextGEN Gallery
W3 Total Cache
WooCommerce
WordPress SEO (Yoast)

They were all installed from a Duplicator backup of the original MOJO Marketplace installation of one of the sites (and that original site has not been hacked at this point). I do not have nor use the MOJO marketplace plugin, however, there is the issue of those MOJO files sitting on site root.

And similarly, the harmful code in functions.php creates a link to a different real site that appears in the header of the student sites. Oddly, the code creates a different link for each one of the infected sites and those links link to an existing site that previously had malware on it, but has since been cleaned.

Although I remove these sites at the end of the month, completely deleting their databases and all related files from my server, I’m concerned that students who made backup of these sites may be exposed to a hacking later if they restore them on their own servers.

If I run across any other useful information, I’ll pass it along here.