My issue turned out to be a whole stack of false PNG files in the Upload area that contained @eval statements. When I cleaned out wp-tmp.php and functions.php from my template the @eval statements were allowing script injection. If you can’t get your website clean using this plugin then delete all of the file types from the filter so that it can see into PNG, JPG, etc files. I haven’t found the initial entry point yet but I’m assuming it was a plugin.
GOTMLS identified wp-tmp as a problem containing an ad injection script and offered a fix. However, it did not identify one of the underlying issues that kept rewriting wp-tmp.php which was in the template functions.php; I’ve included the code at the end of this entry.
I removed that from functions.php but it seems as though there is other code somewhere that I have yet to locate that is rewriting that functions.php code.
If anyone has run across this before I’d love to hear from you.
-
This topic was modified 6 years, 11 months ago by
Anti-Malware Admin. Reason: Malicious code removed