wp-includes/nav-menu.php

I took a quick look at the site, and I see the header and navigation menu — you might have been seeing a cached version of the page earlier. After major changes or repairs, you might just need to clear the cache, or temporarily turn off your caching plugin.

Normally repairing the file with Wordfence should fix the issue (since it was a WordPress core file), unless there were other problems as well. If that file was hacked, make sure to update WordPress and all plugins and themes, even if they are not enabled.

Can you confirm that the site is working now?

I got it back working, but I found out that my geader.php keeps getting infected with a javascript code: 1aqapkrv
Which redirects my site to SPAM..
Don’t know how to permanently get rid of it..

The source of the hack is a hacker Shell script by SyRiAn Sh3ll V8. They are using a variant of the original js injected script that was first publicly known around 5-2015.

Google cached Screenshot of the SyRiAn Sh3ll V8 Shell. The site that was hacked in this google cache is no longer hacked anymore/has been cleaned up.
https://webcache.googleusercontent.com/search?q=cache:1AXii2ev2tcJ:stjohnshobart.org/%3Fid%3DscriptsHack+&cd=1&hl=en&ct=clnk&gl=us

Technically the orginal js injection code dates back to early 2013, but a signifcant gen mutation was made around 5-2015 so the birthdate of that gm would be around 5-2015

Actually it looks like this particular js injection script is pretty popular for hackers these days. I see evidence that it is being used in at least 10 different hacker Shell scripts.

thanks for the info! But do you know how to get rid of it?

Yep, it takes some elbow grease, but here you go: https://forum.ait-pro.com/forums/topic/wordpress-hacked-wordpress-hack-cleanup-wordpress-hack-repair/

this is a nightmare. I thought if I will update all my WP’s and all plugins + install wordfence+sucuri security, everything will be fine. Today I checked for any changes in my nav-menu.php files by shell:
find . -name 'nav-menu.php' -size +33k -a -size -40k (original nav-menu.php has about 31k and the modified is arround 36k)
morning: 0 files
now: 25 files :/

i have about 50 WordPress sites on my hosting. I’m worried that if I would install one fresh installation, the worm would spread anyway.

Loosing hope ??

EDIT:
I found this article:
https://securityaffairs.co/wordpress/35431/cyber-crime/revslider-plugin-vulnerable.html
Acutally two sites had something to do with the revolution slider. This might be a clue

@iheartwine – Unfortunately, you have to assume the worst when you have confirmed that at least 1 of your sites has been hacked using a hacker Shell. A hacker Shell is basically like a web host control panel that can control all of your websites under your entire hosting account. Just reinstalling/updating things is not going to fix this. See the link I posted above for more info. You need to take all your sites offline, make backups of everything, delete everything, reinstall new sites, restore your DB content: Posts and Pages. Yes, unfortunately it will be a time consuming task.