After spending 11 hours yesterday I managed to come right.
Thank you t-p for all the help.
I did the following:
- Located the files that it referenced in the index.php and removed them.
- Removed the wp-admin’s and wp-include’s folder. Replaced these folders with the ones from a WordPress download of the same version.
- Replaced all the files in the parent folder except the wp-config file.
- Went through the wp-config file and removed malicious code.
- Manually went through the wp-content’s folder which has a total of 22506 folders in it that I had to go through. My eyes were not happy about this one :). However I found more code that wasn’t meant to be there and they were strings in reverse. They did reference a wpsdth4_license_key in the options table in the database.
- I went through the database to remove the wpsdth4_license key from the database and went through the complete wp_post’s and wp_options table to remove anything that was suspicious.
- There was also hidden files containing malicious code in the servers home tmp folder this is before the public_html folder
- Deleted all WordPress cache manually.
- Changed the Database password and did the same changes in the wp-config file.
- Changed the ftp passwords
- Changed the user passwords.
- Changed all the Authentication unique keys and salts
- Then I made sure no suspicious cronjobs
This was an extremely tedious and took a lot of strain on the eyes as it took a total of 11 hours to complete due to the amount of data I had to go through. However all seems to be secure and sorted now.
Thanks again
