Recently all our wordpress sites have being injected with js code in wp-content and wp-includes , to fix the issue you have to download all js files in these directories and search for the code in the end of the js files its a variable with hex like code
var _0x80d0=["\x64\x67\x6C\x6C\x68\x67\x75\x6B","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x6C\x6F\x63\x61\x74\x69\x6F...................
replace it and you are done , also change these old passwords just in case ;)
P.S This is temporary and doesn't clean the infection , after a while it gets infected again
working on it
P.S Update
so far another infected file most probably to be part of the problem is wp-config edited with around 1500 empty lines with added REQUEST [3ioi23hri34ri34jrf34jibf] whatever and with 444 permissions , make sure you erase the code after wp-settings.php; that you haven't edited yourself and fix the permissions
Also just downloaded and scaned localy one of my websites the infected js files are in these dirs.
- wp-admin/js
- plugins
- themes
- wp-includes/js
Update
Couple of hours after fixing the wp-config file and all js files so far the websites remain clean although Google safe browsing still shows the red screen
http://sucuri.net/ check shows that finally all of our websites are clean and save.
Hopefully it will stay that way. Apparently this fix works :
first fixing wp-config -> permissions and additional code after wp-settings.
second removing the
(variable name could be different ) var _0x80d0=
"\x64\x67\x6C\x6C\x68\x67\x75\x6B","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x6C\x6F\x63\x61\x74\x69\x6F...................
in my case around 200 to 300 files per website have being modified.
!for every website the code in the js files was with different variable name.