I am in a bit of an annoying situation. I inherited responsibility for a WordPress multisite once managed by other contractors, and that site has been infected with virus-dropping malware.
I am, however, in a black box. The site is hosted by yet another contractor and I can't get access to their server.
They did give me a DB dump, a copy of the entire WordPress install, and a copy of the quarantined virus, and I scanned it myself. When I scanned it, Avast and AVG found 3 BackDoor.shell with the object names "revslider\love.php", "revslider\arhy.php" and "revslider\xxx.php".
The thing is, though, the revslider plugin is not installed. I searched the entire WordPress install for "revslider", "revolution slider" and "revolution" and didn't find anything anywhere (I was looking in the themes too).
Why would Avast and AVG both tell me that revslider has something to do with it if it's not installed?
What else can I look for?
Notes - I should note that this site is in a VM on a shared host.
Also - I have read through http://codex.wordpress.org/FAQ_My_site_was_hacked and have searched for the usual suspects:
- “eval(base64_decode(…..”
- “edoced_46esab…”
- “getMama…”
- “115,99,114,105,112,116….”
- “document.write(‘
but didn't find much. I found something in this premium plugin, xyz-popup, but when I downloaded a fresh copy it was there too. (I am getting rid of that plugin anyway.)
I am also rebuilding the server with fresh copies of plugins and themes while I investigate this.
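
The searches described in the post, as an added example that is not part of the original post: a Python sketch that walks a local copy of the install and the DB dump, looks for the listed strings with tolerance for case and extra whitespace, and reports files named like the three objects from the scan. The function names, the extension list and the regexes are assumptions made for this example.

```python
import os
import re

# Strings listed in the post, loosened for case and stray whitespace.
# (constructed regexes; a hit is a lead to review, not a verdict)
PATTERNS = {
    "eval(base64_decode": re.compile(rb"eval\s*\(\s*base64_decode", re.I),
    "edoced_46esab": re.compile(rb"edoced_46esab", re.I),
    "getMama": re.compile(rb"getMama", re.I),
    # 115,99,114,105,112,116 are the character codes for "script"
    "115,99,114,105,112,116": re.compile(rb"115\s*,\s*99\s*,\s*114\s*,\s*105\s*,\s*112\s*,\s*116"),
    "document.write(": re.compile(rb"document\.write\s*\(", re.I),
    "revslider": re.compile(rb"revslider|revolution[ _-]?slider", re.I),
}
REPORTED_NAMES = {"love.php", "arhy.php", "xxx.php"}  # from the scan results
CODE_EXT = (".php", ".phtml", ".inc", ".js", ".htm", ".html")


def scan_tree(root):
    """Return sorted (relative_path, reason) findings for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.lower() in REPORTED_NAMES:
                findings.append((rel, "file name matches scanner report"))
            if "revslider" in rel.lower():
                findings.append((rel, "path mentions revslider"))
            if not name.lower().endswith(CODE_EXT):
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the walk
            findings += [(rel, "contains " + label)
                         for label, rx in PATTERNS.items() if rx.search(data)]
    return sorted(findings)


def scan_sql_dump(dump_path):
    """Return sorted labels of patterns found in a DB dump, read line by line."""
    hits = set()
    with open(dump_path, "rb") as fh:
        for line in fh:
            hits.update(l for l, rx in PATTERNS.items() if rx.search(line))
    return sorted(hits)
```

Run `scan_tree` on the extracted install and `scan_sql_dump` on the dump file; `document.write(` in particular will also match legitimate scripts, so each hit needs a manual look.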