Strange code added in all php files

Question

Please help me.

all of my WordPress sites has been added some strange code in all php files(core, theme, plugin..) I've spent a lot of time to delete it, but it keep coming back. I did not install anything insecure but I'm not sure because I'm working with a lot of people so really don't know what have happened?

The strange code looks

  "<?php $eqrqdvc = '.2`hA  x27pd%6<C   x27pd%6|6.7eu{66~67<&o! x24-    x24y7   x24-    x24*<!  x24-    x24gps)%j>1<%j=tj{fpg)% x24-    xssbz)#44ec:649#-!#:618d5f9#-!#f6c68    x24-    x24-tusqpt)%z-#:#*  ......"

all of my sites on the same server are in this trouble at the same time, do you think the cause maybe on sever or can possibly in one site?

Answer 1

It seems like virus, to remove this code from wordpress files could you:

• Update Wordpress core;
• If your Wp is already updated, run a new rewrite update;
• Update theme before saving css and edited parts;
• Be sure to set correctly chmod permission: take a look there https://codex.wordpress.org/Changing_File_Permissions

Answer 2

You have been hacked.

Although you are cleaning all these files, you have a security hole that can be exploited again and again.

The best thing you can do is to backup your database delete everything and then perform a clean install, with up-to-date plugins.

Of course you will need to change all passwords and monitor the site.

If you want to dig into the origin of the infection, I suggest to start looking into your log files. Paying special attention to the POST requests. If you have enough history you will probably find something interesting.