I host a number of sites on a shared server at Media Temple. Recently I noticed that a lot of suspicious PHP files had been added as well as some PHP files disguised as favicon.ico files. I removed all the ones I could find, but the following day many had returned. Media Temple emailed me saying that the sites I’m hosting are infected and they suspended my account until the site had been cleaned.
I used unphp.net to decode some of the files but despite searching online for reports of similar compromises I was unable to find anything.
I changed all the passwords for the WordPress sites I host, deleted all unused themes and plugins, but problems continued.
I installed Sucuri Scanner WordPress plugin which was a great help in discovering changed / infected files.
I also added a custom malware code scanner php file (link), which was invaluable. However, the infected files kept returning. After some more research I added the following custom PHP.ini to the Global php.ini and finally the attacks stopped.
disable_functions =exec,passthru,shell_exec,system,proc_open,popen,curl_multi_exec,parse_ini_file,show_source allow_url_fopen Off allow_url_include Off session.use_trans_sid = off