I was hoping someone can help me with more info. I have several subdomain websites on my hosting account. As of 2 months ago, when I go to one of my website domains, my Norton Anti-Virus instantly sends me a message telling me that it blocked a "Web Attack: Malicious Toolkit Website 9". The attacking computer name is usually different, but the alert has been the same.
I was looking at my PHP websites (including WordPress sites) and noticed several PHP files were changed on the same date/time (on a day I never accessed my account). The changed file names on all of my PHP sites were the same (such as "index.php", and that file name could be in multiple folders). When I reviewed the files, it appears that a new line of code was injected at the very end of the PHP file (such as after the "/html" tag). I added the code from one file down below.
I changed all my passwords and deleted the line of injected code from all the changed PHP files last week. About 2 days ago, the code appeared again at the end of the same PHP files.
Does anyone know how this is happening? Is there anything I can do to prevent code from being injected? I looked at the FTP log for this month, and the only IPs that show up belong to me. I'm not sure how multiple sites on my account seem to have this code injected all at the same time, all in the same file names.
Any help would be appreciated since I am not an expert with this. My message is too long, so I will post the long line of code under this message.