I have found in one of my Wordpress websites source code hidden php code. This is what I am looking for. I see it in the view source view, but I cannot find it in the wordpress theme files. Where could it be located?
<div style="position: absolute; top: -1236px; overflow: auto; width:1241px;"><span>Designed by </span> <h3><a href="http://bestdownfree.com/">best down free</a> | <a href="http://webphunuso.com/">web phu nu so</a> | <a href="http://webphunuso.com/category/lam-dep/kieu-toc-dep/">toc dep 2017</a></h3></div><p class="demo_store"><b>FREE GIFT WITH ANY INK OR TONER CARTRIDGE PURCHASE! HAPPY PRINTING FROM SOS INK</b></p> <script type="text/javascript">
These ads usually added by some PHP Code by a Hacked/Illegal Plugin or Theme.
In this case an useful way to find it, is to scan your project for 'base64_decode(' string, because these ads commonly come from a decoded string to be unfindable by searcing for it's content.
Your project will likely contain something like this:
$html ="PGRpdiBzdHlsZT0icG9zaXRpb246IGFic29sdXRlOyB0b3A6IC0xMjM2cHg7IG92ZXJmbG93OiBhdXRvOyB3aWR0aDoxMjQxcHg7Ij48c3Bhbj5EZXNpZ25lZCBieSA8L3NwYW4+IDxoMz48YSBocmVmPSJodHRwOi8vYmVzdGRvd25mcmVlLmNvbS8iPmJlc3QgZG93biBmcmVlPC9hPiB8IDxhIGhyZWY9Imh0dHA6Ly93ZWJwaHVudXNvLmNvbS8iPndlYiBwaHUgbnUgc288L2E+IHwgPGEgaHJlZj0iaHR0cDovL3dlYnBodW51c28uY29tL2NhdGVnb3J5L2xhbS1kZXAva2lldS10b2MtZGVwLyI+dG9jIGRlcCAyMDE3PC9hPjwvaDM+PC9kaXY+PHAgY2xhc3M9ImRlbW9fc3RvcmUiPjxiPkZSRUUgR0lGVCBXSVRIIEFOWSBJTksgT1IgVE9ORVIgQ0FSVFJJREdFIFBVUkNIQVNFISBIQVBQWSBQUklOVElORyBGUk9NIFNPUyBJTks8L2I+PC9wPg==";
echo base64_decode($html);
After you found these malicious lines, you can remove them. But don't forget, base64_decode doesn't do anything wrong by itself, so dont remove all these functions. If you put the content of the string to an online Base64 Decoder, you can check it's real content, and remove it if it's something bad.
Other info: By Switcing of Plugins / Themes you can also find out which one does it (check when it's gone), and after that you don't need to scan your whole project, just these plugins/themes files.
There are many other ways to do this inject, so it's not a guaranteed method. Look update for finding other types of malware.
Update:
The following program can come very handy at finding infected files, it can have some false positive results too (says malware to a normal file), but at least it founds the malwares.
Link: PHP MALWARE SCANNER