My Websites hosted on different servers being hacked again and again with same base64 malware codes. When I decoded the base64 code I got the link to mbrowserstats.com/statH/stat.php.
Please note: My websites with core php and also wordpress are being hacked. They are placing base64 malware codes in following files - index.php, main.php, footer.php, template files of wordpress (index.php, main.php, footer.php), index.php files in wp-admin, plugins, themes folders etc.
I have already tried below things but all websites are being hacked again and again.
Changed all ftp passwords
Changed ftp client fileZilla to winSCP
Removed all malware codes and re-upload all files to server
Uploaded old backup files without malware codes
Disabled magic_quotes_gpc, register_globals, also exec & shell_exec functions
Used index files to prevent direct folder access
Used mysql_real_escape_string function to sanitize data for insert queries in php websites
Updated WordPress and also all Plugins to latest version
Installed malwarebytes anti-malware and scanned my computer for malwares (Full Scan)
Confirmed that my websites are not using timthumb.php file
Changed file permissions (755 for folders & 644 for files). Now only image upload folders have 777 permission.
When I checked the websites' visitor details I found some IPs like 150.70.172.111 / 150.70.172.202, Hostname:150-70-172-111.trendmicro.com, Country - Japan. They accessed websites in close times to the time that of modified files (malware injected files).
Additional Information: I'm using Trend Micro antivirus from last 1 year. I'm wondering that the IPs with hostname 'trendmicro.com' have any relation with hacking or in stealing my ftp passwords.
I suspect that they are using ftp access to insert malware codes. Also the time between file modifications is very low. They have updated all files within seconds. So I think they are using a program for that. Manually they cannot edit all files within seconds as I have so many files in different folders of same website.
Please help me to resolve this issue. I have tried many things but it happens again. Thanks