Thanks Esmi
Did the usual security things. But still no result.
So I am planning to backup everything and re-installing the WordPress again. If there is any other suggestions, let me know.
Thanks
Change your theme and deactivate all plugins.
This is due to an outdated version of timthumb.php on your server. You should update this file to the latest version, or use a theme that does not include the file.
I have been troubleshooting several sites that have been hit with this attack. I notice 2 major hacks going around over the past few days. Once you have updated your theme and removed timthumb (or updated it), here is some info on how to help clean up your site.
If you have already been hit, then the first thing you should do is open wp-config.php and look for any suspicious code. Generally, you should delete everything after:
require_once(ABSPATH . ‘wp-settings.php’);
Check for suspicious whitespace as well. In one of the attacks, hundreds of lines of white space is been added to try and mask the malicious code.
Next open index.php and delete everything between:
require(‘./wp-blog-header.php’);
…
?>
After that I would re-install WordPress from within the WordPress Dashboard via the Updates tab to clean up the infected .js files. When you have done that I would probably run Clam-AV if you have it installed, as well as http://sitecheck.sucuri.net/scanner/. Clam will help pick up any suspicious code that has been obfuscated in base64.
Finally, be sure to change your MySQL passwords and wp-admin passwords just in case. It’s also worth mentioning that the timthumb vulnerability affects inactive themes as well. This script is very popular throughout the theme community. I would delete all of your inactive themes just to make sure you don’t have any timthumb.php files laying around.
