Security firm Sucuri reports that obfuscated code had been injected into the configuration files of infected sites, where it works as a backdoor and allows the attacker to redirect visitors to other sites in an effort to defraud Google AdSense. The root cause of the infection is still unknown.
“These backdoors download additional shells and a Leaf PHP mailer script from a remote domain… and place them in files with random names in wp-includes, wp-admin and wp-content directories.” The malware appears to suspend the redirections when it detects an administrator is logged in.