Thanks James,

I’ve done pretty much most of that already. None of these folders seem to appear anymore, only index.php and htaccess.

One domain I have purged the entire website, it has nothing but an index.html file, yet still getting hacked, so am I right to think that means it can’t be wordpress that was hacked?

Yes, I have installed Wordfence and Anti-Malware Security and Brute-Force Firewall by Eli Scheetz. Both scans say the sites are clean after I replace index.php and htaccess with the original files. Also scanned with securi site check, it says all clean, but a few hours later, index.php and htaccess get overwritten.

The htaccess file doesn’t contain any bad code, but index.php does.

I even went to the extreme of copying my entire root folder into one of my sites and called it aa, then ran scans on that site and it came up clean.

Ok, so new host it is then. Thanks for your help. Much appreciated 🙂

Thanks Logan,
I hope I didn’t sound like I had any problem about Sitelock, of course I don’t at all. It was really just the casual way my host provider said to me “So it’ll be $299 for each website, I can bill it to the card you have on file, would you like me to do that for you now?”

I’m gonna move to a new host for now, because I have a feeling this was not an attack on wordpress. If there is a bot in my root folder, surely all my sites should be vulnerable, but only those 2 are being attacked.

I have since found bunch of tables in one of the databases with wdsrj_ prefix. No idea what they are, or how they got there, so I dropped them. So far, no attack for a few hours.

Thank you all so much for your help and advice here.

Ah yes, but these tables were actually in addition to WP tables, all those with wp_ prefix are there aswell.
These wdsrj_ tables looked like they were for some other script, they had a completely different structure to the WP tables. There were a lot of them, like 2 websites running off the same database. After dropping them, the website continues to work as it should.
Over 4 hours now since the last hack, it normally happens after about an hour or so.

Fingers crossed, hopefully the culprit was in there somewhere. I guess I’ll know for sure by morning.

I don’t know if its linux to be honest. Its a shared server with Cpanel.
I tried a search there in file manager, but I think that only searches for file names, not strings inside files.
I have a backup of the db before I dropped those tables. I’ll open it up local and see if I find anything in there.

There was a folder of files as listed in the OP, but after removing them, they never returned. They were dumped in the site root folders.

Just a quick update. I may have found the culprit, or rather AVG found it after a scan on my laptop. It found 2 files in one of my WP backups in themes/bbtheme/classes:
dm2.php and radio.php
I did a search on my server and that site has an outdated beaver builder theme and these 2 files were present in that location. They shouldn’t be there. Updated the theme and now they’re gone.
Also, my admin password for that site had been changed, so I changed it in phpmyadmin, updated everything and ran a scan. It’s all clean now.

I guess I’ll just wait & see now..