Recent Hack

I work for a charity and look after our website built on Drupal 7. I missed the recent March alert and didn’t update in time, and about 3 weeks ago we were hacked. Some (not all) users get redirected to a malware site.

Sadly our daily backups are only stored for a week (I didn’t realise the host only stored a week) so I didn’t have a clean backup to go back to. Lesson to myself is to download them to my PC on a regular basis.

I went through the site and removed multiple index.php files and another file that I did not recognise, and thought I had cleaned it all up and updated, but what happens is they must have a backdoor, because each night the index.php files are put back. I now have a clean backup which I restore each morning, and the website is fine until midnight-ish when the backdoor is used.

I can’t find the backdoor. I have done a fresh install of Drupal (7.5.9) and all module files, and I have used a very old theme backup which should be clean, but they still get back in. I am the only user on the website, and the passwords for that account, database, FTP and even server have all been changed.

So I can only assume the backdoor is in the database? Is that likely to be the case or could it still be a file I am missing? If the database, I know how to use phpMyAdmin and run SQL commands, but I am not technical enough to know how to find a recent database change or where the issue may be. Does anybody have any advice to clean up the existing site?

We were already building a new website and rewriting all text as it goes on a new server, so we can wipe everything and start again but that is still 2/3 weeks down the line. So I just need to do what I can to keep our existing site up for another couple of weeks.

Any helpful suggestions would be very much welcomed. Thank you.



Source: https://www.drupal.org/taxonomy/term/22/feed