All the WordPress sites I have hosted on the same box are generating an extra body tag when viewed in-browser. Viewing source shows that it should only have the one body tag but then when I actually view the page it has two.
It appears to be happening on almost all the sites I currently have hosted, and one of the few sites it wasn’t happening to that was fine this morning, has also changed to have the same issue. I’ve tried viewing it in multiple browsers and the same issue is seen. Also occurs regardless of whether I’m logged into admin or not. Happens on both the main site as well as the admin backend.
What I’m currently seeing:
<script src="/google_analytics_auto.js"></script></head>
<body class=" customize-support"><body>
<div id="wrapper" style="opacity: 1;">
<div id="header">
What I see when viewing-source:
<script src='/google_analytics_auto.js'></script></head>
<body>
<div id="wrapper">
<div id="header">
If you Inspect Element on http://michaeldebevec.com/ and then view-source you will be able to see this happening. If you view http://michaeldebevec.com/wp-admin/ you can see the change of layout this is causing compared to what the default WordPress login looks like.
So it’s caused by some sort of code injection that has happened to the files. The solution was to download locally all the files off the server and run a search looking for the following string that was found at the end of the injection:
I found it had infected all my header, config, index and functions files. After locating all the infected files you go through and erase the injected code and re-save. Upload the new files back to the server and as far as I’m aware that solves it.