
falshiw on "wp-includes/query.php modified - hacked"


Sorry if I write this in the wrong section.

This is my first post and I'm only writing it because I spent 6 hours trying to find how the hell a site was hacked. Finally I found what was wrong and I want to share it.
I couldn't find any similar case anywhere (can't say I tried very hard).

The problem was that in the footer of every front-end page, there was a short script and an invisible link to onlineroulette-reviews.com
Code:

[hacked code removed - please do not post that here]

I tried disabling plugins and searching for some of the strings in the WordPress files, but with no results.
I couldn't find anything in the database either.

I noticed that removing wp_footer() from footer.php fixed the problem, but that wasn't good enough because there were some needed functions there.

One of the functions was "check_wp_load", which was very strange and I was unable to find what added it. Trying to remove it also didn't work.

Long story short, after several nerve-wracking hours, I found the problem.
Someone had added these lines at the beginning of query.php:

[hacked code removed - please do not post that here]

I don't have logs to find the hacker, nor do I know when that happened. I don't have the time to investigate. I just hope that if someone else has this problem, they will find this post and save themselves some time.

Sorry for bad English :)
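
An added example, not part of the original post: one way to find a modified core file such as wp-includes/query.php is to hash the live install against a clean copy of the same WordPress release. The function names, the `clean`/`live` directory layout and the sample files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

SUSPECT_NAME = b"check_wp_load"          # function name reported in the post
CORE_DIRS = ("wp-admin", "wp-includes")  # wp-content holds themes/plugins, not core

def build_manifest(clean_root):
    """Map relative path -> SHA-256 for every file in a clean copy of the release."""
    clean_root = Path(clean_root)
    return {f.relative_to(clean_root).as_posix(): hashlib.sha256(f.read_bytes()).hexdigest()
            for f in clean_root.rglob("*") if f.is_file()}

def audit_core(live_root, manifest):
    """Report core files that differ from, or are absent in, the clean manifest."""
    live_root = Path(live_root)
    report = {"modified": [], "missing": [], "unexpected": [], "suspect": []}
    for rel, digest in sorted(manifest.items()):
        f = live_root / rel
        if not f.is_file():
            report["missing"].append(rel)
        elif hashlib.sha256(f.read_bytes()).hexdigest() != digest:
            report["modified"].append(rel)
    for f in sorted(live_root.rglob("*.php")):
        rel = f.relative_to(live_root).as_posix()
        if rel.split("/")[0] in CORE_DIRS and rel not in manifest:
            report["unexpected"].append(rel)   # extra PHP file dropped into core
        if SUSPECT_NAME in f.read_bytes():
            report["suspect"].append(rel)      # string search as a second signal
    return report

def demo():
    """Constructed sample: a clean tree and a live tree with query.php altered."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        files = {"wp-includes/query.php": "<?php // core query code\n",
                 "wp-includes/post.php": "<?php // core post code\n",
                 "wp-admin/index.php": "<?php // dashboard\n"}
        for root in (clean, live):
            for rel, body in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(body)
        # Simulated tampering: a harmless placeholder line prepended to query.php
        (live / "wp-includes/query.php").write_text(
            "<?php function check_wp_load() {} // placeholder\n" + files["wp-includes/query.php"])
        (live / "wp-admin/index.php").unlink()
        (live / "wp-includes/extra.php").write_text("<?php // not in the release\n")
        return audit_core(live, build_manifest(clean))

if __name__ == "__main__":
    print(demo())
```

The hash comparison flags the file even when the injected lines are obfuscated and a string search finds nothing.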

