My WordPress site was hacked with site redirect malware. I have completely wiped WordPress and the database from the site and installed a fresh copy of WordPress. Several different scans report that the site is clean.
Before I started to restore my content, I poked around to make sure it was clean. All was well until I accessed the site from a browser that blocks cookies. When I clicked anywhere on the site, I got a redirect to a baidu spam link.
I then checked out the site code, and I found out why:
This code checks for a specific cookie. If it is not there, it sets up a click event listener that opens a new window with a baidu spam link.
I've gone through every single file that I have access to on my server. There is no code that matches. I also checked for blocks of base64 encoded stuff and as near as I can tell, there is also no block of hashed code that could render into. With a completely clean install, this tells me that the hack may have infected a script or an install on my Linux host that I'm not able to see.