Another website got hacked and the owner noticed weird chinese characters in search results for his website.
The index.php file contained the following code:
Initially, the point of entry for this malicious code was a plugin named Three Column Screen Layout that has a vulnerability which as many other WordPress users report is being actively exploited in the wild.
The POST request that injected this code was uploaded via an AWS IP.
The Three Column Screen Layout WordPress plugin was installed several times under random names:
After cleaning up the website we requested a review from Google via search console to remove the Dangerous site ahead warning.