How to find an alleged malicious script in WordPress site

Dbast
Dbast used Ask the Experts™
on
A visitor to my Web site at https://giving.heartland.org/ says "Kaspersky advised me it had blocked a malicious URL, and I thought I'd check your source to see if it was your site. Turns out it was, at the very bottom of your source code you have some malicious code executing an iframe to a malicious site via JavaScript."

A quick virus scan of the page online suggested he might be right. How in the world do I go into the WordPress code to find this and get rid of it?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Don't talk to me.
Commented:
Interestingly, Sucuri disagrees and I can see the encrypted javascript in the source code.

http://sitecheck.sucuri.net/results/https://giving.heartland.org/

which is weird because it is usually pretty good about finding this stuff.  

First of all, if you are caching the pages via a plugin, disable it and delete the cache.  Then:

1) You need to go through your theme and plugin files and search instances where the <script> tag is being called and then see what's in it.  Look for blocks of encrypted code.

2) Do the same thing for all content entries in the wp-posts table of your database

If those steps turn up nothing, then you need to start worrying about a compromised web server where a script is running and injecting the code into the pages as they are being served.  It's also possible that if you were serving up a cached version of the site that the cache files were attacked and modified via a server compromise.

Author

Commented:
This is EXACTLY what I was hoping for, thank you very much for great response and fast!
Jason C. LevineDon't talk to me.

Commented:
You're welcome :)

Another fast thing to check is to look at the file modification dates on the themes and plugins.  If the attack happened recently, one of the files will stand out with a recent modification date and that should be a pretty good indicator...

Author

Commented:
That's a very good point, thanks again.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial