How to trace which JavaScripts are being loaded (Malware in WordPress)

-1

I'm having trouble with an infected WordPress website. At random the page is redirected to some shady advertisement. It's similar to the description here: https://blog.sucuri.net/2016/05/wordpress-redirect-hack-test0-default7.html

I've already written a .NET App that cleared over 4000 PHP-Files from malicious code. But the redirect is still there.

Next I tried to analyse the redirect via a Chrome-HTTP-Headers Extension. It seems the redirect is coming from an infected JavaScript. Problem is, I did not yet find the malicious JavaScript-Code and so cannot search for it. There're over 1000 JavaScripts in the Website, most of them are minified.

Question: How can I receive a list of JavaScripts that are loaded at initial HTTP-Get Request?

Answer can be in PHP, JS, Python - Answer can also exceed the question by showing how to find & remove such a malicious infection (Unwanted Redirect) of a WordPress website, e.g. with the help of free online services, a Chrome or Firefox extension or other software.

Thanks.

EDIT: Of course I tried just a "WGET" of the root URL and looked into the saved file. But I couldn't find anything there; to me it seems the Malware only becomes active in a real browser.

Lee.D

Posted 2018-01-10T12:00:53.763

Reputation: 49

Why is this being downvoted again? Whatever I'm asking here, no matter the question, the amount of information I provide, always somebody is severely unhappy with my question. Why? Cause I ask more complex questions than "What is 1+1"? – Lee.D – 2018-01-10T13:05:42.373

Maybe someone assumed that it is a WP site that you are hosting. In that case the question is not very relevant, because the only solution then is: wipe and install your site software from scratch, and put the data back in from a backup. – Jan Doggen – 2018-01-11T09:35:55.990

Why would that be the only solution? Finding and erasing the Malware could also be the solution, right? – Lee.D – 2018-01-15T16:59:26.823

No, it is not. Once compromised, all bets are off. You never know what else has been planted on your system. Read this for a more elaborate answer. – Jan Doggen – 2018-01-16T19:53:36.643

Answers

0

Found the answer here: https://stackoverflow.com/a/37148993/7679279

In Chrome Developer Tools, go to the Network Tab and use the "Preserve Log" option before loading the malicious site. This will keep the log even after the redirects.

From there, try to narrow down the cause: selectively turn off scripts, e.g. by renaming their directory on the Linux shell or via FTP. It took me 10 minutes to find it like that.

Lee.D

Posted 2018-01-10T12:00:53.763

Reputation: 49
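
The Network-tab log from the answer above can also be exported as a HAR file and analysed offline, which helps when there are too many requests to read by eye. The following is an added example, not part of the original answer: it lists the scripts that loaded before the first off-site HTML document appeared. The sample HAR, the host names and the function names are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed sample data: a trimmed HAR with placeholder hosts
# (example.com stands in for the site under investigation).
def _entry(url, mime, status=200):
    return {"request": {"method": "GET", "url": url},
            "response": {"status": status, "content": {"mimeType": mime}}}

SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    _entry("https://example.com/", "text/html"),
    _entry("https://example.com/wp-includes/js/jquery/jquery.js", "application/javascript"),
    _entry("https://example.com/wp-content/plugins/slider/js/slider.min.js", "application/javascript"),
    _entry("https://example.com/wp-content/themes/site/style.css", "text/css"),
    _entry("https://cdn.example.net/track.js?x=1", "text/javascript"),
    _entry("https://ads.example.org/landing", "text/html"),
    _entry("https://ads.example.org/app.js", "application/javascript"),
]}})

def is_script(entry):
    """True if the response looks like JavaScript by MIME type or file extension."""
    mime = entry["response"]["content"].get("mimeType", "").lower()
    path = urlparse(entry["request"]["url"]).path.lower()
    return "javascript" in mime or "ecmascript" in mime or path.endswith(".js")

def off_site(url, site_host):
    """True if the URL's host is neither site_host nor one of its subdomains."""
    host = (urlparse(url).hostname or "").lower()
    return host != site_host and not host.endswith("." + site_host)

def scripts_before_redirect(har_text, site_host):
    """Return (scripts, landing): script URLs requested before the first off-site
    HTML document, and that document's URL (None if no redirect was captured)."""
    scripts, landing = [], None
    # HAR entries are kept in the order the file lists them (request order).
    for entry in json.loads(har_text)["log"]["entries"]:
        url = entry["request"]["url"]
        mime = entry["response"]["content"].get("mimeType", "").lower()
        # Note: an off-site iframe is also an HTML document, so check the landing URL.
        if mime.startswith("text/html") and off_site(url, site_host):
            landing = url
            break
        if is_script(entry):
            scripts.append(url)
    return scripts, landing

if __name__ == "__main__":
    scripts, landing = scripts_before_redirect(SAMPLE_HAR, "example.com")
    print("redirect landed on:", landing)
    for u in scripts:
        print("OFF-SITE" if off_site(u, "example.com") else "local   ", u)
```

The scripts closest to the end of the list, and any marked off-site, are the first candidates to disable when narrowing down as described above.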

0

It will be loaded by the root URL, but it may come via CSS as well as JS. I'd scan all my objects for base64_decode.

Gerard H. Pille

Posted 2018-01-10T12:00:53.763

Reputation: 542