-1

I'm having trouble with an infected WordPress website. At random the page is redirected to some shady advertisement. It's similar to the description here: https://blog.sucuri.net/2016/05/wordpress-redirect-hack-test0-default7.html

I've already written a .NET App that cleared over 4000 PHP-Files from malicious code. But the redirect is still there.

Next I tried to analyse the redirect via a Chrome-HTTP-Headers Extension. It seems the redirect is coming from an infected JavaScript. Problem is, I did not yet find the malicious JavaScript-Code and so cannot search for it. There're over 1000 JavaScripts in the Website, most of them are minified.

Question: How can I receive a list of JavaScripts that are loaded at initial HTTP-Get Request?

Answer can be in PHP, JS, Python - Answer can also exceed the question by showing how to find & remove such a malicious infection (Unwanted Redirect) of a WordPress website, e.g. with the help of free online services, a Chrome or Firefox extension or other Software.

Thanks.

EDIT: Of course I tried just a "WGET" of the root URL and looked into the saved file. But I couldn't find anything there; to me it seems the Malware only becomes active in a real browser.

Lee.D
  • 59

2 Answers

1

Found the answer here: https://stackoverflow.com/a/37148993/7679279

In Chrome Developer Tools, go to the Network Tab and use the "Preserve Log" option before loading the malicious site. This will keep the log even after the redirects.

From there try to narrow down to the cause, selectively turn off scripts e.g. by renaming their directory on the Linux Shell or via FTP. Took me 10 minutes to find it like that.

Lee.D
  • 59
0

It will be loaded by the root URL, but it may come via CSS as well as JS. I'd scan all my objects for base64_decode.
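An added example, not part of either answer: a Python sketch that lists, in load order, the scripts and stylesheets referenced by a saved copy of the root page and marks those served from another host. It only sees what the HTML references statically; anything a script injects at run time shows up only in the browser's Network log. The host names and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class ResourceLister(HTMLParser):
    """Collect scripts and stylesheets in document order."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.site_host = urlparse(base_url).hostname
        self.resources = []      # tuples of (kind, url or inline snippet, off_site)
        self._inline = None      # buffer while inside an inline <script>

    def _add(self, kind, ref):
        url = urljoin(self.base_url, ref)   # resolves relative and //host URLs
        off_site = urlparse(url).hostname != self.site_host
        self.resources.append((kind, url, off_site))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self._add("script", a["src"])
            else:
                self._inline = []
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            if a.get("href"):
                self._add("stylesheet", a["href"])

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip()
            self.resources.append(("inline-script", body[:60], False))
            self._inline = None

def list_resources(html, base_url):
    parser = ResourceLister(base_url)
    parser.feed(html)
    parser.close()
    return parser.resources

# Constructed sample standing in for the saved root page.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/wp-content/themes/demo/style.css">
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="//cdn.example.net/widget.min.js"></script>
<script>var a = 1;</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for kind, ref, off_site in list_resources(SAMPLE_HTML, "https://blog.example.com/"):
        print(f"{kind:14} {'OFF-SITE' if off_site else '':8} {ref}")
```

Each local URL in the output maps to a file under the web root that can be inspected or temporarily renamed while narrowing down the redirect.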