Nevermind

Members
  • Posts

    29
  • Joined

  • Last visited

  • Days Won

    1

Nevermind last won the day on July 22 2022

Nevermind had the most liked content!

About Nevermind

  • Rank
    Newbie

Profile Information

  • Location
    Austria

Recent Profile Visitors

334 profile views
  1. On an unrelated note - you allow your (company) users to install any unverified browser extension, be it a simple game, a pseudo-useful tool, a credential-harvesting extension or straight malware. The Google store is far from a trustworthy source. If I were you I would block this possibility for all company PCs, especially knowing there is a CN "neighbor" nearby.
  2. The main page ilsau[.]com.au has this in it: <_script type='text/javascript' src='hxxps://ilsau[.]com.au/wp-content/themes/ils2020/assets/js/app.js?ver=2.1.0' id='il2020-app-js-js'></script> The loaded app.js contains a line with an 'atob' function that loads another/unwanted JS from a remote server. That's all we can see from a visitor's point of view. Until you (or a specialized company) clean the server, the detection will always trigger.
  3. Because you do not have control over the logic of who gets the infected content and who does not. The attacker has. And often, if the (malicious) script finds out you are logged in to WordPress as admin, you get to see only the clean version. But there are more tactics, like how many times you visited the page, how much time elapsed since your previous visit, whether your IP is on some kind of blacklist, etc.
  4. Well, you can start with telling us what the detected URL is.
  5. The malicious file is gone, but it's a half-solution since the file is still being referenced by all of the websites on that domain. Lucky for you, it is enough to avoid detection.
  6. A script that tries every IP on some subnet one after another and waits to see which IP "catches". E.g.
  7. You got a reply from an ESET malware engineer and you are asking here on a public forum whether he is right... do I understand it correctly?
  8. The only reputable AV detecting this is Sophos, and even it says it's just a PUA. You probably cannot see it since you do not have a VT account, but this file was first scanned in 2020 and has been submitted to VT over 200 times since then. Stay calm.
  9. Look for 'Ly9yZWd0ZWNoLnNicw' in the source code of the main page. You will find the malicious part.
  10. There was malware nearly 2 months ago. The server has either been cleaned or the malware guys took a break. Either way, no reason to block it, for now.
  11. There is nothing on that domain except for an empty WordPress project. Yet it has already been hacked. How do you do that? Your main domain has been unblocked. For now. If there are more phishy subdomains later on, it will be blocked again.
  12. Hey Markwd, that's a network detection only (i.e. it's neither a file nor a memory detection). The way I see it, someone is trying whether your server is vulnerable to this exploit. If you have logging enabled you can check if there are any requests similar to this: hxxp://<your_server>/cgi-bin/.%2e/%2e%2e/%2e%2e.... (src: https://github.com/thehackersbrain/CVE-2021-41773/blob/main/exploit.py) ESET doesn't check whether you are actually running vulnerable software or not. It sees an exploit attempt -> it displays a detection window.