Hi, my ESET discovers scrinject.b trojan in the file hxxp://descartes.if.uj.edu.pl/descartes-pl-r.html, could you possibly check why?

Thanks


The detection is correct. You use StatCounter for analytical purposes; however, their website was hacked and instead of a legitimate analytical script counter.js it now serves JS/CoinMiner.BS.

You should temporarily remove the code related to StatCounter until they fix the breach and replace the script with a clean one.
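
An added example, not part of the original thread or anyone's post: one way to inventory which pages load a script from the affected vendor, so the snippet can be pulled temporarily as advised above. The vendor domain `statcounter.com`, the function names and the sample page are assumptions constructed for the illustration.

```python
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample page (not from the thread); only its line 5 loads a vendor script.
SAMPLE_PAGE = """<html><head>
<script src="js/site.js"></script>
<script src="https://notstatcounter.com/x.js"></script>
</head><body>
<script type="text/javascript"
  src="//www.statcounter.com/counter/counter.js" async></script>
<script src="https://statcounter.com.cdn.example/counter.js"></script>
</body></html>"""

class _ScriptSrcCollector(HTMLParser):
    """Records (line, src) for every external <script> tag."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.found.append((self.getpos()[0], src.strip()))

def vendor_scripts(html, vendor_domain):
    """Return [(line, src)] for scripts served by vendor_domain or a subdomain."""
    collector = _ScriptSrcCollector()
    collector.feed(html)
    collector.close()
    vendor = vendor_domain.lower().rstrip(".")
    hits = []
    for line, src in collector.found:
        # urlparse handles protocol-relative URLs; relative paths have no host.
        try:
            host = urlparse(src).hostname or ""
        except ValueError:  # malformed URL in the markup
            continue
        # Match on a label boundary so look-alike hosts are not reported.
        if host == vendor or host.endswith("." + vendor):
            hits.append((line, src))
    return hits

def scan_tree(root, vendor_domain, suffixes=(".html", ".htm", ".php")):
    """Map each page under root to its vendor script tags; clean pages are omitted."""
    pages = (p for p in sorted(Path(root).rglob("*"))
             if p.is_file() and p.suffix.lower() in suffixes)
    report = {str(p): vendor_scripts(p.read_text(errors="replace"), vendor_domain) for p in pages}
    return {page: hits for page, hits in report.items() if hits}
```
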


I have just spoken to Statcounter, and they are blatantly denying all knowledge of this hack. Every website I own, which is a lot, that has the Statcounter code on is showing the error on the attached image:

 

statcounter-issue.png


Hi I am Rory with the Statcounter team.  We are investigating this issue right now. 

I have installed the Eset security program and visited sites with Statcounter where people say we are injecting bad scripts.  I see no warnings or errors from the Eset program.  I have also used Google Safebrowsing tool to scan these sites and it reports no problems.  I have tried other sites which scan for malware and they also report no problems.

I have a special test page which only loads Statcounter.  On this page Eset also gives no error or warning and when I check the network traffic there is nothing being loaded except Statcounter.

If Statcounter was hacked and inserting bad scripts I should see it on my end also since I have Eset installed.  But this is not the case.  So this clue tells us perhaps something else is going on.

Kind regards,
Rory
Statcounter Team


Another reply from Statcounter on this situation:

 

Hi and thanks for your patience. I have installed Eset and visited your site and others where people say this problem happens. Eset gives me no warning or popup of any kind. Here is a screen shot showing me at your site with Eset open and all security features enabled:

(removed but it was an image of my website, and did not show any virus, etc)

I have also tested your site using the Google Safe Browsing tool and it reports no problems with your site or Statcounter. I have also tested your site in 2 other tools which do security checks and they report nothing. If you wish to double check my results here are the tools I used:

https://app.webinspector.com/

https://sitecheck.sucuri.net/results/https/www.(removed)

https://transparencyreport.google.com/safe-browsing/search?url=https:%2F%2F(removed)%2F

We will continue to investigate this and try to figure out why Eset was showing this warning. All things considered, if there was a problem I should see the same Eset warning and the malware checking sites should have reported something. However this is not the case.

Thanks for your patience!

 


I've provided Rory with more details that should help them locate the malicious code.


OK great. I have always found Statcounter to be very good over the years, so hopefully they can solve this, and that it helps them for the future also.


PS: I think they may have solved this now, and the pop up is not showing anymore?

I spoke too soon, it seems it is fixed on websites with Statcounter WordPress plugins, but not for websites that are using direct Statcounter HTML code!

Update: It now seems this has been fixed. A little strange though that a business the size of Statcounter, with millions of users, were not aware of the situation, but hopefully that has now completely eradicated the problem.

Thank you to Eset, who I have used for years, and always been pleased with their product and service, and thank you to Statcounter for being open to investigation when situations like this arise.

Edited by Steven-UK
