mpower (Posted May 26, 2020)
In Chrome and Opera (not in Firefox) the JS/Spy.Agent.AH malware is being found by ESET. The malware was found in https://example.com/checkout/onepage/, so it does not say in which file. How do I know where the malware is hidden? Any advice? This is what it looks like in the logs:
Thanks!

Marcos, Administrators (Posted May 26, 2020)
It should be exactly that page. However, I'm getting 404 "page not found" when trying to download it.

mpower, Author (Posted May 26, 2020)
Yeah, it's not the real domain, I changed it :-). Is the malware in a JS file or could it also be PHP?

mpower, Author (Posted May 26, 2020)
@Marcos: Sent you a private message 🙂

Marcos, Administrators (Posted May 26, 2020)
The website is really infected. In this case, the malicious JS is detected by several AVs, not only by ESET:

mpower, Author (Posted May 26, 2020)
Alright, can you give me a hint how to get the infected files? Thanks!

itman (Posted May 26, 2020)
52 minutes ago, mpower said: "Alright, can you give me a hint how to get the infected files?"
Why in the world would you want to do this?

Marcos, Administrators (Posted May 26, 2020)
Are you an administrator of the website?

mpower, Author (Posted May 26, 2020; edited May 27, 2020 by mpower)
Yes, I am the site's admin (should have mentioned that 😀) and I want to replace the infected files with the non-infected version. If I knew the paths to the file(s) it would be no problem ...

mpower, Author (Posted May 27, 2020)
I took a code backup and deleted the old code, which made it work again. Thanks for your answers, guys.

Nightowl, Most Valued Members (Posted May 27, 2020)
57 minutes ago, mpower said: "I took a code backup and deleted the old code which made it work again. Thanks for your answers guys"
There should be a JS reference in your code that is linking to another script from another place where your detection has triggered, or it's hosted in your website, which means they can access and upload files to the server. You should secure the server more, so you can make sure that they cannot inject a JS again.

mpower, Author (Posted May 27, 2020)
Yeah, I told my customer to change FTP/SSH and database passwords already ... Thanks!

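One way to get the file paths asked about in this thread, as an added example that is not from any of the posters or from ESET: hash-compare the live web root against the clean code backup to list added or changed files, and list the script hosts a page references that are not on an allowlist (the external reference Nightowl describes). The directory layout, file names and the host `cdn.invalid` are constructed for the demonstration.

```python
# Added example: all paths, file contents and hosts below are constructed sample data.
import hashlib
import tempfile
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

def sha256_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_against_backup(backup_dir, live_dir):
    """Return (added, modified) relative paths in live_dir versus the clean backup."""
    clean, live = sha256_tree(backup_dir), sha256_tree(live_dir)
    added = sorted(set(live) - set(clean))
    modified = sorted(p for p in live if p in clean and live[p] != clean[p])
    return added, modified

class _ScriptSrc(HTMLParser):
    """Collect the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.srcs.append(src)

def unexpected_script_hosts(html, allowed_hosts):
    """List <script src> hosts in the HTML that are not on the allowlist."""
    parser = _ScriptSrc()
    parser.feed(html)
    hosts = {urlparse(s).hostname for s in parser.srcs}  # relative URLs have no host
    return sorted(h for h in hosts if h and h not in allowed_hosts)

def demo():
    """Build a constructed backup tree and a live tree with one injected reference."""
    tmp = Path(tempfile.mkdtemp())
    for tree, body in (("backup", "<script src='/js/checkout.js'></script>"),
                       ("live", "<script src='/js/checkout.js'></script>"
                                "<script src='https://cdn.invalid/x.js'></script>")):
        (tmp / tree / "tpl").mkdir(parents=True)
        (tmp / tree / "tpl" / "onepage.phtml").write_text(body)
    (tmp / "live" / "tpl" / "extra.js").write_text("/* file not in backup */")
    added, modified = diff_against_backup(tmp / "backup", tmp / "live")
    page = (tmp / "live" / "tpl" / "onepage.phtml").read_text()
    return added, modified, unexpected_script_hosts(page, {"example.com"})
```

The hash comparison only finds changes in files on disk; a reference stored in the database (for example in CMS content blocks) shows up in the rendered page check but not in the file diff.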