NotMembers, posted December 28, 2020 (edited):

Hi. One of the company's computers blocked this site with the message: js/agent OKP. We scanned the website with every tool and every online scanner, and we cannot find any trace of a virus. Could it be a false positive? Could someone scan the site too:

Thanks
Best Regards

Edited December 29, 2020 by Marcos: URL removed

Marcos (Administrators), posted December 28, 2020:

The website was compromised and contains an obfuscated malicious JavaScript:

The JavaScript creates an admin user:

NotMembers (Author), posted December 28, 2020:

Oh my god... How did you manage to find that?? All the scripts used to scan and detect don't find anything... How do you translate the eval String.fr0mCharC0de into code? Thanks

NotMembers (Author), posted December 28, 2020 (edited):

I succeeded in translating fr0mCharC0de. Thanks. As it seems to be a backdoor, could you delete the name of the site please? (In my post and in your screenshot.) I checked the source, it's a legitimate WordPress script that is infected!!!! I can give details in PM if needed. Don't know how you work.

Edited December 28, 2020 by NotMembers

itman, posted December 28, 2020:

FYI: https://www.shift8web.ca/2018/01/craft-xss-payload-create-admin-user-in-wordpress-user/

Marcos (Administrators), posted December 29, 2020:

9 hours ago, NotMembers said:
> I checked the source, it's a legitimate WordPress script that is infected!!!! I can give details in PM if needed.

You can drop me a personal message with the WordPress script attached. I assume you mean one with a definition of the fr0mcharc0de method, don't you?

NotMembers (Author), posted December 29, 2020:

I give you link and detail in PM.
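
Added example, not part of any post in this thread: the question above about turning an `eval` of `String.fr0mCharC0de` back into readable code can be answered without running the script, by decoding the numeric arguments statically. It assumes the thread's `fr0mCharC0de` stands for the standard `String.fromCharCode`; the function names and the sample input are constructed for illustration.

```javascript
// Added example: statically decode String.fromCharCode(...) calls. Nothing is eval'd.
// Group 1: optional eval( wrapper. Group 2: the raw argument list.
const CALL_RE = /(eval\s*\(\s*)?String\s*\.\s*fromCharCode\s*\(([^)]*)\)/g;

// Resolve one argument to a code unit; null if it is not a plain numeric literal.
function parseCode(token) {
  const t = token.trim();
  if (/^0x[0-9a-f]+$/i.test(t)) return parseInt(t, 16); // hex literal
  if (/^0[0-7]+$/.test(t)) return parseInt(t, 8);       // legacy octal literal
  if (/^\d+$/.test(t)) return parseInt(t, 10);          // decimal literal
  return null; // variable or expression: cannot be resolved without executing
}

// Return every decodable call with its offset and whether eval() wraps it.
function decodeFromCharCode(source) {
  const findings = [];
  for (const m of source.matchAll(CALL_RE)) {
    const codes = m[2].split(',').map(parseCode);
    if (codes.some((c) => c === null || c > 0xffff)) continue;
    findings.push({
      offset: m.index,
      wrappedInEval: Boolean(m[1]),
      decoded: codes.map((c) => String.fromCharCode(c)).join(''),
    });
  }
  return findings;
}

// Constructed sample (harmless): a page fragment hiding one statement.
const PAYLOAD = 'document.title = "constructed sample";';
const SAMPLE =
  '<script>var a=1;eval(String.fromCharCode(' +
  [...PAYLOAD].map((ch) => ch.charCodeAt(0)).join(',') +
  '));</script>';

for (const f of decodeFromCharCode(SAMPLE)) {
  console.log(`offset ${f.offset} eval=${f.wrappedInEval}: ${f.decoded}`);
}
```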