Jairo 0 Posted July 5, 2021 Share Posted July 5, 2021 Hey @Marcos, thanks for the feedback, I found the injected code, I'm cleaning right now. Hope this fix the alerts. Thank you. Link to comment Share on other sites More sharing options...
Ashwaq 0 Posted July 28, 2021 Share Posted July 28, 2021 Hello, My friend gets this message “ A threat found This website contains potentially dangerous content. Threat: JS / Agent.OZD Trojan. Access was denied. Computer is safe.“ when she visits https://theyogimatt.com which I don’t get in my pc. If you can help me scanning it to double check.. would be great. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted July 28, 2021 Administrators Share Posted July 28, 2021 The website was compromised and contains JS/Agent.OZD trojan as reported by ESET. Link to comment Share on other sites More sharing options...
Ashwaq 0 Posted July 28, 2021 Share Posted July 28, 2021 51 minutes ago, Marcos said: The website was compromised and contains JS/Agent.OZD trojan as reported by ESET. Hello Marcos, I contacted the website owner and he said they scanned the website multiple times and couldn’t found any appearance of the malware.. Could you please help “they should look for what”? +I will give them this link to read and check and benefit from it.. Thanks in advance Marcos. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted July 28, 2021 Administrators Share Posted July 28, 2021 51 minutes ago, Ashwaq said: Could you please help “they should look for what”? The admin should search for "/blue/blue.php?id='+token();" to locate the malicious JS. Link to comment Share on other sites More sharing options...
Ashwaq 0 Posted July 28, 2021 Share Posted July 28, 2021 1 minute ago, Marcos said: The admin should search for "/blue/blue.php?id='+token();" to locate the malicious JS. Thanks a lot. Link to comment Share on other sites More sharing options...
Ashwaq 0 Posted July 28, 2021 Share Posted July 28, 2021 Hello Marcos, The website owner said they took actions and removed the files. would you please check again if it’s solved 🥺! Thanks in advance for your support ✨ Link to comment Share on other sites More sharing options...
itman 1,659 Posted July 28, 2021 Share Posted July 28, 2021 21 minutes ago, Ashwaq said: would you please check again if it’s solved I can connect to the web site w/o any Eset alerts. The site's home web page did take a while to load however in FireFox. Link to comment Share on other sites More sharing options...
Ashwaq 0 Posted July 28, 2021 Share Posted July 28, 2021 8 minutes ago, itman said: I can connect to the web site w/o any Eset alerts. The site's home web page did take a while to load however in FireFox. Thanks Itman 🤩🤩 Great news👏🏼👏🏼 Link to comment Share on other sites More sharing options...
Capstone Works - CAA 0 Posted August 13, 2021 Share Posted August 13, 2021 MARCOS, can you have a look at https://www.seekops.com JS/Agent.OZD trojan reported by ESET. Brand new website - suspect infected .js files. Web developer is adamant that nothing is wrong. Need to provide a second opinion. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted August 14, 2021 Administrators Share Posted August 14, 2021 8 hours ago, Capstone Works - CAA said: Brand new website - suspect infected .js files. Web developer is adamant that nothing is wrong. Need to provide a second opinion. Searching for "/wp-admin/css/colors/blue/blue.php" should help them locate the malicious javascript injected in js files. Link to comment Share on other sites More sharing options...
itman 1,659 Posted August 14, 2021 Share Posted August 14, 2021 (edited) 14 hours ago, Capstone Works - CAA said: Brand new website - suspect infected .js files. Web developer is adamant that nothing is wrong. I just scanned the web site at the Quttera web scanner site and it shows as clean. Edited August 14, 2021 by itman Link to comment Share on other sites More sharing options...
ESET Insiders NewbyUser 73 Posted August 14, 2021 ESET Insiders Share Posted August 14, 2021 Still infected. Link to comment Share on other sites More sharing options...
itman 1,659 Posted August 14, 2021 Share Posted August 14, 2021 (edited) 10 hours ago, Marcos said: /wp-admin/css/colors/blue/blue.php As far as the above is concerned, note the following: Quote Hello I launched the wordfence security plugin and I just realized that a file: wp-admin / css / colors / blue / php.in was very risky. Detail: This file is in a WordPress core location but is not distributed with this version of WordPress. This scan often includes files left over from a previous WordPress version, but it may also find files added by another plugin, files added by your host, or malicious files added by an attacker. 192 more similar files were found. https://forum.muffingroup.com/betheme/discussion/56230/wp-admin-css-colors-blue-php-in Also refer to this: https://fixhackedwebsite.com/wordpress-hacked-redirect-how-to-clean-website-redirect-malware/ This web site is heavily infected. Below are some and I am sure not all malware detection's by Eset: hxxps://seekops.com/wp-content/plugins/assets/lib/vc_carousel/js/transition.min.js?ver=6.5.0 hxxps://seekops.com/wp-content/plugins/assets/js/dist/js_composer_front.min.js?ver=6.5.0 hxxps://seekops.com/wp- content/plugins/revslider/public/assets/js/extensions/revolution.extension.slideanims.min.js?version=5.4.8; hxxps://seekops.com/wp-content/plugins/revslider/public/assets/js/extensions/revolution.extension.layeranimation.min.js?version=5.4.8 hxxps://seekops.com/wp-content/plugins/revslider/public/assets/js/extensions/revolution.extension.actions.min.js?version=5.4.8 hxxps://seekops.com/wp-content/plugins/revslider/public/assets/js/extensions/revolution.extension.navigation.min.js?version=5.4.8; hxxps://seekops.com/wp-content/plugins/assets/js/dist/js_composer_front.min.js?ver=6.5.0 hxxps://seekops.com/wp-content/plugins/interactive-world-maps/includes/js/shortcode.js?ver=2.4.9 hxxps://seekops.com/wp-content/plugins/interactive-world-maps/includes/js/responsive.js?ver=2.4.9 Edited August 14, 2021 by itman Link to comment Share on other sites More sharing options...
Wcc 0 Posted August 23, 2021 Share Posted August 23, 2021 @Marcos our website was flagged with JS/Agent.OZD, can you please help us to identify infected files www.extremetech.com Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted August 23, 2021 Administrators Share Posted August 23, 2021 9 minutes ago, Wcc said: @Marcos our website was flagged with JS/Agent.OZD, can you please help us to identify infected files www.extremetech.com Searching for "/wp-content/themes/twentyten/index.php?id='+token();" should help you locate the malicious javascript. Link to comment Share on other sites More sharing options...
Nabeelmeer 0 Posted August 31, 2021 Share Posted August 31, 2021 JS/Agent.OZD trojan on my website for eset my website is www.fabtech.co.za please can you assist Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted August 31, 2021 Administrators Share Posted August 31, 2021 33 minutes ago, Nabeelmeer said: JS/Agent.OZD trojan on my website for eset my website is www.fabtech.co.za please can you assist Searching for "if(ndsj===undefined)" should help you locate and remove the offending javascript. Link to comment Share on other sites More sharing options...
Vyshnav MT 0 Posted September 8, 2021 Share Posted September 8, 2021 Can you help me please i have same issue in my website travcount.com/agent Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted September 8, 2021 Administrators Share Posted September 8, 2021 1 hour ago, Vyshnav MT said: Can you help me please i have same issue in my website travcount.com/agent Unfortunately I can't help by providing the exact js code to search for since the website requires authorization and the malware is not injected on the login page. Basically what you can do: 1, Reproduce the detection 2, Check the Detections log for urls containing the malicious javascript. 3, On the web server check those js files for a suspicious javascript (typically located towards the end of js files). 4, Look up the suspicious javascript in other files on the website and remove all occurrences of it. Link to comment Share on other sites More sharing options...
Vyshnav MT 0 Posted September 8, 2021 Share Posted September 8, 2021 i can give you demo login could you please check it ?? Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted September 8, 2021 Administrators Share Posted September 8, 2021 25 minutes ago, Vyshnav MT said: i can give you demo login could you please check it ?? Yes, you can send it to me in a private message. Link to comment Share on other sites More sharing options...
Diptendu 0 Posted September 26, 2021 Share Posted September 26, 2021 Hello, dev.aunwesha.com is showing this error. Please help me find the infected files. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted September 26, 2021 Administrators Share Posted September 26, 2021 1 hour ago, Diptendu said: dev.aunwesha.com is showing this error. Please help me find the infected files. Searching for "/colors/blue/blue.php?id='+token();" should help you locate the malicious javascript. Link to comment Share on other sites More sharing options...
Sarah Whiteman 0 Posted November 5, 2021 Share Posted November 5, 2021 Hi there We're expereincing alerts with our eset firewall detecting foreign content JS/Agent.OZD url: https://umdm.gov.za Please help Link to comment Share on other sites More sharing options...
Recommended Posts