
JS/Agent.OZD



Hey @Marcos, thanks for the feedback. I found the injected code and I'm cleaning it right now. Hope this fixes the alerts. Thank you.


  • 4 weeks later...

Hello,
My friend gets this message

“ A threat found This website contains potentially dangerous content.  Threat: JS / Agent.OZD Trojan. Access was denied.  Computer is safe.“

when she visits https://theyogimatt.com, which I don’t get on my PC.

If you could help me scan it to double-check, that would be great.


  • Administrators

The website was compromised and contains JS/Agent.OZD trojan as reported by ESET.


51 minutes ago, Marcos said:

The website was compromised and contains JS/Agent.OZD trojan as reported by ESET.

Hello Marcos,

I contacted the website owner and he said they scanned the website multiple times and couldn’t find any appearance of the malware. Could you please help “they should look for what”?

+ I will give them this link to read and check and benefit from it.

Thanks in advance Marcos.


  • Administrators
51 minutes ago, Ashwaq said:

Could you please help “they should look for what”?

The admin should search for "/blue/blue.php?id='+token();" to locate the malicious JS.


1 minute ago, Marcos said:

The admin should search for "/blue/blue.php?id='+token();" to locate the malicious JS.

Thanks a lot.


Hello Marcos,

The website owner said they took actions and removed the files.

Would you please check again if it’s solved 🥺!

Thanks in advance for your support


21 minutes ago, Ashwaq said:

would you please check again if it’s solved

I can connect to the web site w/o any Eset alerts. The site's home web page did take a while to load, however, in Firefox.


8 minutes ago, itman said:

I can connect to the web site w/o any Eset alerts. The site's home web page did take a while to load, however, in Firefox.

Thanks Itman 🤩🤩 Great news👏🏼👏🏼


  • 3 weeks later...

MARCOS, can you have a look at https://www.seekops.com  JS/Agent.OZD trojan reported by ESET.

Brand new website - suspect infected .js files.  Web developer is adamant that nothing is wrong.

Need to provide a second opinion.


  • Administrators
8 hours ago, Capstone Works - CAA said:

Brand new website - suspect infected .js files.  Web developer is adamant that nothing is wrong.

Need to provide a second opinion.

Searching for "/wp-admin/css/colors/blue/blue.php" should help them locate the malicious javascript injected in js files.


14 hours ago, Capstone Works - CAA said:

Brand new website - suspect infected .js files.  Web developer is adamant that nothing is wrong.

I just scanned the web site at the Quttera web scanner site and it shows as clean.

Edited by itman

10 hours ago, Marcos said:

/wp-admin/css/colors/blue/blue.php

As far as the above is concerned, note the following:

Quote
Hello I launched the wordfence security plugin and I just realized that a file: wp-admin / css / colors / blue / php.in was very risky.

Detail: This file is in a WordPress core location but is not distributed with this version of WordPress. This scan often includes files left over from a previous WordPress version, but it may also find files added by another plugin, files added by your host, or malicious files added by an attacker. 192 more similar files were found.

https://forum.muffingroup.com/betheme/discussion/56230/wp-admin-css-colors-blue-php-in

Also refer to this: https://fixhackedwebsite.com/wordpress-hacked-redirect-how-to-clean-website-redirect-malware/

This web site is heavily infected. Below are some, and I am sure not all, malware detections by Eset:

hxxps://seekops.com/wp-content/plugins/assets/lib/vc_carousel/js/transition.min.js?ver=6.5.0
hxxps://seekops.com/wp-content/plugins/assets/js/dist/js_composer_front.min.js?ver=6.5.0
hxxps://seekops.com/wp-content/plugins/revslider/public/assets/js/extensions/revolution.extension.slideanims.min.js?version=5.4.8;
hxxps://seekops.com/wp-content/plugins/revslider/public/assets/js/extensions/revolution.extension.layeranimation.min.js?version=5.4.8
hxxps://seekops.com/wp-content/plugins/revslider/public/assets/js/extensions/revolution.extension.actions.min.js?version=5.4.8
hxxps://seekops.com/wp-content/plugins/revslider/public/assets/js/extensions/revolution.extension.navigation.min.js?version=5.4.8;
hxxps://seekops.com/wp-content/plugins/assets/js/dist/js_composer_front.min.js?ver=6.5.0
hxxps://seekops.com/wp-content/plugins/interactive-world-maps/includes/js/shortcode.js?ver=2.4.9
hxxps://seekops.com/wp-content/plugins/interactive-world-maps/includes/js/responsive.js?ver=2.4.9

Edited by itman

  • 2 weeks later...

@Marcos our website was flagged with JS/Agent.OZD, can you please help us to identify infected files www.extremetech.com


  • Administrators
9 minutes ago, Wcc said:

@Marcos our website was flagged with JS/Agent.OZD, can you please help us to identify infected files www.extremetech.com

Searching for "/wp-content/themes/twentyten/index.php?id='+token();" should help you locate the malicious javascript.


  • Administrators
33 minutes ago, Nabeelmeer said:

JS/Agent.OZD trojan on my website for eset my website is www.fabtech.co.za please can you assist

Searching for "if(ndsj===undefined)" should help you locate and remove the offending javascript.


  • Administrators
1 hour ago, Vyshnav MT said:

Can you help me please i have same issue in my website travcount.com/agent

Unfortunately I can't help by providing the exact js code to search for since the website requires authorization and the malware is not injected on the login page.

Basically what you can do:
1. Reproduce the detection.
2. Check the Detections log for URLs containing the malicious JavaScript.
3. On the web server, check those JS files for suspicious JavaScript (typically located towards the end of JS files).
4. Look up the suspicious JavaScript in other files on the website and remove all occurrences of it.
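
The search described in steps 3 and 4, as an added example that is not part of the original post and is not ESET tooling: a Python scan of a web root for the search strings quoted in this thread, reporting how far into each file the match sits. The scanned file extensions, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Search strings quoted by the ESET admin in this thread. The first one also
# matches the longer "/colors/blue/blue.php?id='+token();" variant.
MARKERS = [
    "/blue/blue.php?id='+token();",
    "/wp-admin/css/colors/blue/blue.php",
    "/wp-content/themes/twentyten/index.php?id='+token();",
    "if(ndsj===undefined)",
]
SCAN_EXT = (".js", ".php", ".html")  # assumption: file types worth checking

def scan_webroot(root):
    """Return a sorted list of (relative_path, marker, percent_into_file) hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXT):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it, keep scanning the rest
            for marker in MARKERS:
                pos = data.find(marker.encode())
                if pos != -1:
                    rel = os.path.relpath(path, root).replace(os.sep, "/")
                    hits.append((rel, marker, round(100 * pos / len(data))))
    return sorted(hits)

def build_sample_site(root):
    """Constructed sample tree: one clean file, one with a marker appended."""
    js_dir = os.path.join(root, "wp-content", "plugins", "demo", "js")
    os.makedirs(js_dir)
    clean = "function init(){return 1;}\n" * 20
    with open(os.path.join(js_dir, "clean.min.js"), "w") as fh:
        fh.write(clean)
    with open(os.path.join(js_dir, "infected.min.js"), "w") as fh:
        fh.write(clean + ";if(ndsj===undefined){/* constructed placeholder */}")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        for rel, marker, pct in scan_webroot(tmp):
            print(f"{rel}: {marker!r} found {pct}% into the file")
```

A hit reported close to 100% fits the "towards the end of JS files" pattern from step 3; every file listed should be cleaned or restored from a known-good copy, since step 4 calls for removing all occurrences.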


  • Administrators
25 minutes ago, Vyshnav MT said:

i can give you demo login could you please check it ??

Yes, you can send it to me in a private message.


  • 3 weeks later...
  • Administrators
1 hour ago, Diptendu said:

dev.aunwesha.com is showing this error.

Please help me find the infected files.

Searching for "/colors/blue/blue.php?id='+token();" should help you locate the malicious javascript.

