Threat: HTML/ScrInject.B trojan

abolfazl · July 3, 2021

Hi
Over the past few days, a large number of site users have reported to us that some of the site's pages will not open and will be blocked by NOD32 antivirus.

The site is completely secure and there is no problem and they see the following:

HTML/ScrInject.B trojan

Blocked address (example):

https://king2net.com/11746/clash-royale-hack/

How can I fix this problem?

itman · July 3, 2021

Eset's detection is correct.

Per a Quttera scan of the domain:

Threat dump code shows:

Threat_Dump.png.844a570dba6a48f102001267fcc32143.png

Additional details here: https://quttera.com/detailed_report/king2net.com

Edited July 3, 2021 by itman

abolfazl · July 4, 2021

Hello
Thank you for your guidance
I have now deleted the file
Will the site problem be solved?

itman · July 4, 2021

1 hour ago, abolfazl said:

Hello
Thank you for your guidance
I have now deleted the file
Will the site problem be solved?

It currently scanned clean by Quttera: https://quttera.com/detailed_report/king2net.com

Refer to FAQ section on the Eset forum home page on "submission of false positive" request. I would include the above Quttera scan link in the request to Eset for re-classification of your domain.

abolfazl · August 1, 2021

On 7/5/2021 at 4:01 AM, itman said:

It currently scanned clean by Quttera: https://quttera.com/detailed_report/king2net.com

Refer to FAQ section on the Eset forum home page on "submission of false positive" request. I would include the above Quttera scan link in the request to Eset for re-classification of your domain.

Thank you for your guidance But I still could not message eset support! Because I did not find the part you mentioned in the forum Please provide a direct link to the report

Nightowl · August 1, 2021

58 minutes ago, abolfazl said:

Thank you for your guidance But I still could not message eset support! Because I did not find the part you mentioned in the forum Please provide a direct link to the report

Here you need to send an email/form as instructed here : https://support.eset.com/en/kb141-submit-a-virus-website-or-potential-false-positive-sample-to-the-eset-lab

itman · August 1, 2021

3 hours ago, abolfazl said:

Because I did not find the part you mentioned in the forum Please provide a direct link to the report

I don't know how you could miss this reference. It's listed on the forum home web page. See below screen shot:

itman · August 1, 2021

Also refer to this Sucuri analysis: https://sitecheck.sucuri.net/results/https/king2net.com/11746/clash-royale-hack/ . This site is currently blacklisted by McAfee. Interestingly, it states that Eset indicates the site is clean. However, Eset is still detecting malware on the web site and blocking access to it:

Eset_malware.png.e5051dd7a546a489568b639d1c745c92.png

My best guess here is the malicious web site script injection is only being triggered via direct browser access to the site.

Eset's current detection is correct since the site still contains malware per this recent VirusTotal scan:

Edited August 1, 2021 by itman

itman · August 2, 2021

I will also add that this domain is blacklisted by Quttera: https://quttera.com/detailed_report/king2net.com which is as severe a malware classification as it gets.

Edited August 2, 2021 by itman

Habib Hosseini · October 13, 2021

Dear admin ,

There was a link to an infected site on my site and I deleted it .

My site is clean now . ( attachment ) I also sent an email to the ESET

After 10 days, I still can not enter my site . Please advise what to do?

Site: irtci.com

Marcos · October 13, 2021

Quote

There was a link to an infected site on my site and I deleted it .

My site is clean now

The website was compromised. Please remove all references to joyshoul.com.

Habib Hosseini · October 13, 2021

I find it in my first page and remove it , now Site is Ok

How can I find out if this link is not on other pages of the site?

Marcos · October 13, 2021

You should have access to all files on your site so you can search them all for a reference to the malicious domain.

Habib Hosseini · October 13, 2021

Really Thanks .

I seem to have to search all 1500 pages . I wish there was software that would find the pages where this link was added .

Google can also help Site:irtci.com ( link )

Anyway, thank you for your help

Nightowl · October 13, 2021

1 hour ago, Habib Hosseini said:

Really Thanks .

I seem to have to search all 1500 pages . I wish there was software that would find the pages where this link was added .

Google can also help Site:irtci.com ( link )

Anyway, thank you for your help

Download the source files for your website , let ESET scan it , it should pinpoint which files are having it, can make your search easier.

Habib Hosseini · October 13, 2021

not work ,

in ASP website links add in SQL Data Base ,

peteyt · October 13, 2021

10 hours ago, Habib Hosseini said:

not work ,

in ASP website links add in SQL Data Base ,

Not sure if this will help https://www.quora.com/How-can-I-find-a-piece-of-code-in-all-of-my-websites-files

Sign In

Threat: HTML/ScrInject.B trojan

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Recently Browsing 0 members

Quick search

FAQ

Topics