
JS/Agent.OCJ



We are receiving what appears to be a false notice of the js/Agent.OCJ virus. The website we are trying to access is the CRM website that accepts all leads that come in from our website. The CRM then notifies us of a new lead. This website we are accessing is managed by an outside company and is used by 125 offices around North America. Apparently we are the only office having this issue. This is occurring with 1 desktop, 1 laptop and 1 Surface tablet. All using Windows 10. The only commonality is all devices are using ESET virus software. I can access the CRM on my Apple devices. I have researched online and what I read is the problem is the website. If so, then why are our 3 devices the only ones getting a popup not allowing us to access the CRM?


  • Administrators

It's very unlikely to be a false positive. The reason why only ESET detects it is that we have smart script detections and the script scanner itself. It often happens that people think that a detection on their website must be a false positive because nobody else is detecting it, but then we prove otherwise.

You can provide logs collected with ESET Log Collector; however, be sure to also select quarantined files to be collected.


23 minutes ago, kennyb said:

This URL can't be directly accessed since it requires a logon.

Also, alairhomes.com website cannot be fully externally scanned due to:

Quote

The scanner crawlers are blocked by the web application firewall on this domain/website. The scan result could be incomplete.

https://quttera.com/detailed_report/alairhomes.com

As such, Quttera classifies the web site as suspicious.


Ok. Not sure what all that means. If there are 125 other offices not having this problem, I am not sure what to do. We need to access this website to follow up on leads. Is there a way to make the CRM site a safe site?


29 minutes ago, kennyb said:

Ok. Not sure what all that means. If there are 125 other offices not having this problem, I am not sure what to do. We need to access this website to follow up on leads. Is there a way to make the CRM site a safe site?

Sucuri detected malware on the website: https://sitecheck.sucuri.net/results/https/crm.alairhomes.com/dashboard and there are multiple instances of it; all JavaScript plug-in based. You will need to inform the website provider about this.


  • Administrators
1 hour ago, kennyb said:

The URL is https://crm.alairhomes.com/dashboard

Log file is attached.

I did not want to unblock unless I am sure the issue is a false positive, which Marcos said it probably is not.

Searching for "/assets/css/pages/pages.php" should help an administrator locate the malicious JavaScript.

Quote

If there are 125 other offices not having this problem, I am not sure what to do.

Couldn't it be that they are not using ESET? If the JavaScript malware is not detected on the machines, there's a good chance it's executed.
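The search Marcos suggests above is something a site administrator can do with a small script rather than by opening files by hand. The following is an added example, not code from this thread, from ESET or from the CRM provider: it walks a web root, looks only at text-type files, and reports every file and line containing the indicator string "/assets/css/pages/pages.php" from the post above. The sample site it builds in a temporary directory is constructed for the demonstration (the file names and the injected line are made up); the list of extensions to inspect is an assumption about a typical PHP/JavaScript site layout.

```python
import tempfile
from pathlib import Path

# Indicator string suggested in the thread above; searching a site's files for it
# is how an administrator would locate the injected script.
INDICATOR = "/assets/css/pages/pages.php"

# Extensions to inspect (assumption: a typical PHP/JavaScript site layout).
# Binary assets such as images are skipped so they do not produce noise.
TEXT_EXTENSIONS = {".php", ".js", ".html", ".htm", ".tpl", ".json", ".css"}


def find_indicator(web_root, indicator=INDICATOR):
    """Walk web_root and return (relative_path, line_number, line_excerpt)
    for every line in a text file that contains the indicator string.

    A site can carry several copies of an injection (Sucuri reported
    "multiple instances" for this site), so every hit is returned,
    not just the first one.
    """
    root = Path(web_root)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_EXTENSIONS:
            continue
        try:
            with path.open("r", encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, start=1):
                    if indicator in line:
                        hits.append(
                            (path.relative_to(root).as_posix(), lineno, line.strip()[:120])
                        )
        except OSError:
            # Unreadable file: skip it rather than abort the whole scan.
            continue
    return hits


def build_sample_webroot():
    """Create a constructed sample site in a temp dir (not the real CRM's files)."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "js").mkdir()
    (root / "js" / "app.js").write_text("console.log('clean file');\n", encoding="utf-8")
    # Constructed: a library file with one extra line appended, the shape an
    # injected "plug-in" typically takes on a compromised site.
    (root / "js" / "jquery.min.js").write_text(
        "/* jQuery (constructed stand-in) */\n"
        "var u='/assets/css/pages/pages.php'; /* constructed injected line */\n",
        encoding="utf-8",
    )
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n", encoding="utf-8")
    (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")  # binary, skipped by extension
    return root


def main():
    root = build_sample_webroot()
    hits = find_indicator(root)
    if not hits:
        print("indicator not found")
    for rel, lineno, excerpt in hits:
        print(f"{rel}:{lineno}: {excerpt}")


if __name__ == "__main__":
    main()
```

Run it against a real document root by calling find_indicator("/var/www/html") (path assumed) instead of the sample tree; a hit in a minified library such as jquery.min.js is exactly the case where the injected line is easy to miss by eye.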


15 minutes ago, Marcos said:

Searching for "/assets/css/pages/pages.php" should help an administrator locate the malicious JavaScript.

Couldn't it be that they are not using ESET? If the JavaScript malware is not detected on the machines, there's a good chance it's executed.

What is interesting in this case is Eset didn't detect anything initially and allowed the redirect to the logon web page to proceed without any detections. Makes me wonder if Eset would have detected it after web site logon.


Based on this scan: https://sitecheck.sucuri.net/results/https/crm.alairhomes.com/login , the malware is resident on this web page and Eset is not detecting it.

-EDIT- My guess here is this web site provider is using a web site firewall and it is blocking Eset's scanning of the web site.

Edited by itman

  • Administrators
22 minutes ago, itman said:

Based on this scan: https://sitecheck.sucuri.net/results/https/crm.alairhomes.com/login , the malware is resident on this web page and Eset is not detecting it.

-EDIT- My guess here is this web site provider is using a web site firewall and it is blocking Eset's scanning of the web site.

image.png


Okay. I do not have access to the website developer. It is a Canadian based company that goes through the marketing department within our home office, and according to them, the website is safe. I am at a loss why only ESET would discover this and no other virus software will. It does make me feel safer, but basically we are stuck.

If you can provide me a condensed version of what was discussed here, I will forward it to our marketing department and maybe they will forward it on to the website developer.


2 hours ago, Marcos said:

image.png

I don't know what you did to trigger a detection, but it doesn't trigger in Firefox:

Eset_Detection.thumb.png.772dfc30cc33b1e010a73ab7285df950.png

Mouse clicking on either the Microsoft or Google sign-on options shown displays their respective logon web pages.

Also those malicious plug-ins exist in this web page code:

Eset_Plug-ins.thumb.png.ae6351e2ee195a53c3b484aa7e089523.png

Edited by itman

1 hour ago, kennyb said:

 

If you can provide me a condensed version of what was discussed here, I will forward to our marketing department and maybe they will forward on to the website developer.

State the web site is infected and forward them this link: https://forum.eset.com/topic/29478-jsagentocj/?do=findComment&comment=138385


Guys, thanks for your help so far. I did forward your information and it was passed on to the website developer. They did ask a question.

We recently updated our SSL cert to the newer standard. Is it possible that it's not recognized by their antivirus software?

Is it possible to loop them into this thread or you into the email thread?


9 minutes ago, kennyb said:

We recently updated our SSL cert to the newer standard. Is it possible that it's not recognized by their antivirus software?

It's not an exclusive Eset detection issue.

Sucuri is also detecting that the web site contains malware. Forward this link to them: https://sitecheck.sucuri.net/results/https/crm.alairhomes.com/dashboard . As such, I can't see a change in SSL cert being the cause.


This is the response I just received from the developer.

Thanks for the feedback. I ran some malware checks on our server as well and they flagged one of our background jobs as potentially being problematic based on how often we're running it. To be clear, it is not a virus or anything to be concerned about. It's just that some systems don't like how often we're making requests as it can be an indicator of spam or bot attacks. I'll ask development to take a look and see if there are any implications of adjusting so it's not setting off alarms.

We are really in a jam here. I need to get into the CRM to enter a new project so I can get a contract signed. I am stuck if I can't get in. Is there any way to work around this issue so it doesn't lock the site? Please help. I trust the developer. They handle our entire company of 120+ offices and the home office. It is becoming apparent we are the only ones using ESET, which to date I have been very happy with. I really don't want to change, but if we can't function, we may have to.

For the time being, I am disabling my virus protection to at least get this project entered.


  • Administrators

Without disabling AV web protection and allowing the malware to run, you can't avoid it. It's sad that the developers are adamant and don't contact ESET or don't even check this forum as evidence that their site was compromised and is serving malware.


  • Administrators

You could provide the developers with the following proof that the website is infected:

image.png

