Jump to content

JS/Agent.OZD found on my Wordpress installation


Recommended Posts

Hi there, 

I have just seen that my wordpress site is infected by JS/Agent.OZD and I don't know how to find the script or where to look...

https://www.tracteurs-forestiers-noe.fr/

 

Can you Help me ?

Jean

Link to comment
Share on other sites

  • Most Valued Members
14 hours ago, JL67 said:

Hi there, 

I have just seen that my wordpress site is infected by JS/Agent.OZD and I don't know how to find the script or where to look...

https://www.tracteurs-forestiers-noe.fr/

 

Can you Help me ?

Jean

Where ESET triggered the detection , see in the file's code and check for a redirection code for another JS file that you don't recognize , it should be that.

Link to comment
Share on other sites

We have the same problem in many Wordpress website .

Domain : https://zalidairy.ir

Detection

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
2021/10/03 11:51:22 ب.ظ;HTTP filter;file;https://zalidairy.ir/wp-content/plugins/js_composer/assets/js/vendors/woocommerce-add-to-cart.js?ver=6.7.0;JS/Agent.OZD trojan;connection terminated;Event occurred during an attempt to access the web by the application: C:\Program Files\Mozilla Firefox\firefox.exe (9D90FAA8197CACBBC70621FC6DD235043ECC3F43).;885A97E67D7D5911221C513DBB47352D3729A7C0;

 

It seems that is false positive . if not how can we find the malicious js ? 
 

Link to comment
Share on other sites

  • Administrators
4 minutes ago, RedDragon said:

It seems that is false positive . if not how can we find the malicious js ?

The website was compromised. Searching for "/colors/blue/blue.php?id='+token();" will help you locate the malicious javascript.

Link to comment
Share on other sites

1 hour ago, Marcos said:

The website was compromised. Searching for "/colors/blue/blue.php?id='+token();" will help you locate the malicious javascript.

Thank you dear @Marcos . ESET Support is fantastic !!

And would you help us why this website in infected ? can you see the infected part ? 

hxxp://airportseirosafar.com/

 

Link to comment
Share on other sites

  • Administrators
15 minutes ago, RedDragon said:

And would you help us why this website in infected ? can you see the infected part ? 

hxxp://airportseirosafar.com/

Remove the javascript that commences with "(function($,document){for($._Ev=$.BC;"

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...