JL67
Posted September 29, 2021

Hi there,

I have just seen that my WordPress site is infected by JS/Agent.OZD and I don't know how to find the script or where to look...

https://www.tracteurs-forestiers-noe.fr/

Can you help me?

Jean

Marcos (Administrators)
Posted September 30, 2021

The website is under maintenance, therefore we can't reproduce the detection.

Nightowl (Most Valued Members)
Posted September 30, 2021

14 hours ago, JL67 said:
> Hi there, I have just seen that my WordPress site is infected by JS/Agent.OZD and I don't know how to find the script or where to look... https://www.tracteurs-forestiers-noe.fr/ Can you help me? Jean

Look in the code of the file where ESET triggered the detection and check for redirection code pointing to another JS file that you don't recognize; it should be that.

RedDragon
Posted October 3, 2021

We have the same problem on many WordPress websites.

Domain: https://zalidairy.ir

Detection:
Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
2021/10/03 11:51:22 ب.ظ;HTTP filter;file;https://zalidairy.ir/wp-content/plugins/js_composer/assets/js/vendors/woocommerce-add-to-cart.js?ver=6.7.0;JS/Agent.OZD trojan;connection terminated;Event occurred during an attempt to access the web by the application: C:\Program Files\Mozilla Firefox\firefox.exe (9D90FAA8197CACBBC70621FC6DD235043ECC3F43).;885A97E67D7D5911221C513DBB47352D3729A7C0;

It seems that it is a false positive. If not, how can we find the malicious JS?

Marcos (Administrators)
Posted October 3, 2021

4 minutes ago, RedDragon said:
> It seems that it is a false positive. If not, how can we find the malicious JS?

The website was compromised. Searching for "/colors/blue/blue.php?id='+token();" will help you locate the malicious JavaScript.

RedDragon
Posted October 3, 2021

1 hour ago, Marcos said:
> The website was compromised. Searching for "/colors/blue/blue.php?id='+token();" will help you locate the malicious JavaScript.

Thank you, dear @Marcos. ESET Support is fantastic!!

And would you help us why this website is infected? Can you see the infected part?

hxxp://airportseirosafar.com/

Marcos (Administrators)
Posted October 3, 2021

15 minutes ago, RedDragon said:
> And would you help us why this website is infected? Can you see the infected part? hxxp://airportseirosafar.com/

Remove the JavaScript that commences with "(function($,document){for($._Ev=$.BC;"
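
The two searches suggested in the replies above can be run over a whole site tree at once. The script below is an added example, not part of the original thread and not ESET tooling; the function names, the extension list and the sample files are assumptions made for illustration.

```python
import tempfile
from pathlib import Path

# Marker strings quoted in the replies above.
MARKERS = [
    b"/colors/blue/blue.php?id='+token();",
    b"(function($,document){for($._Ev=$.BC;",
]
# Assumption: file types worth scanning in a WordPress install.
EXTENSIONS = {".js", ".php", ".html", ".htm"}


def scan_tree(root, markers=MARKERS, context=40):
    """Return (path, marker, byte_offset, snippet) for every marker hit under root."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.suffix.lower() not in EXTENSIONS or not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip it, keep scanning
        for marker in markers:
            pos = data.find(marker)
            while pos != -1:
                # Minified JS is often a single long line, so report a byte
                # offset and a short snippet rather than a line number.
                snippet = data[max(0, pos - context):pos + len(marker) + context]
                hits.append((str(path), marker.decode(), pos, snippet.decode("latin-1")))
                pos = data.find(marker, pos + 1)
    return hits


def demo():
    """Scan a small constructed tree: one clean file, one carrying a marker."""
    root = Path(tempfile.mkdtemp())
    js_dir = root / "wp-content" / "plugins" / "example" / "js"
    js_dir.mkdir(parents=True)
    (js_dir / "clean.js").write_bytes(b"jQuery(function($){ $('.cart').show(); });\n")
    (js_dir / "tampered.js").write_bytes(
        b"var a=1;/* constructed sample */x='/colors/blue/blue.php?id='+token();\n")
    return scan_tree(root)


if __name__ == "__main__":
    for path, marker, offset, snippet in demo():
        print(f"{path} @ byte {offset}: {snippet!r}")
```

To scan a real site, call `scan_tree()` on a local copy of the web root; every file it reports should be compared against a clean copy of the same plugin or theme version.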