JL67, posted September 29, 2021:

Hi there, I have just seen that my WordPress site is infected by JS/Agent.OZD and I don't know how to find the script or where to look...

https://www.tracteurs-forestiers-noe.fr/

Can you help me?

Jean

Marcos (Administrators), posted September 30, 2021:

The website is under maintenance, therefore we can't reproduce the detection.

Nightowl (Most Valued Members), posted September 30, 2021:

> 14 hours ago, JL67 said:
> Hi there, I have just seen that my WordPress site is infected by JS/Agent.OZD and I don't know how to find the script or where to look... https://www.tracteurs-forestiers-noe.fr/ Can you help me? Jean

Where ESET triggered the detection, look in the file's code and check for a redirection code for another JS file that you don't recognize; it should be that.

RedDragon, posted October 3, 2021:

We have the same problem on many WordPress websites.

Domain: https://zalidairy.ir

Detection:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
2021/10/03 11:51:22 ب.ظ;HTTP filter;file;https://zalidairy.ir/wp-content/plugins/js_composer/assets/js/vendors/woocommerce-add-to-cart.js?ver=6.7.0;JS/Agent.OZD trojan;connection terminated;Event occurred during an attempt to access the web by the application: C:\Program Files\Mozilla Firefox\firefox.exe (9D90FAA8197CACBBC70621FC6DD235043ECC3F43).;885A97E67D7D5911221C513DBB47352D3729A7C0;

It seems that it is a false positive. If not, how can we find the malicious JS?

Marcos (Administrators), posted October 3, 2021:

> 4 minutes ago, RedDragon said:
> It seems that it is a false positive. If not, how can we find the malicious JS?

The website was compromised. Searching for "/colors/blue/blue.php?id='+token();" will help you locate the malicious javascript.

RedDragon, posted October 3, 2021:

> 1 hour ago, Marcos said:
> The website was compromised. Searching for "/colors/blue/blue.php?id='+token();" will help you locate the malicious javascript.

Thank you, dear @Marcos. ESET Support is fantastic!!

And would you help us with why this website is infected? Can you see the infected part?

hxxp://airportseirosafar.com/

Marcos (Administrators), posted October 3, 2021:

> 15 minutes ago, RedDragon said:
> And would you help us with why this website is infected? Can you see the infected part?

Remove the javascript that commences with "(function($,document){for($._Ev=$.BC;"
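
The string searches suggested in the replies above, written out as an added example (not part of the original posts and not ESET code): it walks a copy of the site's files and reports every file and line containing either quoted marker. The scanned extensions, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# The two marker strings quoted in the replies above; nothing else here comes from the thread.
MARKERS = (
    b"/colors/blue/blue.php?id='+token();",
    b"(function($,document){for($._Ev=$.BC;",
)
# Assumption: file types worth scanning for injected script in a WordPress tree.
SCAN_EXTENSIONS = (".js", ".php", ".html", ".htm")


def scan_tree(root):
    """Return sorted (relative_path, marker, line_number) hits under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            for marker in MARKERS:
                pos = data.find(marker)
                while pos != -1:  # report every occurrence, not just the first
                    line = data.count(b"\n", 0, pos) + 1
                    rel = os.path.relpath(path, root).replace(os.sep, "/")
                    hits.append((rel, marker.decode(), line))
                    pos = data.find(marker, pos + len(marker))
    return sorted(hits)


def demo():
    """Scan a constructed sample tree: one clean file and two with a marker planted."""
    clean = b"jQuery(function($){});\n"
    samples = {
        "wp-content/plugins/demo/clean.js": clean,
        "wp-content/plugins/demo/infected.js": clean + b"var u='" + MARKERS[0] + b"\n",
        "wp-content/themes/demo/footer.php": b"<?php ?>\n<script>\n" + MARKERS[1] + b"\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        return scan_tree(root)
```

Call `scan_tree()` with the directory that contains `wp-content`; a hit only shows where the marker text sits, so the surrounding script still has to be reviewed and removed by hand or the file restored from a clean copy.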