JS/Agent.OZD found on my Wordpress installation


JL67

Hi there, 

I have just seen that my WordPress site is infected by JS/Agent.OZD and I don't know how to find the script or where to look...

https://www.tracteurs-forestiers-noe.fr/

Can you help me?

Jean


  • Most Valued Members
14 hours ago, JL67 said:

Hi there, 

I have just seen that my WordPress site is infected by JS/Agent.OZD and I don't know how to find the script or where to look...

https://www.tracteurs-forestiers-noe.fr/

Can you help me?

Jean

Where ESET triggered the detection, look in the file's code and check for redirection code pointing to another JS file that you don't recognize; it should be that.


We have the same problem on many WordPress websites.

Domain : https://zalidairy.ir

Detection

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
2021/10/03 11:51:22 ب.ظ;HTTP filter;file;https://zalidairy.ir/wp-content/plugins/js_composer/assets/js/vendors/woocommerce-add-to-cart.js?ver=6.7.0;JS/Agent.OZD trojan;connection terminated;Event occurred during an attempt to access the web by the application: C:\Program Files\Mozilla Firefox\firefox.exe (9D90FAA8197CACBBC70621FC6DD235043ECC3F43).;885A97E67D7D5911221C513DBB47352D3729A7C0;

 

It seems that it is a false positive. If not, how can we find the malicious JS?
 


  • Administrators
4 minutes ago, RedDragon said:

It seems that it is a false positive. If not, how can we find the malicious JS?

The website was compromised. Searching for "/colors/blue/blue.php?id='+token();" will help you locate the malicious javascript.


1 hour ago, Marcos said:

The website was compromised. Searching for "/colors/blue/blue.php?id='+token();" will help you locate the malicious javascript.

Thank you, dear @Marcos. ESET Support is fantastic!!

And would you help us with why this website is infected? Can you see the infected part?

hxxp://airportseirosafar.com/

 


  • Administrators
15 minutes ago, RedDragon said:

And would you help us with why this website is infected? Can you see the infected part?

hxxp://airportseirosafar.com/

Remove the javascript that commences with "(function($,document){for($._Ev=$.BC;"

This topic is now closed to further replies.
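
Both administrator replies above give a literal string to search for in the site's files. The following is an added example, not part of the original thread or any ESET tooling: a small Python scanner that walks a WordPress directory and reports file, line and column for each of the two quoted strings. The file-extension list, the function names and the sample files are assumptions made up for this example.

```python
import os
import tempfile

# Literal strings quoted in the administrator replies in this thread.
MARKERS = (
    "/colors/blue/blue.php?id='+token();",
    "(function($,document){for($._Ev=$.BC;",
)
EXTENSIONS = (".js", ".php", ".html", ".htm")  # assumption: types worth scanning


def scan_tree(root, markers=MARKERS, extensions=EXTENSIONS):
    """Return sorted (relative_path, line, column, marker) hits under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for line_no, line in enumerate(fh, 1):
                        for marker in markers:
                            col = line.find(marker)
                            if col != -1:  # column matters: minified JS is one long line
                                hits.append((os.path.relpath(path, root), line_no, col + 1, marker))
            except OSError:
                continue  # unreadable file: skip and keep scanning
    return sorted(hits)


def demo():
    """Scan a small constructed tree (sample files are made up for this example)."""
    with tempfile.TemporaryDirectory() as root:
        js_dir = os.path.join(root, "wp-content", "plugins", "example", "js")
        os.makedirs(js_dir)
        samples = {
            "cart.js": "(function($,document){for($._Ev=$.BC; /* constructed */\nvar ok = 1;\n",
            "theme.js": "var a=1; x='/colors/blue/blue.php?id='+token();\n",
            "clean.js": "console.log('nothing injected');\n",
        }
        for name, body in samples.items():
            with open(os.path.join(js_dir, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, line_no, col, marker in demo():
        print(f"{rel}:{line_no}:{col}: {marker!r}")
```

Call `scan_tree()` with the site's document root to list every file that contains either string; compare each hit against a clean copy of the same plugin or theme version before editing it.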