gretchen6205 1 Posted October 28, 2021 Share Posted October 28, 2021 I have been trying to access akc.org and get a message that ESET has removed a threat when trying to access the website. I have scanned my computer but nothing was found. I am running ESET NOD Antivirus 14.2.24.0 using Edge. AKC has now blacklisted my IP address. How do I fix this? Link to comment Share on other sites More sharing options...
Administrators Marcos 5,143 Posted October 28, 2021 Administrators Share Posted October 28, 2021 You can inform the owner of the domain that it was compromised and a malicious javacsript is injected in some js files. Detecting the malware could not cause your IP address to be banned. Link to comment Share on other sites More sharing options...
Lee P 0 Posted October 31, 2021 Share Posted October 31, 2021 Gretchen6205, the same thing just happened to me and I did the same thing you did but nothing has helped. Were you able to get this resolved? Link to comment Share on other sites More sharing options...
Administrators Marcos 5,143 Posted November 1, 2021 Administrators Share Posted November 1, 2021 10 hours ago, Lee P said: Gretchen6205, the same thing just happened to me and I did the same thing you did but nothing has helped. Were you able to get this resolved? What website was the threat detected on? Are you the owner or administrator of the website in question? Link to comment Share on other sites More sharing options...
itman 1,707 Posted November 1, 2021 Share Posted November 1, 2021 (edited) On 10/28/2021 at 1:56 PM, gretchen6205 said: I have been trying to access akc.org and get a message that ESET has removed a threat when trying to access the website. This web site is heavily infected. Below are the detections encounter when I accessed the web site. My concern is Eset did not block access to the web site using Firefox as it stated it did. hxxps://www.akc.org/wp-includes/js/jquery/jquery.min.js?ver=3.6.0 hxxps://www.akc.org/wp-content/plugins/gigya-socialize-for-wordpress/gigya.js?ver=5.8.1 hxxps://www.akc.org/wp-content/plugins/gigya-socialize-for-wordpress/features/raas/gigya_raas.js?ver=5.7.3.4 hxxps://www.akc.org/wp-includes/js/wp-embed.min.js?ver=5.8.1 hxxps://www.akc.org/wp-includes/js/wp-emoji-release.min.js?ver=5.8.1 Edited November 1, 2021 by itman Link to comment Share on other sites More sharing options...
Administrators Marcos 5,143 Posted November 1, 2021 Administrators Share Posted November 1, 2021 The connection was indeed terminated; the downloaded script ends with "function(e){S(this).wrapInner(n.call", ie. it's incomplete and thus not working, ie. it could not run and do anything malicious. Link to comment Share on other sites More sharing options...
itman 1,707 Posted November 1, 2021 Share Posted November 1, 2021 10 minutes ago, Marcos said: The connection was indeed terminated; the downloaded script ends with "function(e){S(this).wrapInner(n.call", ie. it's incomplete and thus not working, ie. it could not run and do anything malicious. From this reply, I infer that Eset is no longer blocking access to the entire web site when malware is found? Link to comment Share on other sites More sharing options...
gretchen6205 1 Posted November 1, 2021 Author Share Posted November 1, 2021 15 hours ago, Marcos said: What website was the threat detected on? Are you the owner or administrator of the website in question? As I said in the OP, akc.org Link to comment Share on other sites More sharing options...
gretchen6205 1 Posted November 1, 2021 Author Share Posted November 1, 2021 On 10/31/2021 at 2:31 PM, Lee P said: Gretchen6205, the same thing just happened to me and I did the same thing you did but nothing has helped. Were you able to get this resolved? No, I haven't done anything. One solution is to get another IP address, but I'm concerned about what cascading effect this might have. Otherwise, my plan is to just wait to see if it resolves itself. Link to comment Share on other sites More sharing options...
gretchen6205 1 Posted November 1, 2021 Author Share Posted November 1, 2021 On 10/28/2021 at 12:00 PM, Marcos said: You can inform the owner of the domain that it was compromised and a malicious javacsript is injected in some js files. Detecting the malware could not cause your IP address to be banned. I tried contacting akc.org and the customer service desk was not helpful. I did not try to discuss the matter with the IT dept., however, I sent an email to akc and they asked for my IP address. I have not heard anything back yet Link to comment Share on other sites More sharing options...
gretchen6205 1 Posted November 1, 2021 Author Share Posted November 1, 2021 On 10/28/2021 at 12:00 PM, Marcos said: You can inform the owner of the domain that it was compromised and a malicious javacsript is injected in some js files. Detecting the malware could not cause your IP address to be banned. I do not have the expertise to go back to akc to tell them their website has been compromised, they'll only ask for more details that I do not have. Is it possible for ESET to advise them of the issue? Does akc already know the website has been compromised? Since it's such a mess, should I give up (for now) trying to log into my account at akc.org? W-S-K 1 Link to comment Share on other sites More sharing options...
Most Valued Members Nightowl 206 Posted November 2, 2021 Most Valued Members Share Posted November 2, 2021 6 hours ago, gretchen6205 said: I do not have the expertise to go back to akc to tell them their website has been compromised, they'll only ask for more details that I do not have. Is it possible for ESET to advise them of the issue? Does akc already know the website has been compromised? Since it's such a mess, should I give up (for now) trying to log into my account at akc.org? If the website isn't yours , and still you want to help , all you need to do is send them an email with the detection message screenshot attached, that's all you can do from your side. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,143 Posted November 2, 2021 Administrators Share Posted November 2, 2021 You can also send them a link to VT results: https://www.virustotal.com/gui/file/a64dbbbedde687860ea1c41e6bf1a640b1a20514c06bc3f45b5d12dca6f4a543 Link to comment Share on other sites More sharing options...
Malika 0 Posted December 24, 2021 Share Posted December 24, 2021 Having the same issues for https://baysuit.org This is my website and I have scanned all my files no virus What should I do? Link to comment Share on other sites More sharing options...
Administrators Marcos 5,143 Posted December 24, 2021 Administrators Share Posted December 24, 2021 3 hours ago, Malika said: Having the same issues for https://baysuit.org This is my website and I have scanned all my files no virus What should I do? Searching for "if(ndsw===undefined)" should help you locate the malicious javascript. Link to comment Share on other sites More sharing options...
Malika 0 Posted December 28, 2021 Share Posted December 28, 2021 On 12/24/2021 at 5:45 AM, Marcos said: Searching for "if(ndsw===undefined)" should help you locate the malicious javascript. Tried searching the string and I found over 700 strings having the same thing, what do you think I should do Link to comment Share on other sites More sharing options...
itman 1,707 Posted December 28, 2021 Share Posted December 28, 2021 I just scanned the web site at Quttera and it didn't find anything: https://quttera.com/detailed_report/baysuit.org Link to comment Share on other sites More sharing options...
mmila 0 Posted January 29, 2022 Share Posted January 29, 2022 Hi all, recently I accessed a Google website and it triggered my ESET Antivirus that I have downloaded on my PC. It said that the threat has been found because of JS/Agent.PIV trojan, the access has been blocked and connection terminated. The page never opened, I deleted it from Chrome history and didn't access again. After that I saw the threat is stored in my ESET quarantine, I guess that means it can't create any damage. Is my computer fully safe and what would happen if I delete it from quarantine? Will it be deleted from my computer fully or put back? Also, do I need to manually delete the stuff from quarantine, or is ESET going to do that after some time? Thank you. Kind Regards. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,143 Posted January 29, 2022 Administrators Share Posted January 29, 2022 41 minutes ago, mmila said: It said that the threat has been found because of JS/Agent.PIV trojan, the access has been blocked and connection terminated. ESET blocked the threat, your computer is safe. Link to comment Share on other sites More sharing options...
mmila 0 Posted January 29, 2022 Share Posted January 29, 2022 Thanks @Marcos, that's a relief. What about my question about quarantine. What will happen if I delete it from quarantine, will I manage to remove it fully from my computer, or is ESET going to do that after some time? Link to comment Share on other sites More sharing options...
Administrators Marcos 5,143 Posted January 29, 2022 Administrators Share Posted January 29, 2022 Files in quarantine are stored in an encrypted form so they don't pose any risk. Feel free to delete quarantined files unless you suspect them to be false positives which is not the case. Link to comment Share on other sites More sharing options...
Stefano1045 0 Posted February 23, 2022 Share Posted February 23, 2022 the same message came to me when I tried to access my blog. I temporarily uninstalled ESET web protection and entered my blog (in wordpress), but wordpress says the site is ok. So? Stefano https://imgur.com/Dy8eoCd Link to comment Share on other sites More sharing options...
Administrators Marcos 5,143 Posted February 23, 2022 Administrators Share Posted February 23, 2022 22 minutes ago, Stefano1045 said: the same message came to me when I tried to access my blog. I temporarily uninstalled ESET web protection and entered my blog (in wordpress), but wordpress says the site is ok. So? Searching for "token=function()" should help you locate the malicious JavaScript. Link to comment Share on other sites More sharing options...
Stefano1045 0 Posted February 27, 2022 Share Posted February 27, 2022 Thank you, but: maybe i have to search some other way? Please note that I am not a webmaster Link to comment Share on other sites More sharing options...
itman 1,707 Posted February 27, 2022 Share Posted February 27, 2022 (edited) 2 hours ago, Stefano1045 said: Thank you, but: maybe i have to search some other way? I scanned your domain, hxxps://librilettiscritti.it/, at Quttera. It contains 10 malicious files. The scan report: https://quttera.com/detailed_report/librilettiscritti.it , contains all the detail you need to find the malicious code references. If you don't have the technical skills to remove this malware, you will have to hire someone; e.g. Quttera, to remove the malware for you. In your case however, it appears this would be the webmaster responsibility since the malicious code is being injected from a remote source. That is, the web server is not properly secured and is probably infected. Edited February 27, 2022 by itman mallard65 1 Link to comment Share on other sites More sharing options...
Recommended Posts