JS/Agent.OZD trojanAccess Detection

[Mike2022 0]

Hi,

 

my website is detected with JS/Agent.OZD trojanAccess.

1. How can I scan and detect if this is a false positive and if not which files are infected, so I can clean it up? Is there a tool to scan a web site and find infected files?

I am not providing the URL to my site, so I can scan it myself and clean it.

2. If I found a file, how do I know which JS code is injected?

Thanks

[Marcos 5,070]

What it the website url? The detection is very likely correct.

[Mike2022 0]

Thanks for your response Marco. I would not like to provide the URL in the public forum here. 

So my requests are:

1. How can I scan and detect which files are infected, so I can clean it up? Is there a tool to scan a web site and find infected files?

2. If I found a file, how do I know which JS code is injected?

 

Thanks

[Marcos 5,070]

You can browse the website and upon detection of the threat check the path to the infected file in the Detections log.

[Mike2022 0]

Thanks using which tool I need to do this? What software to download? 

Can you please provide download link for this?

Thanks

[Marcos 5,070]

You can use any web browser. Or use a web spider which will download the web pages to the disk.

[Mike2022 0]

It seems, I was not clear:

 

>You can browse the website and upon detection of the threat check the path to the infected file in the Detections log.

Do I need your software to detect this threat? If so, what software should I download to detect it and what is the download URL?

 

Thanks

[Mike2022 0]

I installed the ESET Internet Security software however this did not detect anything on my website.

 

Is there any other detection tool, I should use?

 

Thanjs

[Mike2022 0]

Hi again.

 

Where is the Detections log located?

 

 

[Mike2022 0]

Ok, I was able to finally find the log file and see the detection.

I only see the the main domain name. Please see attached. So how can I know which file is infected so I can clean it up.

 

Thanks

[Marcos 5,070]

It should be in the file that is opened by default, ie. index.html.

[Mike2022 0]

It is WordPress instance, what would be the filename there?

 

What should I look for in the file? 

[Mike2022 0]

Please see attached. I checked index.php and there is no JS code here.

 

[Mike2022 0]

Under the same domain but different WordPress instance, I have other website. ESET  flags that instance as well with the same JS/Agent.OZD trojanAccess.

 

It seems ESET just looks at the domain and not actual file. This seems to be false positive.

Is there other ways we can talk to your support to resolve this issue quickly, So your users do not get this flagged properly.

 

Thanks

Edited April 15, 2022 by Mike2022

[Marcos 5,070]

Droppig me a personal message with the url enclosed would be the best course of action. You can also try scanning the site at www.quttera.com which sometimes finds the malware that ESET detects.

[Marcos 5,070]

There are several infected files, here are a couple of them:

/wp-content/plugins/bootstrap-modals/js/bootstrap.min.js?ver=3.3.7
/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.5.6
/wp-content/plugins/jquery-updater/js/jquery-3.6.0.min.js?ver=3.6.0
/wp-content/plugins/jquery-updater/js/jquery-migrate-3.3.2.min.js?ver=3.3.2
/wp-content/plugins/megamenu/js/maxmegamenu.js?ver=2.9.5
/wp-content/plugins/modal-popup-box/assets/js/modal/classie.js?ver=5.9.1
/wp-content/plugins/modal-popup-box/assets/js/modal/cssParser.js?ver=5.9.1
/wp-content/plugins/modal-popup-box/assets/js/modal/modernizr.custom.js?ver=5.9.1
/wp-content/plugins/modal-window/public/assets/js/jquery.effects.min.js?ver=5.3
/wp-content/plugins/modal-window/public/assets/js/jquery.modalWindow.min.js?ver=5.3
/wp-content/plugins/revslider/public/assets/js/rbtools.min.js?ver=6.5.9
/wp-content/plugins/revslider/public/assets/js/rs6.min.js?ver=6.5.9
/wp-content/plugins/thrive-headline-optimizer/frontend/js/header.min.js?ver=2.3.1
/wp-content/plugins/thrive-headline-optimizer/frontend/js/triggers.min.js?ver=2.3.1
/wp-content/plugins/thrive-leads/thrive-dashboard/js/dist/frontend.min.js?ver=3.6.2
/wp-content/plugins/thrive-ultimatum/js/dist/no-campaign.min.js?v=3.5
/wp-content/plugins/thrive-visual-editor/editor/js/dist/modules/dropdown.min.js?v=3.7&ver=3.7
/wp-content/plugins/thrive-visual-editor/editor/js/dist/modules/general.min.js?ver=3.7
/wp-content/plugins/thrive-visual-editor/editor/js/dist/modules/post-grid-compat.min.js?v=3.7&ver=3.7
/wp-content/plugins/thrive-visual-editor/editor/js/dist/modules/post-list.min.js?v=3.7&ver=3.7
/wp-content/plugins/wp-testimonial-with-widget/assets/js/slick.min.js?ver=3.0.6
/wp-content/plugins/wp-testimonial-with-widget/assets/js/wtwp-testimonail-public.js?ver=3.0.6
/wp-content/themes/dana/assets/js/custom-script.js?ver=5.9.1
/wp-content/themes/dana/assets/js/main.js?ver=5.9.1
/wp-content/themes/dana/assets/js/NiceScrollBar.js?ver=5.9.1
/wp-content/themes/dana/assets/vendors/backtop/backtop.min.js?ver=5.9.1
/wp-content/themes/dana/assets/vendors/bootstrap/js/bootstrap.min.js?ver=5.9.1
/wp-content/themes/dana/assets/vendors/html5lightbox/html5lightbox.js?ver=5.9.1
/wp-content/themes/dana/assets/vendors/loading/loading.js?ver=5.9.1
/wp-content/themes/dana/assets/vendors/particles/app.min.js?ver=5.9.1
/wp-content/themes/dana/assets/vendors/particles/particles.min.js?ver=5.9.1
/wp-includes/js/dist/vendor/regenerator-runtime.min.js?ver=0.13.9
/wp-includes/js/dist/vendor/wp-polyfill.min.js?ver=3.15.0
/wp-includes/js/hoverIntent.min.js?ver=1.10.2
/wp-includes/js/imagesloaded.min.js?ver=4.1.4
/wp-includes/js/jquery/jquery.masonry.min.js?ver=3.1.2b
/wp-includes/js/jquery/ui/core.min.js?ver=1.13.1
/wp-includes/js/jquery/ui/effect.min.js?ver=1.13.1
/wp-includes/js/jquery/ui/effect-slide.min.js?ver=1.13.1
/wp-includes/js/masonry.min.js?ver=4.2.2

Searching for "if (ndsj === undefined)" should help you locate the malicious javascript.

[Mike2022 0]

Thanks for the help.

[Mike2022 0]

Hi.

 

I had cleaned this sometime back and we don't have an issue and eset does not report an issue but a user has sent a screen shot that show eset detected an issue.

 

How to resolve it?

 

 

[Marcos 5,070]

The website is not blacklsited, however, you still have adware there:

 

 

[Mike2022 0]

Can you privately message and let me know which Adware?

 

and which file?

 

Thanks

[kcooke 0]

Hi, ESET has just started to report JS/Agent.OZD threats on website www.ariadnesoftware.co.uk.  Most of this site is intentionally redirected to a newer site, but a few pages are still in use (example URL: www.ariadnesoftware.co.uk/support).  I tried scanning the site with quttera.com but no malicious files were found.

Any pointers to the nature/location of the threat would be most welcome.

[Marcos 5,070]

On 6/10/2022 at 1:47 PM, kcooke said:

Hi, ESET has just started to report JS/Agent.OZD threats on website www.ariadnesoftware.co.uk.  Most of this site is intentionally redirected to a newer site, but a few pages are still in use (example URL: www.ariadnesoftware.co.uk/support).  I tried scanning the site with quttera.com but no malicious files were found.

Any pointers to the nature/location of the threat would be most welcome.

Infected files are in the /support/theme/hesk3/customer/js folder.

[kcooke 0]

On 6/10/2022 at 4:30 PM, Marcos said:

Infected files are in the /support/theme/hesk3/customer/js folder. Searching for "if(ndsj===undefined)" should help you locate the malicious JS.

Yes, all sorted!  Many thanks for your support!

[Melb 0]

I can't access the website https://www.iscouncil.org/ as it is blocked by Eset due to JS/Agent.OZD being detected.

Quttera can't find anything wrong with it, and when I try https://sitecheck.sucuri.net/ Eset indicates that site is infected too...

Could you please see if you can pinpoint the issues with the ISCouncil website? 

Thanks

[Marcos 5,070]

18 minutes ago, Melb said:

I can't access the website https://www.iscouncil.org/ as it is blocked by Eset due to JS/Agent.OZD being detected.

Quttera can't find anything wrong with it, and when I try https://sitecheck.sucuri.net/ Eset indicates that site is infected too...

Could you please see if you can pinpoint the issues with the ISCouncil website?

This is the beginning of the malicious JS: