
JS/Agent.OZD trojanAccess Detection



Hi,

 

My website is detected with JS/Agent.OZD trojanAccess.

1. How can I scan and detect if this is a false positive and if not which files are infected, so I can clean it up? Is there a tool to scan a web site and find infected files?

I am not providing the URL to my site, so I can scan it myself and clean it.

2. If I found a file, how do I know which JS code is injected?

Thanks


Thanks for your response Marco. I would not like to provide the URL in the public forum here. 

So my requests are:

1. How can I scan and detect which files are infected, so I can clean it up? Is there a tool to scan a web site and find infected files?

2. If I found a file, how do I know which JS code is injected?

 

Thanks


  • Administrators

You can browse the website and upon detection of the threat check the path to the infected file in the Detections log.


Thanks. Using which tool do I need to do this? What software to download?

Can you please provide a download link for this?

Thanks


  • Administrators

You can use any web browser. Or use a web spider which will download the web pages to the disk.


It seems I was not clear:

 

>You can browse the website and upon detection of the threat check the path to the infected file in the Detections log.

Do I need your software to detect this threat? If so, what software should I download to detect it and what is the download URL?

 

Thanks


I installed the ESET Internet Security software; however, this did not detect anything on my website.

 

Is there any other detection tool I should use?

 

Thanks


Ok, I was able to finally find the log file and see the detection.

I only see the main domain name. Please see attached. So how can I know which file is infected so I can clean it up?

 

Thanks

error.png


Under the same domain but a different WordPress instance, I have another website. ESET flags that instance as well with the same JS/Agent.OZD trojanAccess.

 

It seems ESET just looks at the domain and not the actual file. This seems to be a false positive.

Are there other ways we can talk to your support to resolve this issue quickly, so your users do not get this flagged properly.

 

Thanks

Edited by Mike2022

  • Administrators

Dropping me a personal message with the URL enclosed would be the best course of action. You can also try scanning the site at www.quttera.com which sometimes finds the malware that ESET detects.


  • Administrators

There are several infected files, here are a couple of them:

/wp-content/plugins/bootstrap-modals/js/bootstrap.min.js?ver=3.3.7
/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.5.6
/wp-content/plugins/jquery-updater/js/jquery-3.6.0.min.js?ver=3.6.0
/wp-content/plugins/jquery-updater/js/jquery-migrate-3.3.2.min.js?ver=3.3.2
/wp-content/plugins/megamenu/js/maxmegamenu.js?ver=2.9.5
/wp-content/plugins/modal-popup-box/assets/js/modal/classie.js?ver=5.9.1
/wp-content/plugins/modal-popup-box/assets/js/modal/cssParser.js?ver=5.9.1
/wp-content/plugins/modal-popup-box/assets/js/modal/modernizr.custom.js?ver=5.9.1
/wp-content/plugins/modal-window/public/assets/js/jquery.effects.min.js?ver=5.3
/wp-content/plugins/modal-window/public/assets/js/jquery.modalWindow.min.js?ver=5.3
/wp-content/plugins/revslider/public/assets/js/rbtools.min.js?ver=6.5.9
/wp-content/plugins/revslider/public/assets/js/rs6.min.js?ver=6.5.9
/wp-content/plugins/thrive-headline-optimizer/frontend/js/header.min.js?ver=2.3.1
/wp-content/plugins/thrive-headline-optimizer/frontend/js/triggers.min.js?ver=2.3.1
/wp-content/plugins/thrive-leads/thrive-dashboard/js/dist/frontend.min.js?ver=3.6.2
/wp-content/plugins/thrive-ultimatum/js/dist/no-campaign.min.js?v=3.5
/wp-content/plugins/thrive-visual-editor/editor/js/dist/modules/dropdown.min.js?v=3.7&ver=3.7
/wp-content/plugins/thrive-visual-editor/editor/js/dist/modules/general.min.js?ver=3.7
/wp-content/plugins/thrive-visual-editor/editor/js/dist/modules/post-grid-compat.min.js?v=3.7&ver=3.7
/wp-content/plugins/thrive-visual-editor/editor/js/dist/modules/post-list.min.js?v=3.7&ver=3.7
/wp-content/plugins/wp-testimonial-with-widget/assets/js/slick.min.js?ver=3.0.6
/wp-content/plugins/wp-testimonial-with-widget/assets/js/wtwp-testimonail-public.js?ver=3.0.6
/wp-content/themes/dana/assets/js/custom-script.js?ver=5.9.1
/wp-content/themes/dana/assets/js/main.js?ver=5.9.1
/wp-content/themes/dana/assets/js/NiceScrollBar.js?ver=5.9.1
/wp-content/themes/dana/assets/vendors/backtop/backtop.min.js?ver=5.9.1
/wp-content/themes/dana/assets/vendors/bootstrap/js/bootstrap.min.js?ver=5.9.1
/wp-content/themes/dana/assets/vendors/html5lightbox/html5lightbox.js?ver=5.9.1
/wp-content/themes/dana/assets/vendors/loading/loading.js?ver=5.9.1
/wp-content/themes/dana/assets/vendors/particles/app.min.js?ver=5.9.1
/wp-content/themes/dana/assets/vendors/particles/particles.min.js?ver=5.9.1
/wp-includes/js/dist/vendor/regenerator-runtime.min.js?ver=0.13.9
/wp-includes/js/dist/vendor/wp-polyfill.min.js?ver=3.15.0
/wp-includes/js/hoverIntent.min.js?ver=1.10.2
/wp-includes/js/imagesloaded.min.js?ver=4.1.4
/wp-includes/js/jquery/jquery.masonry.min.js?ver=3.1.2b
/wp-includes/js/jquery/ui/core.min.js?ver=1.13.1
/wp-includes/js/jquery/ui/effect.min.js?ver=1.13.1
/wp-includes/js/jquery/ui/effect-slide.min.js?ver=1.13.1
/wp-includes/js/masonry.min.js?ver=4.2.2

Searching for "if (ndsj === undefined)" should help you locate the malicious JavaScript.

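One way to run the search suggested above over a local copy of the site's files, as an added example that is not part of the original thread. The sample tree, its file names and the placeholder body are constructed for the demonstration; the regular expression tolerates whitespace differences in case a minifier has rewritten the marker.

```python
import os
import re
import tempfile

# Marker string quoted in the thread; \s* tolerates re-minified or reformatted copies.
MARKER = re.compile(rb"if\s*\(\s*ndsj\s*===\s*undefined\s*\)")

def find_marker(data):
    """Return (byte offset, 1-based line, bytes from marker to EOF) or None."""
    m = MARKER.search(data)
    if m is None:
        return None
    line = data.count(b"\n", 0, m.start()) + 1
    return m.start(), line, len(data) - m.start()

def scan_tree(root):
    """Walk root and map each matching .js file (relative path) to its hit."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hit = find_marker(fh.read())
            if hit:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = hit
    return hits

def build_sample_tree(root):
    """Constructed sample: one clean file, one with a harmless stand-in snippet."""
    files = {
        "wp-includes/js/clean.min.js": b"(function(){var a=1;})();\n",
        "wp-content/themes/demo/main.js": b"var menu = {};\n;if (ndsj === undefined) { /* placeholder body */ }\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)

if __name__ == "__main__":
    for path, (offset, line, tail) in sorted(demo().items()):
        print(f"{path}: marker at byte {offset}, line {line}, {tail} bytes to EOF")
```

On a real site, call `scan_tree()` on the WordPress root; the reported offset and line show where in each file to look, and comparing a flagged file with a fresh copy from the plugin, theme or WordPress release shows exactly what was added.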

  • 2 weeks later...

Hi.

 

I had cleaned this some time back and we don't have an issue, and ESET does not report an issue, but a user has sent a screenshot that shows ESET detected an issue.

 

How to resolve it?

 

 


  • Administrators

The website is not blacklisted, however, you still have adware there:

 

 
