Posted

Hi,

 

my website is detected with JS/Agent.OZD trojanAccess.

1. How can I scan and detect if this is a false positive and if not which files are infected, so I can clean it up? Is there a tool to scan a web site and find infected files?

I am not providing the URL to my site, so I can scan it myself and clean it.

2. If I found a file, how do I know which JS code is injected?

Thanks

  • Administrators
Posted

What is the website URL? The detection is very likely correct.

Posted

Thanks for your response Marco. I would not like to provide the URL in the public forum here. 

So my requests are:

1. How can I scan and detect which files are infected, so I can clean it up? Is there a tool to scan a web site and find infected files?

2. If I found a file, how do I know which JS code is injected?

 

Thanks

  • Administrators
Posted

You can browse the website and upon detection of the threat check the path to the infected file in the Detections log.

Posted

Thanks. Which tool do I need to use to do this? What software should I download?

Can you please provide download link for this?

Thanks

  • Administrators
Posted

You can use any web browser. Or use a web spider which will download the web pages to the disk.

Posted

It seems, I was not clear:

 

>You can browse the website and upon detection of the threat check the path to the infected file in the Detections log.

Do I need your software to detect this threat? If so, what software should I download to detect it and what is the download URL?

 

Thanks

Posted

I installed the ESET Internet Security software; however, this did not detect anything on my website.

Is there any other detection tool I should use?

Thanks

Posted

Hi again.

 

Where is the Detections log located?

 

 

Posted

Ok, I was able to finally find the log file and see the detection.

I only see the main domain name. Please see attached. So how can I know which file is infected so I can clean it up?

Thanks

error.png

  • Administrators
Posted

It should be in the file that is opened by default, i.e. index.html.

Posted

It is a WordPress instance; what would be the filename there?

What should I look for in the file?

Posted

Please see attached. I checked index.php and there is no JS code here.

 

error2.png

Posted (edited)

Under the same domain but in a different WordPress instance, I have another website. ESET flags that instance as well with the same JS/Agent.OZD trojanAccess.

It seems ESET just looks at the domain and not the actual file. This seems to be a false positive.

Are there other ways we can talk to your support to resolve this issue quickly, so your users do not get this flagged properly?

Thanks

Edited by Mike2022
  • Administrators
Posted

Dropping me a personal message with the URL enclosed would be the best course of action. You can also try scanning the site at www.quttera.com, which sometimes finds the malware that ESET detects.

  • Administrators
Posted

There are several infected files, here are a couple of them:

/wp-content/plugins/bootstrap-modals/js/bootstrap.min.js?ver=3.3.7
/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.5.6
/wp-content/plugins/jquery-updater/js/jquery-3.6.0.min.js?ver=3.6.0
/wp-content/plugins/jquery-updater/js/jquery-migrate-3.3.2.min.js?ver=3.3.2
/wp-content/plugins/megamenu/js/maxmegamenu.js?ver=2.9.5
/wp-content/plugins/modal-popup-box/assets/js/modal/classie.js?ver=5.9.1
/wp-content/plugins/modal-popup-box/assets/js/modal/cssParser.js?ver=5.9.1
/wp-content/plugins/modal-popup-box/assets/js/modal/modernizr.custom.js?ver=5.9.1
/wp-content/plugins/modal-window/public/assets/js/jquery.effects.min.js?ver=5.3
/wp-content/plugins/modal-window/public/assets/js/jquery.modalWindow.min.js?ver=5.3
/wp-content/plugins/revslider/public/assets/js/rbtools.min.js?ver=6.5.9
/wp-content/plugins/revslider/public/assets/js/rs6.min.js?ver=6.5.9
/wp-content/plugins/thrive-headline-optimizer/frontend/js/header.min.js?ver=2.3.1
/wp-content/plugins/thrive-headline-optimizer/frontend/js/triggers.min.js?ver=2.3.1
/wp-content/plugins/thrive-leads/thrive-dashboard/js/dist/frontend.min.js?ver=3.6.2
/wp-content/plugins/thrive-ultimatum/js/dist/no-campaign.min.js?v=3.5
/wp-content/plugins/thrive-visual-editor/editor/js/dist/modules/dropdown.min.js?v=3.7&ver=3.7
/wp-content/plugins/thrive-visual-editor/editor/js/dist/modules/general.min.js?ver=3.7
/wp-content/plugins/thrive-visual-editor/editor/js/dist/modules/post-grid-compat.min.js?v=3.7&ver=3.7
/wp-content/plugins/thrive-visual-editor/editor/js/dist/modules/post-list.min.js?v=3.7&ver=3.7
/wp-content/plugins/wp-testimonial-with-widget/assets/js/slick.min.js?ver=3.0.6
/wp-content/plugins/wp-testimonial-with-widget/assets/js/wtwp-testimonail-public.js?ver=3.0.6
/wp-content/themes/dana/assets/js/custom-script.js?ver=5.9.1
/wp-content/themes/dana/assets/js/main.js?ver=5.9.1
/wp-content/themes/dana/assets/js/NiceScrollBar.js?ver=5.9.1
/wp-content/themes/dana/assets/vendors/backtop/backtop.min.js?ver=5.9.1
/wp-content/themes/dana/assets/vendors/bootstrap/js/bootstrap.min.js?ver=5.9.1
/wp-content/themes/dana/assets/vendors/html5lightbox/html5lightbox.js?ver=5.9.1
/wp-content/themes/dana/assets/vendors/loading/loading.js?ver=5.9.1
/wp-content/themes/dana/assets/vendors/particles/app.min.js?ver=5.9.1
/wp-content/themes/dana/assets/vendors/particles/particles.min.js?ver=5.9.1
/wp-includes/js/dist/vendor/regenerator-runtime.min.js?ver=0.13.9
/wp-includes/js/dist/vendor/wp-polyfill.min.js?ver=3.15.0
/wp-includes/js/hoverIntent.min.js?ver=1.10.2
/wp-includes/js/imagesloaded.min.js?ver=4.1.4
/wp-includes/js/jquery/jquery.masonry.min.js?ver=3.1.2b
/wp-includes/js/jquery/ui/core.min.js?ver=1.13.1
/wp-includes/js/jquery/ui/effect.min.js?ver=1.13.1
/wp-includes/js/jquery/ui/effect-slide.min.js?ver=1.13.1
/wp-includes/js/masonry.min.js?ver=4.2.2

Searching for "if (ndsj === undefined)" should help you locate the malicious javascript.
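
One way to run the search suggested above over a local copy of the site (an added example, not part of the original posts and not ESET tooling): it matches the marker with optional whitespace, so both spellings quoted in this thread are found, and it maps a reported URL path with its ?ver= suffix to a file on disk. The function names, the webroot layout and the sample tree are assumptions constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Marker quoted in the thread. Whitespace is optional so that minified
# ("if(ndsj===undefined)") and spaced copies are both found.
MARKER = re.compile(rb"if\s*\(\s*ndsj\s*===\s*undefined\s*\)")

def url_to_disk(webroot, url_path):
    """Map a reported URL path (e.g. with ?ver=...) to a file under webroot."""
    root = Path(webroot).resolve()
    target = (root / urlsplit(url_path).path.lstrip("/")).resolve()
    if root not in target.parents:  # refuse paths that leave the webroot
        raise ValueError(f"path escapes webroot: {url_path}")
    return target

def scan_tree(webroot, suffixes=(".js", ".php", ".html")):
    """Return {relative path: [byte offsets of the marker]} for matching files."""
    root = Path(webroot).resolve()
    hits = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            # Byte offsets, not line numbers: minified files are one long line.
            offsets = [m.start() for m in MARKER.finditer(path.read_bytes())]
            if offsets:
                hits[path.relative_to(root).as_posix()] = offsets
    return hits

def demo():
    """Scan a constructed tree whose 'infected' files hold only the marker."""
    clean = b"console.log('clean');"
    samples = {  # constructed sample content, harmless placeholders
        "wp-includes/js/masonry.min.js": clean + b";if(ndsj===undefined){}",
        "wp-content/themes/dana/assets/js/main.js": b"if (ndsj === undefined) {}\n" + clean,
        "wp-content/plugins/megamenu/js/maxmegamenu.js": clean,
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            f = Path(tmp) / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(body)
        disk = url_to_disk(tmp, "/wp-includes/js/masonry.min.js?ver=4.2.2")
        return scan_tree(tmp), disk.relative_to(Path(tmp).resolve()).as_posix()

if __name__ == "__main__":
    print(demo())
```

On a real site, point scan_tree at the server's document root or a downloaded copy; files that match are best restored from a clean copy of the same plugin, theme or WordPress version.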

  • 2 weeks later...
Posted

Hi.

 

I had cleaned this some time back and we don't have an issue, and ESET does not report an issue, but a user has sent a screenshot that shows ESET detected an issue.

 

How to resolve it?

 

 

  • Administrators
Posted

The website is not blacklisted, however, you still have adware there:

Posted

Can you privately message and let me know which Adware?

 

and which file?

 

Thanks

  • 1 month later...
Posted

Hi, ESET has just started to report JS/Agent.OZD threats on website www.ariadnesoftware.co.uk.  Most of this site is intentionally redirected to a newer site, but a few pages are still in use (example URL: www.ariadnesoftware.co.uk/support).  I tried scanning the site with quttera.com but no malicious files were found.

Any pointers to the nature/location of the threat would be most welcome.

  • Administrators
Posted
On 6/10/2022 at 1:47 PM, kcooke said:

> Hi, ESET has just started to report JS/Agent.OZD threats on website www.ariadnesoftware.co.uk. Most of this site is intentionally redirected to a newer site, but a few pages are still in use (example URL: www.ariadnesoftware.co.uk/support). I tried scanning the site with quttera.com but no malicious files were found.
>
> Any pointers to the nature/location of the threat would be most welcome.

Infected files are in the /support/theme/hesk3/customer/js folder.

Posted
On 6/10/2022 at 4:30 PM, Marcos said:

> Infected files are in the /support/theme/hesk3/customer/js folder. Searching for "if(ndsj===undefined)" should help you locate the malicious JS.

Yes, all sorted! Many thanks for your support!

  • 5 weeks later...
Posted

I can't access the website https://www.iscouncil.org/ as it is blocked by Eset due to JS/Agent.OZD being detected.

Quttera can't find anything wrong with it, and when I try https://sitecheck.sucuri.net/ Eset indicates that site is infected too...

Could you please see if you can pinpoint the issues with the ISCouncil website? 

Thanks

  • Administrators
Posted
18 minutes ago, Melb said:

> I can't access the website https://www.iscouncil.org/ as it is blocked by Eset due to JS/Agent.OZD being detected.
>
> Quttera can't find anything wrong with it, and when I try https://sitecheck.sucuri.net/ Eset indicates that site is infected too...
>
> Could you please see if you can pinpoint the issues with the ISCouncil website?

This is the beginning of the malicious JS:

image.png
