JS/Agent.OZD trojanAccess Detection



Hi,

 

my website is detected with JS/Agent.OZD trojanAccess.

1. How can I scan and detect if this is a false positive and if not which files are infected, so I can clean it up? Is there a tool to scan a web site and find infected files?

I am not providing the URL to my site, so I can scan it myself and clean it.

2. If I found a file, how do I know which JS code is injected?

Thanks


Thanks for your response Marco. I would not like to provide the URL in the public forum here. 

So my requests are:

1. How can I scan and detect which files are infected, so I can clean it up? Is there a tool to scan a web site and find infected files?

2. If I found a file, how do I know which JS code is injected?

 

Thanks


  • Administrators

You can browse the website and upon detection of the threat check the path to the infected file in the Detections log.


Thanks. Using which tool do I need to do this? What software do I need to download?

Can you please provide a download link for this?

Thanks


  • Administrators

You can use any web browser. Or use a web spider which will download the web pages to the disk.


It seems I was not clear:

 

>You can browse the website and upon detection of the threat check the path to the infected file in the Detections log.

Do I need your software to detect this threat? If so, what software should I download to detect it and what is the download URL?

 

Thanks


I installed the ESET Internet Security software however this did not detect anything on my website.

 

Is there any other detection tool, I should use?

 

Thanks


Ok, I was able to finally find the log file and see the detection.

I only see the main domain name. Please see attached. So how can I know which file is infected so I can clean it up?

 

Thanks

error.png


Posted (edited)

Under the same domain but in a different WordPress instance, I have another website. ESET flags that instance as well with the same JS/Agent.OZD trojanAccess.

 

It seems ESET just looks at the domain and not the actual file. This seems to be a false positive.

Are there other ways we can talk to your support to resolve this issue quickly, so your users do not get this flagged properly?

 

Thanks

Edited by Mike2022

  • Administrators

Dropping me a personal message with the URL enclosed would be the best course of action. You can also try scanning the site at www.quttera.com which sometimes finds the malware that ESET detects.


  • Administrators

There are several infected files, here are a couple of them:

/wp-content/plugins/bootstrap-modals/js/bootstrap.min.js?ver=3.3.7
/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.5.6
/wp-content/plugins/jquery-updater/js/jquery-3.6.0.min.js?ver=3.6.0
/wp-content/plugins/jquery-updater/js/jquery-migrate-3.3.2.min.js?ver=3.3.2
/wp-content/plugins/megamenu/js/maxmegamenu.js?ver=2.9.5
/wp-content/plugins/modal-popup-box/assets/js/modal/classie.js?ver=5.9.1
/wp-content/plugins/modal-popup-box/assets/js/modal/cssParser.js?ver=5.9.1
/wp-content/plugins/modal-popup-box/assets/js/modal/modernizr.custom.js?ver=5.9.1
/wp-content/plugins/modal-window/public/assets/js/jquery.effects.min.js?ver=5.3
/wp-content/plugins/modal-window/public/assets/js/jquery.modalWindow.min.js?ver=5.3
/wp-content/plugins/revslider/public/assets/js/rbtools.min.js?ver=6.5.9
/wp-content/plugins/revslider/public/assets/js/rs6.min.js?ver=6.5.9
/wp-content/plugins/thrive-headline-optimizer/frontend/js/header.min.js?ver=2.3.1
/wp-content/plugins/thrive-headline-optimizer/frontend/js/triggers.min.js?ver=2.3.1
/wp-content/plugins/thrive-leads/thrive-dashboard/js/dist/frontend.min.js?ver=3.6.2
/wp-content/plugins/thrive-ultimatum/js/dist/no-campaign.min.js?v=3.5
/wp-content/plugins/thrive-visual-editor/editor/js/dist/modules/dropdown.min.js?v=3.7&ver=3.7
/wp-content/plugins/thrive-visual-editor/editor/js/dist/modules/general.min.js?ver=3.7
/wp-content/plugins/thrive-visual-editor/editor/js/dist/modules/post-grid-compat.min.js?v=3.7&ver=3.7
/wp-content/plugins/thrive-visual-editor/editor/js/dist/modules/post-list.min.js?v=3.7&ver=3.7
/wp-content/plugins/wp-testimonial-with-widget/assets/js/slick.min.js?ver=3.0.6
/wp-content/plugins/wp-testimonial-with-widget/assets/js/wtwp-testimonail-public.js?ver=3.0.6
/wp-content/themes/dana/assets/js/custom-script.js?ver=5.9.1
/wp-content/themes/dana/assets/js/main.js?ver=5.9.1
/wp-content/themes/dana/assets/js/NiceScrollBar.js?ver=5.9.1
/wp-content/themes/dana/assets/vendors/backtop/backtop.min.js?ver=5.9.1
/wp-content/themes/dana/assets/vendors/bootstrap/js/bootstrap.min.js?ver=5.9.1
/wp-content/themes/dana/assets/vendors/html5lightbox/html5lightbox.js?ver=5.9.1
/wp-content/themes/dana/assets/vendors/loading/loading.js?ver=5.9.1
/wp-content/themes/dana/assets/vendors/particles/app.min.js?ver=5.9.1
/wp-content/themes/dana/assets/vendors/particles/particles.min.js?ver=5.9.1
/wp-includes/js/dist/vendor/regenerator-runtime.min.js?ver=0.13.9
/wp-includes/js/dist/vendor/wp-polyfill.min.js?ver=3.15.0
/wp-includes/js/hoverIntent.min.js?ver=1.10.2
/wp-includes/js/imagesloaded.min.js?ver=4.1.4
/wp-includes/js/jquery/jquery.masonry.min.js?ver=3.1.2b
/wp-includes/js/jquery/ui/core.min.js?ver=1.13.1
/wp-includes/js/jquery/ui/effect.min.js?ver=1.13.1
/wp-includes/js/jquery/ui/effect-slide.min.js?ver=1.13.1
/wp-includes/js/masonry.min.js?ver=4.2.2

Searching for "if (ndsj === undefined)" should help you locate the malicious JavaScript.

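The admin's advice above boils down to two steps: find every JS file under the WordPress tree that contains the "ndsj" marker, then work out which part of each file is the injected code. The script below is an added example (not ESET's tool and not code from this thread) that does both offline. It assumes the marker string quoted above, matches it whitespace-insensitively so both "if (ndsj === undefined)" and "if(ndsj===undefined)" are caught, and isolates the injection by comparing a hit against a clean copy of the same library (for example the file from the plugin's official release ZIP) when the injection was simply appended. The sample tree it builds is constructed for the demo and contains no real payload.

```python
"""Locate JS files carrying the "ndsj" marker and isolate the injected tail.

Added example, not ESET's software. Assumes the search string quoted in the
thread; the sample files below are constructed and contain no real malware.
"""
import re
import tempfile
from pathlib import Path

# Whitespace-tolerant form of the string the thread quotes:
# "if (ndsj === undefined)" / "if(ndsj===undefined)".
MARKER = re.compile(r"if\s*\(\s*ndsj\s*===\s*undefined\s*\)")


def find_marker(text: str):
    """Return the character offset of the marker in `text`, or None."""
    m = MARKER.search(text)
    return m.start() if m else None


def scan_tree(root, suffixes=(".js",)):
    """Walk `root` and return a sorted list of (relative_path, offset, length)
    for every file with a matching suffix whose contents contain the marker."""
    hits = []
    root = Path(root)
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        try:
            # errors="replace": minified vendor files are sometimes not clean UTF-8
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        off = find_marker(text)
        if off is not None:
            hits.append((path.relative_to(root).as_posix(), off, len(text)))
    return sorted(hits)


def injected_tail(clean: str, infected: str):
    """If `infected` is the clean file with code appended, return the appended
    part; otherwise None (the file was altered elsewhere, so diff it instead)."""
    if infected.startswith(clean) and len(infected) > len(clean):
        return infected[len(clean):]
    return None


# Constructed sample content: a minified-looking library, and the same file
# with a placeholder tail that only mimics the marker shape.
CLEAN_JS = "/*! lib v1.0 */!function(e){e.ready=function(f){f()}}(window);"
INJECTED_JS = CLEAN_JS + "\nif (ndsj === undefined) { /* constructed placeholder */ }"


def demo():
    """Build a throwaway WordPress-like tree, scan it, and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content/plugins/example/js").mkdir(parents=True)
        (root / "wp-includes/js").mkdir(parents=True)
        (root / "wp-content/plugins/example/js/app.min.js").write_text(INJECTED_JS)
        (root / "wp-includes/js/clean.min.js").write_text(CLEAN_JS)
        # A non-.js file mentioning the name is skipped by the suffix filter.
        (root / "wp-content/plugins/example/readme.txt").write_text("ndsj")
        return scan_tree(root)


if __name__ == "__main__":
    for rel, off, length in demo():
        print(f"{rel}: marker at character {off} of {length}")
    print("injected tail:", injected_tail(CLEAN_JS, INJECTED_JS))
```

On a real site, point `scan_tree` at the document root and, for each hit, pass the pristine file from the plugin or theme release and the infected copy to `injected_tail`; a `None` result means the injection is not a simple append and the two files should be diffed line by line. The marker is only the string ESET staff quoted for this campaign, so a clean scan result does not prove the site is clean, and the `?ver=` query strings in the URL list above are cache-busters, not part of the on-disk filenames.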

  • 2 weeks later...

Hi.

 

I had cleaned this some time back and we don't have an issue, and ESET does not report an issue, but a user has sent a screenshot that shows ESET detected an issue.

 

How to resolve it?

 

 


  • Administrators

The website is not blacklisted, however, you still have adware there:

 

 


  • 1 month later...

Hi, ESET has just started to report JS/Agent.OZD threats on website www.ariadnesoftware.co.uk. Most of this site is intentionally redirected to a newer site, but a few pages are still in use (example URL: www.ariadnesoftware.co.uk/support). I tried scanning the site with quttera.com but no malicious files were found.

Any pointers to the nature/location of the threat would be most welcome.


  • Administrators
On 6/10/2022 at 1:47 PM, kcooke said:

>Hi, ESET has just started to report JS/Agent.OZD threats on website www.ariadnesoftware.co.uk. Most of this site is intentionally redirected to a newer site, but a few pages are still in use (example URL: www.ariadnesoftware.co.uk/support). I tried scanning the site with quttera.com but no malicious files were found.

>Any pointers to the nature/location of the threat would be most welcome.

Infected files are in the /support/theme/hesk3/customer/js folder.


On 6/10/2022 at 4:30 PM, Marcos said:

>Infected files are in the /support/theme/hesk3/customer/js folder. Searching for "if(ndsj===undefined)" should help you locate the malicious JS.

Yes, all sorted! Many thanks for your support!


  • 5 weeks later...

I can't access the website https://www.iscouncil.org/ as it is blocked by ESET due to JS/Agent.OZD being detected.

Quttera can't find anything wrong with it, and when I try https://sitecheck.sucuri.net/ ESET indicates that site is infected too...

Could you please see if you can pinpoint the issues with the ISCouncil website? 

Thanks


  • Administrators
18 minutes ago, Melb said:

>I can't access the website https://www.iscouncil.org/ as it is blocked by ESET due to JS/Agent.OZD being detected.

>Quttera can't find anything wrong with it, and when I try https://sitecheck.sucuri.net/ ESET indicates that site is infected too...

>Could you please see if you can pinpoint the issues with the ISCouncil website?

This is the beginning of the malicious JS:

image.png
