Mike2022, posted April 14, 2022: Hi, my website is detected with JS/Agent.OZD trojanAccess. 1. How can I scan and detect if this is a false positive and, if not, which files are infected, so I can clean it up? Is there a tool to scan a website and find infected files? I am not providing the URL to my site, so I can scan it myself and clean it. 2. If I found a file, how do I know which JS code is injected? Thanks
Marcos (Administrator), posted April 14, 2022: What is the website URL? The detection is very likely correct.
Mike2022 (Author), posted April 14, 2022: Thanks for your response, Marcos. I would not like to provide the URL in the public forum here. So my requests are: 1. How can I scan and detect which files are infected, so I can clean it up? Is there a tool to scan a website and find infected files? 2. If I found a file, how do I know which JS code is injected? Thanks
Marcos (Administrator), posted April 14, 2022: You can browse the website and, upon detection of the threat, check the path to the infected file in the Detections log.
Mike2022 (Author), posted April 15, 2022: Thanks. Which tool do I need to do this? What software should I download? Can you please provide a download link for this? Thanks
Marcos (Administrator), posted April 15, 2022: You can use any web browser. Or use a web spider which will download the web pages to the disk.
Mike2022 (Author), posted April 15, 2022: It seems I was not clear:
> You can browse the website and upon detection of the threat check the path to the infected file in the Detections log.
Do I need your software to detect this threat? If so, what software should I download to detect it and what is the download URL? Thanks
Mike2022 (Author), posted April 15, 2022: I installed the ESET Internet Security software; however, this did not detect anything on my website. Is there any other detection tool I should use? Thanks
Mike2022 (Author), posted April 15, 2022: Hi again. Where is the Detections log located?
Mike2022 (Author), posted April 15, 2022: Ok, I was finally able to find the log file and see the detection. I only see the main domain name. Please see attached. So how can I know which file is infected so I can clean it up? Thanks
Marcos (Administrator), posted April 15, 2022: It should be in the file that is opened by default, i.e. index.html.
Mike2022 (Author), posted April 15, 2022: It is a WordPress instance; what would be the filename there? What should I look for in the file?
Mike2022 (Author), posted April 15, 2022: Please see attached. I checked index.php and there is no JS code here.
Mike2022 (Author), posted April 15, 2022 (edited April 15, 2022 by Mike2022): Under the same domain but a different WordPress instance, I have another website. ESET flags that instance as well with the same JS/Agent.OZD trojanAccess. It seems ESET just looks at the domain and not the actual file. This seems to be a false positive. Are there other ways we can talk to your support to resolve this issue quickly, so your users do not get this flagged improperly? Thanks
Marcos (Administrator), posted April 15, 2022: Dropping me a personal message with the URL enclosed would be the best course of action. You can also try scanning the site at www.quttera.com, which sometimes finds the malware that ESET detects.
Marcos (Administrator), posted April 15, 2022: There are several infected files; here are a couple of them:

/wp-content/plugins/bootstrap-modals/js/bootstrap.min.js?ver=3.3.7
/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.5.6
/wp-content/plugins/jquery-updater/js/jquery-3.6.0.min.js?ver=3.6.0
/wp-content/plugins/jquery-updater/js/jquery-migrate-3.3.2.min.js?ver=3.3.2
/wp-content/plugins/megamenu/js/maxmegamenu.js?ver=2.9.5
/wp-content/plugins/modal-popup-box/assets/js/modal/classie.js?ver=5.9.1
/wp-content/plugins/modal-popup-box/assets/js/modal/cssParser.js?ver=5.9.1
/wp-content/plugins/modal-popup-box/assets/js/modal/modernizr.custom.js?ver=5.9.1
/wp-content/plugins/modal-window/public/assets/js/jquery.effects.min.js?ver=5.3
/wp-content/plugins/modal-window/public/assets/js/jquery.modalWindow.min.js?ver=5.3
/wp-content/plugins/revslider/public/assets/js/rbtools.min.js?ver=6.5.9
/wp-content/plugins/revslider/public/assets/js/rs6.min.js?ver=6.5.9
/wp-content/plugins/thrive-headline-optimizer/frontend/js/header.min.js?ver=2.3.1
/wp-content/plugins/thrive-headline-optimizer/frontend/js/triggers.min.js?ver=2.3.1
/wp-content/plugins/thrive-leads/thrive-dashboard/js/dist/frontend.min.js?ver=3.6.2
/wp-content/plugins/thrive-ultimatum/js/dist/no-campaign.min.js?v=3.5
/wp-content/plugins/thrive-visual-editor/editor/js/dist/modules/dropdown.min.js?v=3.7&ver=3.7
/wp-content/plugins/thrive-visual-editor/editor/js/dist/modules/general.min.js?ver=3.7
/wp-content/plugins/thrive-visual-editor/editor/js/dist/modules/post-grid-compat.min.js?v=3.7&ver=3.7
/wp-content/plugins/thrive-visual-editor/editor/js/dist/modules/post-list.min.js?v=3.7&ver=3.7
/wp-content/plugins/wp-testimonial-with-widget/assets/js/slick.min.js?ver=3.0.6
/wp-content/plugins/wp-testimonial-with-widget/assets/js/wtwp-testimonail-public.js?ver=3.0.6
/wp-content/themes/dana/assets/js/custom-script.js?ver=5.9.1
/wp-content/themes/dana/assets/js/main.js?ver=5.9.1
/wp-content/themes/dana/assets/js/NiceScrollBar.js?ver=5.9.1
/wp-content/themes/dana/assets/vendors/backtop/backtop.min.js?ver=5.9.1
/wp-content/themes/dana/assets/vendors/bootstrap/js/bootstrap.min.js?ver=5.9.1
/wp-content/themes/dana/assets/vendors/html5lightbox/html5lightbox.js?ver=5.9.1
/wp-content/themes/dana/assets/vendors/loading/loading.js?ver=5.9.1
/wp-content/themes/dana/assets/vendors/particles/app.min.js?ver=5.9.1
/wp-content/themes/dana/assets/vendors/particles/particles.min.js?ver=5.9.1
/wp-includes/js/dist/vendor/regenerator-runtime.min.js?ver=0.13.9
/wp-includes/js/dist/vendor/wp-polyfill.min.js?ver=3.15.0
/wp-includes/js/hoverIntent.min.js?ver=1.10.2
/wp-includes/js/imagesloaded.min.js?ver=4.1.4
/wp-includes/js/jquery/jquery.masonry.min.js?ver=3.1.2b
/wp-includes/js/jquery/ui/core.min.js?ver=1.13.1
/wp-includes/js/jquery/ui/effect.min.js?ver=1.13.1
/wp-includes/js/jquery/ui/effect-slide.min.js?ver=1.13.1
/wp-includes/js/masonry.min.js?ver=4.2.2

Searching for "if (ndsj === undefined)" should help you locate the malicious JavaScript.
Mike2022 (Author), posted May 2, 2022: Hi. I had cleaned this some time back and we don't have an issue, and ESET does not report an issue, but a user has sent a screenshot that shows ESET detected an issue. How do I resolve it?
Marcos (Administrator), posted May 2, 2022: The website is not blacklisted; however, you still have adware there:
Mike2022 (Author), posted May 2, 2022: Can you privately message me and let me know which adware, and which file? Thanks
kcooke, posted June 10, 2022: Hi, ESET has just started to report JS/Agent.OZD threats on website www.ariadnesoftware.co.uk. Most of this site is intentionally redirected to a newer site, but a few pages are still in use (example URL: www.ariadnesoftware.co.uk/support). I tried scanning the site with quttera.com but no malicious files were found. Any pointers to the nature/location of the threat would be most welcome.
Marcos (Administrator), posted June 10, 2022:
> On 6/10/2022 at 1:47 PM, kcooke said: Hi, ESET has just started to report JS/Agent.OZD threats on website www.ariadnesoftware.co.uk. Most of this site is intentionally redirected to a newer site, but a few pages are still in use (example URL: www.ariadnesoftware.co.uk/support). I tried scanning the site with quttera.com but no malicious files were found. Any pointers to the nature/location of the threat would be most welcome.
Infected files are in the /support/theme/hesk3/customer/js folder.
kcooke, posted June 13, 2022:
> On 6/10/2022 at 4:30 PM, Marcos said: Infected files are in the /support/theme/hesk3/customer/js folder. Searching for "if(ndsj===undefined)" should help you locate the malicious JS.
Yes, all sorted! Many thanks for your support!
Melb, posted July 13, 2022: I can't access the website https://www.iscouncil.org/ as it is blocked by ESET due to JS/Agent.OZD being detected. Quttera can't find anything wrong with it, and when I try https://sitecheck.sucuri.net/ ESET indicates that site is infected too... Could you please see if you can pinpoint the issues with the ISCouncil website? Thanks
Marcos (Administrator), posted July 13, 2022:
> 18 minutes ago, Melb said: I can't access the website https://www.iscouncil.org/ as it is blocked by ESET due to JS/Agent.OZD being detected. Quttera can't find anything wrong with it, and when I try https://sitecheck.sucuri.net/ ESET indicates that site is infected too... Could you please see if you can pinpoint the issues with the ISCouncil website?
This is the beginning of the malicious JS: