Jump to content

Website False Positive


Recommended Posts

Our e-commerce website is being blocked by ESET for a false positive for malware. (JS/Spy.Banker.KJ).

Please help us remove the false positive and whitelist the website: https://baofengtech.com

Thank you

screenshot.png

Link to comment
Share on other sites

  • Administrators

The detection is correct. Searching for "onload=' (function ()" should help you locate the malicious JavaScript.

Link to comment
Share on other sites

1 hour ago, Marcos said:

The detection is correct.

From 93 software on 'Virus Total" only ONE detects this site as "malicious" (and is not ESET)

ESET.png

Link to comment
Share on other sites

I will also note that since the server associated with this web site is deploying a web application firewall, scanning of the web site via public validation sources will not show the malware on the web site:

Eset_Crawlers.thumb.png.f886553a5346b5bb97183bd667176e22.png

Edited by itman
Link to comment
Share on other sites

I would also strongly advise appropriate web site temporary mitigations be deployed until this matter is resolved:

Quote

Technical Details

Trojan-Spy:W32/Banker is a large family of data-stealing trojans. Banker variants attempt to steal access information for various online banking and payment system websites. Details stolen include login credentials, passwords, PINs and so on. The stolen information is usually uploaded to a hacker's website using a webform.

The most vulnerable users are those whose logins and passwords for sensitive online banking or payment accounts remain static at each login session. For this reason, many online banking websites are changing their security processes to use one-time passwords that expire after being used once.

Edited by itman
Link to comment
Share on other sites

6 hours ago, rotaru said:

From 93 software on 'Virus Total" only ONE detects this site as "malicious" (and is not ESET)

ESET.png

We did reach out to Netcraft and they have rescanned the site and they confirmed the issue was resolved (email attached).

We run both Jetpack and Wordfence website scans which confirm no malicious code detected or present, we also flushed any cache from cloud flare. Searching for "onload=' (function ()" also did not bring up anything out of the ordinary.

What are other steps we can run? Thanks!

 

Email.png

Link to comment
Share on other sites

25 minutes ago, BTECH said:

We did reach out to Netcraft and they have rescanned the site and they confirmed the issue was resolved (email attached).

What the poster of the VT results did not do was perform a web site re-scan. The results he posted are 3 months old.

When I did a rescan at VT a few hours ago, NetCraft showed no detections. I assume the previous NetCraft detection was removed some time ago.

Note that VT web site analysis is static for vendors posted there. They are not performing detailed dynamic analysis such as analyzing malicious javascript code as Eset installed web access product scanning does.

Edited by itman
Link to comment
Share on other sites

1 hour ago, Marcos said:

It's still there:

image.png

This was traced back to a HTML block in the Wordpress theme, either way - the block has been deleted.

Please confirm that the issue is resolved - thank you for your help.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...