BTECH, posted June 20, 2022:

Our e-commerce website is being blocked by ESET as a false positive for malware (JS/Spy.Banker.KJ). Please help us remove the false positive and whitelist the website: https://baofengtech.com

Thank you
Marcos (ESET Administrator), posted June 21, 2022:

The detection is correct. Searching for "onload=' (function ()" should help you locate the malicious JavaScript.
rotaru, posted June 21, 2022:

Marcos said: "The detection is correct."

Of the 93 products on VirusTotal, only ONE detects this site as "malicious" (and it is not ESET).
Marcos (ESET Administrator), posted June 21, 2022:

ESET did not blacklist the website; it detects and blocks the malicious JS on it.
itman, posted June 21, 2022:

I will also note that since the server associated with this web site is deploying a web application firewall, scanning of the web site via public validation sources will not show the malware on the web site.
itman, posted June 21, 2022:

I would also strongly advise appropriate web site temporary mitigations be deployed until this matter is resolved:

Quote (Technical Details): Trojan-Spy:W32/Banker is a large family of data-stealing trojans. Banker variants attempt to steal access information for various online banking and payment system websites. Details stolen include login credentials, passwords, PINs and so on. The stolen information is usually uploaded to a hacker's website using a webform. The most vulnerable users are those whose logins and passwords for sensitive online banking or payment accounts remain static at each login session. For this reason, many online banking websites are changing their security processes to use one-time passwords that expire after being used once.
https://www.f-secure.com/v-descs/trojan-spy_w32_banker.shtml
BTECH (thread author), posted June 21, 2022:

rotaru said: "Of the 93 products on VirusTotal, only ONE detects this site as "malicious" (and it is not ESET)."

We did reach out to Netcraft and they have rescanned the site and they confirmed the issue was resolved (email attached). We run both Jetpack and Wordfence website scans which confirm no malicious code detected or present; we also flushed any cache from Cloudflare. Searching for "onload=' (function ()" also did not bring up anything out of the ordinary. What are other steps we can run? Thanks!
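A way to run the search Marcos suggested directly against the theme and plugin files on the server rather than through a cached or WAF-fronted page, as an added example that is not from the thread or from ESET. It tolerates the whitespace and quote variations minifiers introduce, decodes HTML entities (a theme editor may store the block entity-encoded), and the sample strings below are constructed for the demonstration.

```python
import html
import re
import sys
from pathlib import Path

# Inline event handler whose value opens an immediately-invoked function,
# e.g. onload=' (function () ...'. Spacing and quote style are optional
# because editors and minifiers vary them; a plain text search misses those.
HANDLER_RE = re.compile(
    r"""\bon(?:load|error|pageshow)\s*=\s*["']?\s*\(\s*function\s*\(""",
    re.IGNORECASE,
)

def find_inline_iife_handlers(text: str) -> list:
    """Return (line_number, snippet) for each suspicious handler in text.
    Entities are decoded first so content stored as &#39;(function&#39;
    is matched as well."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        decoded = html.unescape(line)
        m = HANDLER_RE.search(decoded)
        if m:
            start = max(0, m.start() - 20)
            hits.append((lineno, decoded[start:m.end() + 40].strip()))
    return hits

def scan_tree(root: str, suffixes=(".php", ".html", ".htm", ".js", ".sql")) -> dict:
    """Walk a wp-content directory (or a database dump) and map each file
    containing the pattern to its hits. Custom HTML blocks live in the
    database, so include a wp_posts/wp_options export among the inputs."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_inline_iife_handlers(
                path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                results[str(path)] = hits
    return results

# Constructed samples: a benign handler and two forms of the suspicious one.
SAMPLE_CLEAN = '<body onload="init()">\n<script>var x = 1;</script>\n'
SAMPLE_SUSPECT = ("<div>header</div>\n"
                  "<body onload=' (function () { /* placeholder */ })()'>\n"
                  "<img onerror=&#39;(function(){})()&#39; src=x>\n")

if __name__ == "__main__":
    for file, hits in scan_tree(sys.argv[1]).items():
        for lineno, snippet in hits:
            print(f"{file}:{lineno}: {snippet}")
```

Run it as `python scan.py /var/www/html/wp-content` (path is an assumption) and review every reported line by hand; the regex flags the opening of a handler, not whether its body is harmful.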
Marcos (ESET Administrator), posted June 21, 2022:

It's still there.
itman, posted June 21, 2022:

BTECH said: "We did reach out to Netcraft and they have rescanned the site and they confirmed the issue was resolved (email attached)."

What the poster of the VT results did not do was perform a web site re-scan. The results he posted are 3 months old. When I did a rescan at VT a few hours ago, Netcraft showed no detections. I assume the previous Netcraft detection was removed some time ago. Note that VT web site analysis is static for vendors posted there. They are not performing detailed dynamic analysis such as analyzing malicious JavaScript code as ESET's installed web access product scanning does.
BTECH (thread author), posted June 21, 2022:

Marcos said: "It's still there."

This was traced back to an HTML block in the WordPress theme; either way, the block has been deleted. Please confirm that the issue is resolved. Thank you for your help.
Marcos (ESET Administrator), posted June 21, 2022:

I've tried browsing the website and no alert was generated, so it looks clean now.
BTECH (thread author), posted June 21, 2022:

Thank you for your assistance!