BTECH (posted June 20):
Our e-commerce website is being blocked by ESET for a false positive for malware (JS/Spy.Banker.KJ). Please help us remove the false positive and whitelist the website: https://baofengtech.com
Thank you
Marcos, Administrator (posted June 21):
The detection is correct. Searching for "onload=' (function ()" should help you locate the malicious JavaScript.
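A small scanner for the pattern Marcos points at, added here as an example; it is not ESET's or WordPress's code and nothing in it comes from the affected site. It walks a theme or plugin directory, matches a tolerant form of the search string (either quote style, any whitespace around `=` and `(`), and reports which handler bodies also contain decoding calls such as `atob(`, a heuristic hint and not proof of malice. The sample file tree and the injected `<img onload>` line it builds are constructed for the demonstration.

```python
"""Locate inline onload handlers that wrap an immediately-invoked function.

Added example for the thread above; not ESET's or WordPress's code.
The demo tree and the injected line are constructed, not taken from any site.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Tolerant form of the search string  onload=' (function ()
# Either quote style, arbitrary whitespace around '=' and '('.
ONLOAD_IIFE = re.compile(
    r"""onload\s*=\s*(?P<q>['"])\s*\(\s*function\s*\(""",
    re.IGNORECASE,
)
# Secondary hints that the handler decodes or hides its payload (heuristic only).
OBFUSCATION_HINTS = ("atob(", "fromCharCode", "unescape(", "eval(")


@dataclass
class Hit:
    path: str
    line: int
    snippet: str
    hints: tuple


def find_onload_iife(text, path="<inline>"):
    """Return one Hit per line of `text` that contains an onload IIFE handler."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ONLOAD_IIFE.search(line)
        if not m:
            continue
        # Handler body runs from the match to the closing quote (or end of line).
        end = line.find(m.group("q"), m.end())
        body = line[m.start(): end if end != -1 else None]
        hints = tuple(h for h in OBFUSCATION_HINTS if h in body)
        hits.append(Hit(path, lineno, body[:120], hints))
    return hits


def scan_tree(root, exts=(".php", ".html", ".htm", ".js", ".txt")):
    """Scan every file under `root` with one of `exts`; paths are relative to root."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(exts):
                continue
            p = os.path.join(dirpath, name)
            try:
                with open(p, encoding="utf-8", errors="replace") as fh:
                    results.extend(find_onload_iife(fh.read(), os.path.relpath(p, root)))
            except OSError:
                continue
    return results


# Constructed sample content (hypothetical, not from the real site):
# an image tag whose onload handler builds a script element from a base64 string.
INJECTED = ('<img src="x.png" onload=\' (function (){var s=document.createElement("script");'
            's.src=atob("Y29uc3RydWN0ZWQ=");document.body.appendChild(s);})()\'>')
# A benign onload that calls a named function, plus an ordinary IIFE in a script tag.
CLEAN = '<body onload="init()"><script>(function(){ console.log("ok"); })();</script></body>'


def build_demo_tree():
    """Create a throwaway theme directory with one injected file and one clean file."""
    root = tempfile.mkdtemp(prefix="theme-")
    os.makedirs(os.path.join(root, "parts"))
    with open(os.path.join(root, "parts", "footer.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php /* theme footer */ ?>\n" + INJECTED + "\n")
    with open(os.path.join(root, "header.php"), "w", encoding="utf-8") as fh:
        fh.write(CLEAN + "\n")
    with open(os.path.join(root, "style.css"), "w", encoding="utf-8") as fh:
        fh.write("body{}\n" + INJECTED + "\n")  # not a scanned extension, so ignored
    return root


if __name__ == "__main__":
    for h in scan_tree(build_demo_tree()):
        print(f"{h.path}:{h.line}: {h.snippet} hints={h.hints}")
```

Point `scan_tree` at a copy of the wp-content directory rather than the live site: a block stored in the WordPress database (post content, widgets) will not be on disk, and the WAF itman mentions can hide the injected markup from remote scanners, so the copy should be taken from the server itself. A match without any hint is still worth reading; the hints only prioritise.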
rotaru (posted June 21):
1 hour ago, Marcos said: The detection is correct.
Of the 93 engines on VirusTotal, only ONE detects this site as "malicious" (and it is not ESET).
Marcos, Administrator (posted June 21):
ESET did not blacklist the website; it detects and blocks the malicious JS on it.
itman (posted June 21, edited):
I will also note that since the server associated with this web site is deploying a web application firewall, scanning of the web site via public validation sources will not show the malware on the web site.
itman (posted June 21, edited):
I would also strongly advise appropriate web site temporary mitigations be deployed until this matter is resolved:

Quote:
Technical Details
Trojan-Spy:W32/Banker is a large family of data-stealing trojans. Banker variants attempt to steal access information for various online banking and payment system websites. Details stolen include login credentials, passwords, PINs and so on. The stolen information is usually uploaded to a hacker's website using a webform.
The most vulnerable users are those whose logins and passwords for sensitive online banking or payment accounts remain static at each login session. For this reason, many online banking websites are changing their security processes to use one-time passwords that expire after being used once.
https://www.f-secure.com/v-descs/trojan-spy_w32_banker.shtml
BTECH, Author (posted June 21):
6 hours ago, rotaru said: Of the 93 engines on VirusTotal, only ONE detects this site as "malicious" (and it is not ESET).
We did reach out to Netcraft and they have rescanned the site and they confirmed the issue was resolved (email attached). We run both Jetpack and Wordfence website scans, which confirm no malicious code detected or present; we also flushed any cache from Cloudflare. Searching for "onload=' (function ()" also did not bring up anything out of the ordinary.
What are other steps we can run? Thanks!
Marcos, Administrator (posted June 21):
It's still there:
itman (posted June 21, edited):
25 minutes ago, BTECH said: We did reach out to Netcraft and they have rescanned the site and they confirmed the issue was resolved (email attached).
What the poster of the VT results did not do was perform a web site re-scan. The results he posted are 3 months old. When I did a rescan at VT a few hours ago, Netcraft showed no detections. I assume the previous Netcraft detection was removed some time ago.
Note that VT web site analysis is static for the vendors posted there. They are not performing detailed dynamic analysis, such as analyzing malicious JavaScript code, as ESET's installed web access product scanning does.
BTECH, Author (posted June 21):
1 hour ago, Marcos said: It's still there:
This was traced back to an HTML block in the WordPress theme; either way, the block has been deleted. Please confirm that the issue is resolved. Thank you for your help.
Marcos, Administrator (posted June 21):
I've tried browsing the website and no alert was generated, so it looks clean now.
BTECH, Author (posted June 21):
Thank you for your assistance!