
Possible false positive on web site detection

JimChev3 (original post; solved by Marcos):

One of my employees visits a web site regularly for information. The web site is www[.]perrysburgtownship[.]us. Starting this week, whenever she tries to go there, ESET triggers a JS/Agent.PIV detection on what appears to be every .js file on their web site. I tried to verify that detection independently of ESET, but the only other thing I've found that triggers on it is Sucuri, which also has a write-up about what it's detecting at https://blog.sucuri.net/2022/06/analysis-massive-ndsw-ndsx-malware-campaign.html. Sucuri is triggering specifically on a piece of js code: "if(ndsw===" break inserted by me to prevent any detections on the string in question "undefined)". No one else is detecting malware on this site, but the write-up by Sucuri was written back in June 2022, so this isn't something new that might not be detected yet by other scanners.

I've also visited the site on an isolated Windows notebook outside of our firewall with only Windows Defender on it to see if anything untoward seemed to happen, and nothing appeared to be going on. I also tried with a Linux Mint notebook under similarly safe circumstances. I'm hesitant to contact the webmaster of the site about the problem since only you and Sucuri are saying there is one. Can you guys check this and see if it's actually malware embedded on the site or simply a coincidence that this site uses that particular snippet of code? I've attached a screenshot of the detection info from ESET (just one of the occurrences).

Thank you.

[Attachment: DetectionInfo.png]


Marcos (Administrator), marked as the solution:

The website was compromised. Searching for "I: 0xaf" in the html files should help an admin locate the malicious JS.

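An added example, not code from the thread, from ESET or from Sucuri: a small Python scanner that does what the two posts above describe, walking a document root for the "if(ndsw===undefined)" guard Sucuri flags in the .js files and the "I: 0xaf" string Marcos suggests searching for in the HTML. The sample files it builds are constructed for the demo, and the regexes, the file-extension filter and the function names are assumptions of mine rather than anything the campaign write-up specifies.

```python
import os
import re
import shutil
import tempfile

# Indicators quoted in the thread: the guard Sucuri flags in injected .js
# files and the string Marcos suggests grepping for in the HTML. Whitespace
# is tolerated so light reformatting does not hide the marker. Both are
# plain string matches (an assumption, not a full signature), so treat a
# hit as something to inspect by hand, not as proof of compromise.
INDICATORS = {
    "ndsw_guard": re.compile(r"if\s*\(\s*ndsw\s*===\s*undefined\s*\)"),
    "I_0xaf": re.compile(r"\bI\s*:\s*0xaf\b"),
}

# Which files to look at (assumption: typical web-root content types).
SCAN_EXTENSIONS = (".html", ".htm", ".js", ".php")


def scan_text(text):
    """Return {indicator_name: [line numbers]} for each indicator present."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def scan_tree(root):
    """Walk a document root; return {relative path: hits} for flagged files."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = hits
    return findings


# Constructed sample content for the demo (not taken from any real site).
CLEAN_JS = "function init() { console.log('ok'); }\n"
INFECTED_JS = CLEAN_JS + ";if(ndsw===undefined){ /* injected loader would follow */ }\n"
INFECTED_HTML = "<html><body><script>var _0x = {I: 0xaf, J: 0x12};</script></body></html>\n"
CLEAN_HTML = "<html><body><p>Township news</p></body></html>\n"

SAMPLE_SITE = {
    "index.html": INFECTED_HTML,
    "about.html": CLEAN_HTML,
    "js/app.js": CLEAN_JS,
    "js/vendor.js": INFECTED_JS,
    "notes.txt": "I: 0xaf appears here but .txt is out of scope\n",
}


def build_sample_site():
    """Write the constructed sample files into a fresh temporary directory."""
    root = tempfile.mkdtemp(prefix="ndsw_demo_")
    for rel, content in SAMPLE_SITE.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo():
    """Build the sample site, scan it, clean up, and return the findings."""
    root = build_sample_site()
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        for name, lines in hits.items():
            print(f"{path}: {name} at line(s) {lines}")
```

On a real server the same check is a one-liner, grep -rlE 'I: 0xaf|ndsw===undefined' over the document root; the script only adds line numbers and a file-type filter. Either way a match tells an admin where to look, and the injected .js files and any HTML loader still need to be read and cleaned by hand, since the snippet itself is just the marker the campaign leaves behind.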
JimChev3:

Really? What did you run VirusTotal against? I ran the URL check against the main web site URL (the one I listed in my original email) and it came back clean. I just ran it again and got the same results. I'd love to be able to point to something more than just you and Sucuri when talking to the web admin about it.

JimChev3:

Ah, I was just asking it to scan the URL. I've forwarded all your information on to someone at that township. Again, thank you so much for your help!
