JimChev3, posted March 3:
One of my employees visits a web site regularly for information. The web site is www[.]perrysburgtownship[.]us. Starting this week, whenever she tries to go there, ESET triggers a JS/Agent.PIV detection on what appears to be every .js file on their web site. I tried to verify that detection independently of ESET, but the only other thing I've found that triggers on it is Sucuri, which also has a write-up about what it's detecting at https://blog.sucuri.net/2022/06/analysis-massive-ndsw-ndsx-malware-campaign.html. Sucuri is triggering specifically on a piece of JS code: "if(ndsw===" [break inserted by me to prevent any detections on the string in question] "undefined)". No one else is detecting malware on this site, but the write-up by Sucuri was written back in June 2022, so this isn't something new that might not be detected yet by other scanners. I've also visited the site on an isolated Windows notebook outside of our firewall with only Windows Defender on it to see if anything untoward seemed to happen, and nothing appeared to be going on. I also tried with a Linux Mint notebook under similarly safe circumstances. I'm hesitant to contact the webmaster of the site about the problem since only you and Sucuri are saying there is one. Can you guys check this and see if it's actually malware embedded on the site or simply a coincidence that this site uses that particular snippet of code? I've attached a screenshot of the detection info from ESET (just one of the occurrences). Thank you.
Marcos (Administrator), posted March 3 (marked as solution):
The website was compromised. Searching for "I: 0xaf" in the HTML files should help an admin locate the malicious JS.
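A site admin who wants to act on the two indicators quoted in this thread (the `if(ndsw===undefined)` check that Sucuri flags in the .js files, and the `I: 0xaf` fragment Marcos suggests grepping for in the HTML) can run a small offline sweep over the web root. The script below is an added example for this thread, not ESET's or Sucuri's tooling; it assembles the indicator strings at runtime so the script itself does not trip a signature scanner (the same trick the original poster used when quoting the snippet), and `demo()` builds a constructed mini web root with one clean script, one script with the loader appended, and one page carrying the stub.

```python
"""Sweep a web root for the ndsw/ndsx indicators quoted in the thread.

Added example, not ESET's or Sucuri's code. Assumptions: the injected
loader contains the literal `if(ndsw===undefined)` check and the HTML
side contains the literal `I: 0xaf`; both strings are built from pieces
here so this file never contains the raw signature.
"""
import re
import tempfile
from pathlib import Path

# Indicator regexes, assembled at runtime so the plain signature is absent from this file.
INDICATORS = {
    "ndsw-loader": re.compile(
        r"if\s*\(\s*" + "nds" + "w" + r"\s*===\s*" + "undef" + "ined" + r"\s*\)"
    ),
    "html-stub": re.compile(r"I:\s*0x" + "af"),
}

# File types worth scanning in a typical PHP/HTML site (assumption).
SCAN_SUFFIXES = {".js", ".html", ".htm", ".php"}


def scan_text(text):
    """Return [(indicator_name, line_number, excerpt)] for every hit in `text`.

    Works line by line; a minified one-line file simply reports line 1 with a
    short excerpt around the match instead of dumping the whole line.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in INDICATORS.items():
            m = rx.search(line)
            if m:
                start = max(0, m.start() - 20)
                hits.append((name, lineno, line[start : m.end() + 20].strip()))
    return hits


def scan_tree(root):
    """Walk `root`, scan candidate files, return {path: hits}.

    Unreadable files are skipped rather than aborting the sweep; the caller
    still gets results for everything else.
    """
    results = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        hits = scan_text(text)
        if hits:
            results[str(path)] = hits
    return results


def demo():
    """Build a constructed web root in a temp dir, scan it, return relative paths -> hits."""
    root = Path(tempfile.mkdtemp())
    (root / "assets").mkdir()
    # Constructed samples: a clean script, a script with the loader appended, a page with the stub.
    (root / "assets" / "clean.js").write_text("function hello(){return 'hi';}\n")
    (root / "assets" / "menu.js").write_text(
        "function toggle(){}\n"
        + ";if(" + "nds" + "w===" + "undef" + "ined){var ndsw=true;}\n"
    )
    (root / "index.html").write_text(
        "<html><script>var x={I: " + "0x" + "af};</script></html>\n"
    )
    return {Path(p).relative_to(root).as_posix(): h for p, h in scan_tree(root).items()}


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        for name, lineno, excerpt in hits:
            print(f"{path}:{lineno}: {name}: {excerpt}")
```

Run it against a copy of the web root (`scan_tree("/var/www/site")`), not the live tree, and treat hits as leads rather than proof: `I: 0xaf` is short enough to appear in legitimate code, so confirm each hit by eye before cleaning, and remember that removing the appended loader does not close whatever foothold let it be written in the first place.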
JimChev3 (author), posted March 3:
Thanks Marcos!
Marcos (Administrator), posted March 3:
By the way, it's covered pretty well by other AVs too: 27/58 AVs detected it at VirusTotal.
JimChev3 (author), posted March 3:
Really? What did you run VirusTotal against? I ran the URL check against the main web site URL (the one I listed in my original email) and it came back clean. I just ran it again and got the same results. I'd love to be able to point to something more than just you and Sucuri when talking to the web admin about it.
Marcos (Administrator), posted March 3:
I've scanned one of the detected files: https://www.virustotal.com/gui/file/5e3892ef96cae64186be63d224134bbac104138b5d99a02e502d4ecff170b13e
JimChev3 (author), posted March 3:
Ah, I was just asking it to scan the URL. I've forwarded all your information on to someone at that township. Again, thank you so much for your help!