JimChev3 Posted March 3, 2023 One of my employees visits a web site regularly for information. The web site is www[.]perrysburgtownship[.]us. Starting this week, whenever she tries to go there, ESET triggers a JS/Agent.PIV detection on what appears to be every .js file on their web site. I tried to verify that detection independently of ESET, but the only other thing I've found that triggers on it is Sucuri, which also has a write-up about what it's detecting at https://blog.sucuri.net/2022/06/analysis-massive-ndsw-ndsx-malware-campaign.html. Sucuri is triggering specifically on a piece of JS code: "if(ndsw===" (break inserted by me to prevent any detections on the string in question) "undefined)". No one else is detecting malware on this site, but the write-up by Sucuri was written back in June 2022, so this isn't something new that might not be detected yet by other scanners. I've also visited the site on an isolated Windows notebook outside of our firewall with only Windows Defender on it to see if anything untoward seemed to happen, and nothing appeared to be going on. I also tried with a Linux Mint notebook under similarly safe circumstances. I'm hesitant to contact the webmaster of the site about the problem since only you and Sucuri are saying there is one. Can you guys check this and see if it's actually malware embedded on the site or simply a coincidence that this site uses that particular snippet of code? I've attached a screenshot of the detection info from ESET (just one of the occurrences). Thank you.
Marcos (Administrator) Posted March 3, 2023 [Solution] The website was compromised. Searching for "I: 0xaf" in the HTML files should help an admin locate the malicious JS.
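A site admin following Marcos's suggestion would grep the web root for the strings named in this thread. The script below is an added example (not ESET's, Sucuri's or the township's code) that does exactly that for both markers, Sucuri's "if(ndsw===undefined)" guard and the "I: 0xaf" string, over a small web tree it constructs itself; the file names and JS bodies in the sample are made up for illustration.

```python
# Added example: locate files carrying the two NDSW/NDSX markers named in the thread.
# The sample site, its file names and the JS bodies are constructed, not real site data.
import re
import tempfile
from pathlib import Path

# Whitespace-tolerant so minified "if(ndsw===undefined)" and spaced variants both match.
MARKERS = {
    "ndsw_guard": re.compile(r"if\s*\(\s*ndsw\s*===\s*undefined\s*\)"),
    "I_0xaf": re.compile(r"\bI\s*:\s*0xaf\b"),
}
SCAN_SUFFIXES = {".js", ".html", ".htm", ".php"}

def scan_file(path: Path) -> dict:
    """Return {marker_name: [line numbers]} for markers present in one file."""
    hits = {}
    text = path.read_text(encoding="utf-8", errors="replace")
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in MARKERS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits

def scan_tree(root: Path) -> dict:
    """Walk a web root; return {relative path: hits} for every file with a marker."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = scan_file(path)
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings

def build_sample_site() -> Path:
    """Constructed web root: one clean script, one injected script, one injected page.
    The guard string is assembled by concatenation, as the original poster did."""
    root = Path(tempfile.mkdtemp(prefix="ndsw_demo_"))
    guard = "if(ndsw===" + "undefined)"
    (root / "js").mkdir()
    (root / "js" / "clean.js").write_text("function init(){console.log('ok');}\n")
    (root / "js" / "menu.js").write_text(
        "function menu(){}\n;" + guard + "{(function(I,h){var D={I:0xaf,h:0xb0};})();}\n")
    (root / "index.html").write_text(
        "<html><script>if (ndsw === undefined) { var D = { I: 0xaf }; }</script></html>\n")
    return root

if __name__ == "__main__":
    for rel, hits in scan_tree(build_sample_site()).items():
        print(rel, hits)
```

Point `scan_tree` at the real document root to get a list of files and line numbers to review; a hit on either marker alone is worth a look, and a hit on both in one file is the pattern the thread describes.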
JimChev3 (Author) Posted March 3, 2023 Thanks Marcos!
Marcos (Administrator) Posted March 3, 2023 By the way, it's covered pretty well by other AVs too; 27/58 AVs detected it at VirusTotal.
JimChev3 (Author) Posted March 3, 2023 Really? What did you run VirusTotal against? I ran the URL check against the main web site URL (the one I listed in my original email) and it came back clean. I just ran it again and got the same results. I'd love to be able to point to something more than just you and Sucuri when talking to the web admin about it.
Marcos (Administrator) Posted March 3, 2023 I've scanned one of the detected files: https://www.virustotal.com/gui/file/5e3892ef96cae64186be63d224134bbac104138b5d99a02e502d4ecff170b13e
JimChev3 (Author) Posted March 3, 2023 Ah, I was just asking it to scan the URL. I've forwarded all your information on to someone at that township. Again, thank you so much for your help!