HTML/ScrInject.B trojan report in website by ESET

[garywang 0]

Hello 

Recently I got some reports by our site users that ESET is blocking there access to our website.

I use beyond compare to compare website scripts with local scripts, it is totally same.

The site was scanned with different websites and there are not showing any of those issues.

 

HTML/ScrInject.B trojan

Blocked address (maybe):

hxxp://www.mynoteskeeper.com/
hxxp://www.mynoteskeeper.com/.well-known

 

the .well-known contain  a acme-challenge folder and no any file.

 

How can we solve this issues ?

[Marcos 4,841]

I was able to open the website alright, nothing was detected or blocked. Please provide logs collected with ESET Log Collector.

[garywang 0]

Thanks for your reply, please check attachment.

eis_logs.zip

[Marcos 4,841]

There is a loader that loads a php from cdn.jsinit.directfwd.com, please remove it.

[garywang 0]

Thanks your reply, I pause ESET protection and find this script.

But I search my website and not found this script code, how to find and remove it?

[Marcos 4,841]

It appears that the script is served when 403 is returned by the server. Note that it's compressed with gzip so you can't find by searching for the link:

[garywang 0]

wow! thanks very much for your help.

I found any address return 403 or 404, it has the same problem in response.

I change .htaccess these line can avoid it

ErrorDocument 403 /err/403.htm
ErrorDocument 404 /err/404.htm

But I still no way to solve it completely.