JS/Agent.RAN

[milos85 0]

blocked our website wordpress, https://obedovemenunz.sk/ can you help us, how to fix it, what to look for?
Well thank you .

[Marcos 5,189]

The website was compromised and contains a malicious JS detected by ESET.

Searching for "iz.fromCharCode" should help you locate the offending JS. Make sure to update WordPress as well as all plugins you use to the latest version.

[Abajo855 1]

My website use the same theme and was flagged for the same error.

[Marcos 5,189]

1 minute ago, Abajo855 said:

My website use the same theme and was flagged for the same error.

What website is it?

[Abajo855 1]

https://www.asiaticafilmmediale.it/

This is my website. I updated the theme as suggested in the previous post but didn't fix the issue

[Marcos 5,189]

14 minutes ago, Abajo855 said:

This is my website. I updated the theme as suggested in the previous post but didn't fix the issue

Please see my advise above. Searching for "iz.fromCharCode" should help you locate the offending JS.  Don't forget to update WordPress and plugins too.

[Abajo855 1]

Quote

 the problem is in the tagdiv composer plugin. I found a quick-fix. This is not a permanent solution, but it works quickly:
wp-content/plugins/td-composer/css-live/css-live.php line: 142 where is <style id="tdw-css-placeholder">. Just delete code between <style id="tdw-css-placeholder"> and ending </style>

...of course if you don't need to use it.

Found and sharing this solution

[Dario 0]

Hello,

my company site is also affected with JS/Agent.RAN. Any help would be appreciated. 

www.virovitica.hr

[Marcos 5,189]

3 hours ago, Dario said:

my company site is also affected with JS/Agent.RAN. Any help would be appreciated. 

www.virovitica.hr

Searching for "iz.fromCharCode" should help you locate the malicious JS.

Also make sure to update WordPress as well as all plugins you use and scan all files with ESET to make sure no other malware is detected.

[SeriousHoax 85]

Hi @Marcos! Wondering what this particular malicious script does? Does it redirect to malvertisements or something else? 

[Champion 0]

Our two sites were also compromised with this malware and got blocked by ESET. We cleared it by updating the older Newspaper theme, that uses the vulnerable tagDiv Composer plugin, and also updated Wordpress with the rest of the plugins. Can you therefore unblock us please for the following sites:

- https://www.potnik.si

- https://www.zdravo.si

Thank you

[Marcos 5,189]

50 minutes ago, Champion said:

Our two sites were also compromised with this malware and got blocked by ESET. We cleared it by updating the older Newspaper theme, that uses the vulnerable tagDiv Composer plugin, and also updated Wordpress with the rest of the plugins. Can you therefore unblock us please for the following sites:

- https://www.potnik.si

- https://www.zdravo.si

I confirm the websites are clean now, will be unblocked shortly.

[novice12 0]

Please unblock the novice.si website. the error is the same as above.

[Marcos 5,189]

9 hours ago, novice12 said:

Please unblock the novice.si website. the error is the same as above.

It is not blacklisted, however, it's still infected and JS/Agent.RAW trojan is detected.

[Black20232023 0]

Hello, can you move donjastubica.hr from black list? We have made update wp, theme, and plugins. TNX

[Marcos 5,189]

8 minutes ago, Black20232023 said:

Hello, can you move donjastubica.hr from black list? We have made update wp, theme, and plugins. TNX

The website indeed appears to have been cleaned and no malware was detected while browsing it. It is not blacklisted by ESET:
https://www.virustotal.com/gui/url/a73fb31e85a3849d9148ed1d65f609336fa08a743b6c21583d0522a6aaaedc1e?nocache=1

[BNM 0]

Hi,

My website https://bnm-portal.com is up to date with WordPress and all plugins. Still has this issue:

Threat: JS/Agent.RAW trojan Access to the web page has been blocked Also scanned with Sucuri and no threrats found. Coluld you remove it from blacklist?

[Marcos 5,189]

19 minutes ago, BNM said:

My website https://bnm-portal.com is up to date with WordPress and all plugins. Still has this issue:

Threat: JS/Agent.RAW trojan Access to the web page has been blocked Also scanned with Sucuri and no threrats found. Coluld you remove it from blacklist?

The website is not blacklisted by ESET. However, I was unable to reproduce the detected either. Are you still getting the detection? On what page / url?

[BNM 0]

On 9/21/2023 at 5:01 PM, Abajo855 said:

Found and sharing this solution

Marcos, I followed this suggestion also. Not getting detection anymore.

Edited September 25, 2023 by BNM

[Black20232023 0]

My page donjastubica.hr is complete update, so please move from black list

[Geovan Bottoni 0]

hello. good morning everything is fine?

I need help with the website https://www.mundonovo.ms.gov.br/
the message JS/Agent.RAW trojan also appears.
however, checking the website https://www.virustotal.com/gui/url/ec64aed7359924af611faac17ab9dd9567d1b1efd0c1af2f87c6f10b3584a3f1/detection
it does not appear in the ESET category, but in our organization it continues to block access.
Thank you very much in advance
Att

[PatrikZitko 0]

Hi, our customers page was blacklisted too. @Marcos could you recheck? Did you found any solution for it? Mentioned above is not applicable for us.   https://monitoringmsp.sk

[thomaso84 0]

Dear ESET Team,

On EU-Startups.com we had the same issue but we cleaned everything. Please unblock our site asap.

Thank you!

Thomas

[Marcos 5,189]

1 hour ago, PatrikZitko said:

Hi, our customers page was blacklisted too. @Marcos could you recheck? Did you found any solution for it? Mentioned above is not applicable for us.   https://monitoringmsp.sk

It is still infected:

[Marcos 5,189]

1 hour ago, Geovan Bottoni said:

I need help with the website 

mundonovo.ms.gov.br
the message JS/Agent.RAW trojan also appears.
however, checking the website https://www.virustotal.com/gui/url/ec64aed7359924af611faac17ab9dd9567d1b1efd0c1af2f87c6f10b3584a3f1/detection
it does not appear in the ESET category, but in our organization it continues to block access.

The detection is correct. Please read through this topic, my hints above should help you locate the malicious JS in the WP database. Also make sure to update WordPress as well as all plugins and themes you use.