Jump to content

Wordpress: JS/Agent.RFP Trojan detected


Recommended Posts

Hello Eset Support,

We are facing problems with our wordpress website since yesterday because a Trojan in our website. Is blocked by Eset Antivirus in the web browser.

www.ayr.es

JS/Agent.RFQ Trojan

Could you suggest actions to solve this issue?

Thank you so much,

Link to comment
Share on other sites

Hi Marcos,

It's weird. Following your detection I found a the origin in LiteSpeed Plugin. 

I disabled and It worked for me... but there are some computers still detecting Trojan and others accesing without problem.

My computer, for exmaple, is working fine:

image.png.2cc470536156622d255adeab59ccafd6.png

 

But in the same local network, with the same ESET antivirus, refreshing, without caché... there are still Torjan detections.

I think antivirus should be the same for everyone, right? 

Detection should be general or shouldn't be detected in general.

I'm wrong?

 

Link to comment
Share on other sites

Hi Marcos,

Thank you for the track, but I don't understand.

In the same computer, my computer, I'm facing:

- chrome -> works perfectly

- firefox -> doesn't work

ESET works different in function of the browser? (same computer)

ESET works different in different computers inside the same local netkwork? (50% works, 50% don't)

That's my concern.

Thank you so much for the support.

 

Link to comment
Share on other sites

  • Administrators

I don't understand. I've tested it and the malware is detected both in Chrome and Firefox. A scan with Sucuri shows the malicious JS and that should help you locate it and remove it.

Link to comment
Share on other sites

Hi Marcos,

As you can see in the screenshot, works on different ways in function of web browser. Screenshot taken it right now.

image.thumb.png.417ffcd4482ecb4500c9ab8c28f79b97.png

 

 

When you say Securi scan, you mean the link you shared pointing to especial-alquileres/?

Thanks

Link to comment
Share on other sites

  • Administrators

It doesn't matter after all, the point is malware is there. Even a Sucuri scan shows it as you can see in my link above.

Link to comment
Share on other sites

Dear itman,

 

I don't understand the problem, even, sucuri (as Marcos suggested) told me (this weekend) there is not any malware sign. You can see the analyctics from SUCURI below:

image.thumb.png.59e43c41908cc4fb3ef276326ccb8c7e.png

 

Marcos said sucuri was detecting malware, and sucuri didn't say the same.

Could you check the issue, please?

Regards,

Link to comment
Share on other sites

6 hours ago, JLF said:

I don't understand the problem, even, sucuri (as Marcos suggested) told me (this weekend) there is not any malware sign. You can see the analyctics from SUCURI below:

The Sucuri link @Marcos posted above: https://sitecheck.sucuri.net/results/https/ayr.es/blog/category/especial-alquileres/ now scans clean at Sucuri. However, this is for a sub-domain on your web site.

Sucuri still finds malware on your home web page domain: https://sitecheck.sucuri.net/results/https/ayr.es .

Link to comment
Share on other sites

  • Marcos changed the title to Wordpress: JS/Agent.RFP Trojan detected

Dear itman, Marcos

Sorry but I don't understand anything. It's my fault, surely, but:

itman said:

The Sucuri link @Marcos posted above: https://sitecheck.sucuri.net/results/https/ayr.es/blog/category/especial-alquileres/ now scans clean at Sucuri. However, this is for a sub-domain on your web site.

Link from Marcos ITs NOT A SUBDOMAIN. It's a domain ayr.es/blog/whatever

The domain we can't access is ayr.es, the main domain.

Actually, if you wanna try a subdomain from the same server, try -> pqslh.ayr.es This is really a subdomain and its working properly.

 

Following this clue. The domian we can't access is www.ayr.es, NOT ANY SUBDOMAIN.

We ran sucuri over www.ayr.es (the domain we can't access), and the results are negative as I posted above.

Sorry but I don't understand the blocklisted on ESET.

if you access to: www.ayr.es -> FAILs (in Firefox, I can access in Chrome... that's another thing). It's not a subdomain. And if you analyze www.ayr.es using sucuri ON the same domain, SUCURI says everything is OK. 

I have SUCURI running over this domain since Friday.

The screenshoot is captured right now. You can see the domain (top-left).

image.thumb.png.7cddad53636d44e8b26fbc66d1d26e79.png

 

 

So, the question is... I use Sucuri and says ayr.es is clean. You use Sucuri and, it seems that says, ayr.es is infected... honestly I don't know what to do right now. I'm trying to use the same tools you told me with different results.

I know the easy way of solving this issue with ESET, but sometimes you face some things to improve. I'm trying to cooperate in order to find the problem but, honestly, information from both sides is contradictory.

 

 

 

Link to comment
Share on other sites

40 minutes ago, JLF said:

We ran sucuri over www.ayr.es (the domain we can't access), and the results are negative as I posted above.

Wrong. The web site is infected;

Eset_Malware.thumb.png.82311609c4ef573a0c7465dd99fad3cc.png

I had to add the "/* to the domain to prevent Eset from triggering a malware detection on www.ayr.es prior to access to Sucuri web site,

Link to comment
Share on other sites

49 minutes ago, JLF said:

So, the question is... I use Sucuri and says ayr.es is clean. You use Sucuri and, it seems that says, ayr.es is infected... honestly I don't know what to do right now.

Engage Sucuri, Quttera, or another web site cleanup provider to clean your web site of malware.

Link to comment
Share on other sites

  • Administrators

More web pages are infected on the website, below are just some of them. If ESET detect malware on the main website and display a red web page with a warning, malware on other pages won't be detected and logged because access to the whole website was blocked.

image.png

Link to comment
Share on other sites

Here's a second opinion via PCRisk that deploys Quttera's web site malware scanner. Unlike Sucuri, Quttera will scan your entire web site. With the amount of malware noted, I would say you need professional help cleaning your web site;

Eset_PCRisk.thumb.png.264b679de454652373953bd0009de98a.png

https://scanner.pcrisk.com/detailed_report/www.ayr.es#details

Edited by itman
Link to comment
Share on other sites

Dear itman,

Thank you for your support and interest.

I'm talking to Sucuri in order to find the problems/issues/infections.

I will post the results here.

Regards,

Link to comment
Share on other sites

Hi All,

Sorry my English,,,

I succesfully remove this mailware.
STEPS

1, Open the phpmyadmin, and export all database table to simple txt, check on export options "Separated files"

2 Save the ziiped database, and extract.

3. Open TotalCommander, and find in directory this text sample "60,115,99,114,105,112,116,62,118" without "

4 If found text (suggested: in wp_options table) find the first number, this is the row ID

5 Open this table in phpmyadmin, and find option_ID  value, padte the copied row id

6 DELETE this row from table.

HURRY!!!!!!!

If totalcommander not found any text, visit the sucuri.net, scan your domain, and click "More Details" in result (if found)
Copy the text for sample, and GO to STEP 3

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...