
Wordpress: JS/Agent.RFP Trojan detected


JLF


Hello Eset Support,

We are facing problems with our WordPress website since yesterday because of a Trojan on our website. It is blocked by ESET Antivirus in the web browser.

www.ayr.es

JS/Agent.RFQ Trojan

Could you suggest actions to solve this issue?

Thank you so much,


Hi Marcos,

It's weird. Following your detection I found the origin in the LiteSpeed plugin.

I disabled it and it worked for me... but there are some computers still detecting the Trojan and others accessing without problem.

My computer, for example, is working fine:

[screenshot]

But in the same local network, with the same ESET antivirus, refreshing, without cache... there are still Trojan detections.

I think the antivirus should be the same for everyone, right?

Detection should be general, or it shouldn't be detected in general.

Am I wrong?


Hi Marcos,

Thank you for the pointer, but I don't understand.

On the same computer, my computer, I'm facing:

- chrome -> works perfectly

- firefox -> doesn't work

Does ESET work differently depending on the browser? (same computer)

Does ESET work differently on different computers inside the same local network? (50% work, 50% don't)

That's my concern.

Thank you so much for the support.


  • Administrators

I don't understand. I've tested it and the malware is detected both in Chrome and Firefox. A scan with Sucuri shows the malicious JS and that should help you locate it and remove it.


Hi Marcos,

As you can see in the screenshot, it works differently depending on the web browser. Screenshot taken right now.

[screenshot]

When you say Sucuri scan, you mean the link you shared pointing to especial-alquileres/?

Thanks


Dear itman,

I don't understand the problem; even Sucuri (as Marcos suggested) told me (this weekend) there is no sign of malware. You can see the analytics from SUCURI below:

[screenshot]

Marcos said Sucuri was detecting malware, and Sucuri didn't say the same.

Could you check the issue, please?

Regards,


6 hours ago, JLF said:

I don't understand the problem; even Sucuri (as Marcos suggested) told me (this weekend) there is no sign of malware. You can see the analytics from SUCURI below:

The Sucuri link @Marcos posted above: https://sitecheck.sucuri.net/results/https/ayr.es/blog/category/especial-alquileres/ now scans clean at Sucuri. However, this is for a sub-domain on your web site.

Sucuri still finds malware on your home web page domain: https://sitecheck.sucuri.net/results/https/ayr.es .


  • Marcos changed the title to Wordpress: JS/Agent.RFP Trojan detected

Dear itman, Marcos

Sorry but I don't understand anything. It's my fault, surely, but:

itman said:

The Sucuri link @Marcos posted above: https://sitecheck.sucuri.net/results/https/ayr.es/blog/category/especial-alquileres/ now scans clean at Sucuri. However, this is for a sub-domain on your web site.

The link from Marcos IS NOT A SUBDOMAIN. It's a domain: ayr.es/blog/whatever

The domain we can't access is ayr.es, the main domain.

Actually, if you wanna try a subdomain from the same server, try -> pqslh.ayr.es This is really a subdomain and it's working properly.

Following this clue: the domain we can't access is www.ayr.es, NOT ANY SUBDOMAIN.

We ran Sucuri over www.ayr.es (the domain we can't access), and the results are negative, as I posted above.

Sorry, but I don't understand the blocklisting on ESET.

If you access www.ayr.es -> it FAILS (in Firefox; I can access it in Chrome... that's another thing). It's not a subdomain. And if you analyze www.ayr.es using Sucuri ON the same domain, SUCURI says everything is OK.

I have SUCURI running over this domain since Friday.

The screenshot was captured right now. You can see the domain (top-left).

[screenshot]

So, the question is... I use Sucuri and it says ayr.es is clean. You use Sucuri and, it seems, it says ayr.es is infected... honestly I don't know what to do right now. I'm trying to use the same tools you told me, with different results.

I know the easy way of solving this issue with ESET, but sometimes you face some things to improve. I'm trying to cooperate in order to find the problem, but, honestly, the information from both sides is contradictory.

40 minutes ago, JLF said:

We ran Sucuri over www.ayr.es (the domain we can't access), and the results are negative, as I posted above.

Wrong. The web site is infected:

[screenshot]

I had to add the "/* to the domain to prevent ESET from triggering a malware detection on www.ayr.es prior to accessing the Sucuri web site.

49 minutes ago, JLF said:

So, the question is... I use Sucuri and says ayr.es is clean. You use Sucuri and, it seems that says, ayr.es is infected... honestly I don't know what to do right now.

Engage Sucuri, Quttera, or another web site cleanup provider to clean your web site of malware.


  • Administrators

More web pages are infected on the website; below are just some of them. If ESET detects malware on the main website and displays a red web page with a warning, malware on other pages won't be detected and logged, because access to the whole website was blocked.

[screenshot]

Here's a second opinion via PCRisk, which deploys Quttera's web site malware scanner. Unlike Sucuri, Quttera will scan your entire web site. With the amount of malware noted, I would say you need professional help cleaning your web site:

[screenshot]

https://scanner.pcrisk.com/detailed_report/www.ayr.es#details

Edited by itman

Dear itman,

Thank you for your support and interest.

I'm talking to Sucuri in order to find the problems/issues/infections.

I will post the results here.

Regards,


Hi All,

Sorry for my English...

I successfully removed this malware.

STEPS

1. Open phpMyAdmin and export all database tables to simple txt; check the export option "Separated files".

2. Save the zipped database and extract it.

3. Open TotalCommander and search the directory for this text sample: "60,115,99,114,105,112,116,62,118" (without the quotes).

4. If the text is found (suggested: in the wp_options table), find the first number; this is the row ID.

5. Open this table in phpMyAdmin, find the option_ID value, and paste the copied row ID.

6. DELETE this row from the table.

HURRY!!!!!!!

If TotalCommander doesn't find any text, visit sucuri.net, scan your domain, and click "More Details" in the result (if found).
Copy the text as the sample, and GO to STEP 3.

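The text sample in step 3 of the post above is a run of JavaScript char codes: 60,115,99,114,105,112,116,62 is exactly what String.fromCharCode() turns into <script>, which is why the injected tag does not show up in a plain search for the word "script". The script below is an added example written for this thread (it was not posted by the thread's author and is not ESET's or Sucuri's code). It automates steps 3 and 4 in Python over the extracted export: it decodes every long comma-separated number run it finds, reports only the runs that decode to script-like content, and prints the first column of the matching row as the option_id to look up in phpMyAdmin. The directory layout, the .txt/.sql/.csv file suffixes, the marker list, and the sample wp_options rows are constructed assumptions, not data from the thread.

```python
import re
from pathlib import Path

# Runs of at least 8 comma-separated decimal numbers: the shape that
# String.fromCharCode(60,115,99,...) payloads take inside a database dump.
CHARCODE_RUN = re.compile(r'\d{1,3}(?:\s*,\s*\d{1,3}){7,}')

# Substrings that, once decoded, mark a run as worth a human look (assumed list).
SUSPICIOUS_MARKERS = ('<script', 'eval(', 'document.write', 'fromcharcode', 'iframe')


def decode_charcodes(run: str) -> str:
    """Turn '60,115,99,114,105,112,116,62' into the text it encodes ('<script>')."""
    return ''.join(chr(int(n)) for n in re.split(r'\s*,\s*', run.strip()))


def find_encoded_scripts(text: str) -> list:
    """Return one dict per line whose char-code runs decode to script-like content.

    'row_id' is the first numeric field on the line, which in an exported
    wp_options table is option_id (the value step 5 pastes into phpMyAdmin).
    Lines whose runs decode to harmless text (e.g. a plain numeric list) are
    not reported.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in CHARCODE_RUN.finditer(line):
            decoded = decode_charcodes(match.group())
            if any(marker in decoded.lower() for marker in SUSPICIOUS_MARKERS):
                first_field = re.match(r'\s*"?(\d+)', line)
                hits.append({
                    'line': line_no,
                    'row_id': first_field.group(1) if first_field else None,
                    'decoded': decoded[:60],
                })
                break  # one report per line is enough
    return hits


def scan_export_dir(directory) -> dict:
    """Scan every .txt/.sql/.csv file under an extracted phpMyAdmin export.

    Returns {relative file path: hits}; only files with at least one hit appear.
    """
    results = {}
    for path in sorted(Path(directory).rglob('*')):
        if path.suffix.lower() not in ('.txt', '.sql', '.csv'):
            continue
        hits = find_encoded_scripts(path.read_text(encoding='utf-8', errors='replace'))
        if hits:
            results[str(path.relative_to(directory))] = hits
    return results


# Constructed sample of an exported wp_options table (not data from the thread).
# Row 734 carries a char-code-encoded <script> tag inside a widget value;
# row 735 holds a plain numeric list that must not be reported.
SAMPLE_WP_OPTIONS = '''\
"1","siteurl","https://example.invalid","yes"
"2","blogname","Example blog","yes"
"734","widget_text","document.write(String.fromCharCode(60,115,99,114,105,112,116,62,118,97,114,32,120,61,49,60,47,115,99,114,105,112,116,62))","yes"
"735","_transient_timeout_x","1,2,3,4,5,6,7,8","no"
'''

if __name__ == '__main__':
    # Run on the embedded sample; pass an extracted export directory to
    # scan_export_dir() to do the same over real dump files.
    for hit in find_encoded_scripts(SAMPLE_WP_OPTIONS):
        print(f"line {hit['line']} option_id={hit['row_id']}: {hit['decoded']!r}")
```

The decode-then-match step is what separates this from the raw text search in step 3: a run that decodes to "<script>var x=1</script>" is reported with its row id, while the numeric list in row 735 decodes to control characters and is ignored. Treat a hit as a pointer for manual review in phpMyAdmin rather than as proof on its own, and keep a backup of the export before deleting any row.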