JLF, Posted November 17, 2023

Hello Eset Support,

We have been facing problems with our WordPress website since yesterday because of a Trojan on our website. It is blocked by Eset Antivirus in the web browser.

www.ayr.es
JS/Agent.RFQ Trojan

Could you suggest actions to solve this issue?

Thank you so much,

Marcos (Administrators), Posted November 17, 2023

The detection is correct:

JLF, Posted November 17, 2023

Hi Marcos,

It's weird. Following your detection I found the origin in the LiteSpeed plugin. I disabled it and it worked for me... but there are some computers still detecting the Trojan and others accessing without problem.

My computer, for example, is working fine:

But in the same local network, with the same ESET antivirus, refreshing, without cache... there are still Trojan detections.

I think the antivirus should be the same for everyone, right? Detection should be general or it shouldn't be detected in general. Am I wrong?

Marcos (Administrators), Posted November 17, 2023

This should help: https://sitecheck.sucuri.net/results/https/ayr.es/blog/category/especial-alquileres/

JLF, Posted November 17, 2023

Hi Marcos,

Thank you for the track, but I don't understand. On the same computer, my computer, I'm facing:

- chrome -> works perfectly
- firefox -> doesn't work

Does ESET work differently depending on the browser? (same computer)
Does ESET work differently on different computers inside the same local network? (50% work, 50% don't)

That's my concern. Thank you so much for the support.

Marcos (Administrators), Posted November 17, 2023

I don't understand. I've tested it and the malware is detected both in Chrome and Firefox. A scan with Sucuri shows the malicious JS and that should help you locate it and remove it.

JLF, Posted November 17, 2023

Hi Marcos,

As you can see in the screenshot, it works in different ways depending on the web browser. Screenshot taken right now.

When you say Sucuri scan, do you mean the link you shared pointing to especial-alquileres/?

Thanks

Marcos (Administrators), Posted November 17, 2023

It doesn't matter after all, the point is malware is there. Even a Sucuri scan shows it as you can see in my link above.

itman, Posted November 17, 2023

2 hours ago, JLF said:
"firefox -> doesn't work"

Eset detects on my installed Firefox browser;

JLF, Posted November 20, 2023

Dear itman,

I don't understand the problem, even, sucuri (as Marcos suggested) told me (this weekend) there is not any malware sign. You can see the analytics from SUCURI below:

Marcos said sucuri was detecting malware, and sucuri didn't say the same.

Could you check the issue, please?

Regards,

itman, Posted November 20, 2023

6 hours ago, JLF said:
"I don't understand the problem, even, sucuri (as Marcos suggested) told me (this weekend) there is not any malware sign. You can see the analytics from SUCURI below:"

The Sucuri link @Marcos posted above: https://sitecheck.sucuri.net/results/https/ayr.es/blog/category/especial-alquileres/ now scans clean at Sucuri. However, this is for a sub-domain on your web site.

Sucuri still finds malware on your home web page domain: https://sitecheck.sucuri.net/results/https/ayr.es .

JLF, Posted November 20, 2023

Dear itman, Marcos

Sorry but I don't understand anything. It's my fault, surely, but:

itman said:
"The Sucuri link @Marcos posted above: https://sitecheck.sucuri.net/results/https/ayr.es/blog/category/especial-alquileres/ now scans clean at Sucuri. However, this is for a sub-domain on your web site."

The link from Marcos IS NOT A SUBDOMAIN. It's a domain ayr.es/blog/whatever

The domain we can't access is ayr.es, the main domain. Actually, if you want to try a subdomain from the same server, try -> pqslh.ayr.es. This is really a subdomain and it's working properly.

Following this clue: the domain we can't access is www.ayr.es, NOT ANY SUBDOMAIN. We ran sucuri over www.ayr.es (the domain we can't access), and the results are negative as I posted above.

Sorry but I don't understand the blocklisting on ESET. If you access: www.ayr.es -> FAILs (in Firefox, I can access in Chrome... that's another thing). It's not a subdomain. And if you analyze www.ayr.es using sucuri ON the same domain, SUCURI says everything is OK.

I have SUCURI running over this domain since Friday. The screenshot is captured right now. You can see the domain (top-left).

So, the question is... I use Sucuri and it says ayr.es is clean. You use Sucuri and, it seems, it says ayr.es is infected... honestly I don't know what to do right now. I'm trying to use the same tools you told me with different results.

I know the easy way of solving this issue with ESET, but sometimes you face some things to improve. I'm trying to cooperate in order to find the problem but, honestly, information from both sides is contradictory.

itman, Posted November 20, 2023

40 minutes ago, JLF said:
"We ran sucuri over www.ayr.es (the domain we can't access), and the results are negative as I posted above."

Wrong. The web site is infected;

I had to add the "/* to the domain to prevent Eset from triggering a malware detection on www.ayr.es prior to access to Sucuri web site,

itman, Posted November 20, 2023

49 minutes ago, JLF said:
"So, the question is... I use Sucuri and it says ayr.es is clean. You use Sucuri and, it seems, it says ayr.es is infected... honestly I don't know what to do right now."

Engage Sucuri, Quttera, or another web site cleanup provider to clean your web site of malware.

Marcos (Administrators), Posted November 20, 2023

More web pages are infected on the website, below are just some of them. If ESET detects malware on the main website and displays a red web page with a warning, malware on other pages won't be detected and logged because access to the whole website was blocked.

itman, Posted November 20, 2023 (edited November 20, 2023 by itman)

Here's a second opinion via PCRisk that deploys Quttera's web site malware scanner. Unlike Sucuri, Quttera will scan your entire web site. With the amount of malware noted, I would say you need professional help cleaning your web site;

https://scanner.pcrisk.com/detailed_report/www.ayr.es#details

JLF, Posted November 21, 2023

Dear itman,

Thank you for your support and interest. I'm talking to Sucuri in order to find the problems/issues/infections. I will post the results here.

Regards,

DTB, Posted November 23, 2023

Hi All,

Sorry for my English... I successfully removed this malware.

STEPS

1. Open phpMyAdmin and export all database tables to simple txt; in the export options, check "Separated files".
2. Save the zipped database and extract it.
3. Open TotalCommander and search the directory for this text sample: "60,115,99,114,105,112,116,62,118" (without the quotes).
4. If the text is found (suggested: in the wp_options table), find the first number; this is the row ID.
5. Open this table in phpMyAdmin, find the option_ID value, and paste the copied row ID.
6. DELETE this row from the table.

HURRY!!!!!!!

If TotalCommander does not find any text, visit sucuri.net, scan your domain, and click "More Details" in the result (if found). Copy the text as the sample, and GO to STEP 3.

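An added example, not part of DTB's post or any tool mentioned in the thread: the sample in step 3 is a list of decimal character codes that decodes to `<script>v`, so the search in steps 3 and 4 can be generalized to any comma-separated run that decodes to a script tag, instead of one fixed string. The function names, the sample rows and the assumption that the row's first number is the option ID are constructed for illustration.

```python
import re

# Eight or more comma-separated decimal values, e.g. "60,115,99,114,..."
RUN = re.compile(r"(?<!\d)(?:\d{1,3}\s*,\s*){7,}\d{1,3}(?!\d)")

# Constructed export rows (assumed layout: option ID first), not real site data.
SAMPLE = [
    '"1","siteurl","https://example.test","yes"',
    '"57","widget_sizes","10,20,30,40,50,60,70,80,90","yes"',
    '"9001","constructed_option","60,115,99,114,105,112,116,62,118,97,114,'
    '32,120,61,49,59,60,47,115,99,114,105,112,116,62","yes"',
]


def decode_run(run):
    """Decode '60,115,99' to '<sc'; None if a value is not printable ASCII."""
    codes = [int(n) for n in run.split(",")]
    if any(c not in (9, 10, 13) and not 32 <= c <= 126 for c in codes):
        return None
    return "".join(map(chr, codes))


def scan_dump(lines):
    """Return (line_no, row_id, decoded_preview) for rows hiding a <script> tag."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        for match in RUN.finditer(line):
            decoded = decode_run(match.group())
            if decoded and "<script" in decoded.lower():
                # Step 4 of the post: the first number in the row is the row ID.
                first = re.search(r"\d+", line)
                row_id = int(first.group()) if first else None
                hits.append((line_no, row_id, decoded[:40]))
    return hits


if __name__ == "__main__":
    for line_no, row_id, preview in scan_dump(SAMPLE):
        print(f"line {line_no}: option ID {row_id} decodes to {preview!r}")
```

Feed `scan_dump` the lines of each exported table file; every hit names the row to open and inspect in phpMyAdmin.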