mansour iranmanesh, Posted July 2: Hello, have a good day. I have a problem and I am facing the following error in my antivirus: a threat (js/agent.rrl) was found; Google Chrome tried to access a website (jahancablearka.com). This site is mine, but since today the antivirus gets stuck on all JS files and blocks them. Thank you for guiding me.
Marcos (Administrators), Posted July 2: You've probably made a typo, since the jahancablearka.com domain doesn't exist.
itman, Posted July 2 (edited): This is a strange one. The web site exists, as noted here: https://www.robtex.com/dns-lookup/jahancablearka.com. However, it won't resolve in a browser (Firefox), nor is it accessible at sucuri.com. My guess is this web site is being geographically restricted to access within Iran only.
itman, Posted July 2: Is this an HTTP-only web site? The HTTP web site was accessed at VirusTotal and scans clean: https://www.virustotal.com/gui/url/3feead69cac521e96ce4d6c363be92c3055d583b43760874f9be1ccd255edeb3. Even after disabling the HTTPS always option in Firefox, it still will only attempt access via HTTPS, which fails.
Marcos (Administrators), Posted July 2: 12 minutes ago, itman said: "The HTTP web site was accessed at VirusTotal and scans clean: https://www.virustotal.com/gui/url/3feead69cac521e96ce4d6c363be92c3055d583b43760874f9be1ccd255edeb3." That only means VirusTotal queried AV scanners to find out if the URL is on their blacklists. It didn't attempt to access the site.
itman, Posted July 2 (edited): 41 minutes ago, Marcos said: "That only means VirusTotal queried AV scanners to find out if the URL is on their blacklists. It didn't attempt to access the site." Yes, I realize that. My point was VT was able to access the site under HTTP criteria. When I try to do so in Firefox, it will redirect to HTTPS even with HTTPS only disabled.
itman, Posted July 2: I also performed tracert and nslookup on this domain and both failed. As such, this is not a publicly registered domain. This also means, since the domain cannot be accessed via the Internet, it's impossible to diagnose the malicious script Eset is detecting.
Marcos (Administrators), Posted July 3: Surely it's not a false positive and the detected web page contains a malicious JS.
mansour iranmanesh (Author), Posted July 3: It blocks all my accesses and blocks all JS files, both on the website and in the site admin. Do you have any suggestions?
Marcos (Administrators), Posted July 3: An administrator of the website should find and remove the malicious JavaScript. As for the screenshot of VT results, you are comparing apples with oranges, i.e. URL blacklists with malware detection in HTML/JS files. You can supply logs collected with ESET Log Collector and I'll provide you with the exact malicious code that should be removed.