How do I tell if a site is blocked by ESET or the warning is based on detection?


SimonG
Solved by researcher

Hi,

I tried to access www.touchtec.biz, a photocopier and printer support company, but ESET reports it:

Threat found

Access to the web page was blocked.
hxxp://www.touchtec.biz

Threat: JS/TrojanDownloader.FakejQuery.B trojan

The company hasn't had any warnings from their webhost or webmaster, although they are obviously following up on this, so I wondered how you tell if a warning like this is based on a detection or on some sort of block/blacklist activity. Any advice available?

Obviously if this is just a malicious report that's got them blacklisted they can follow the KB141 advice (thus proving I have read through the other forum posts!). :)

Thanks

From the log:

<?xml version="1.0" encoding="UTF-8"?>
<ESET>
<LOG>
<RECORD>
<COLUMN NAME="Time">17/10/2016 12:05:26</COLUMN>
<COLUMN NAME="Scanner">HTTP filter</COLUMN>
<COLUMN NAME="Object type">file</COLUMN>
<COLUMN NAME="Object">hxxp://www.touchtec.biz</COLUMN>
<COLUMN NAME="Threat">JS/TrojanDownloader.FakejQuery.B trojan</COLUMN>
<COLUMN NAME="Action">connection terminated</COLUMN>
<COLUMN NAME="User">DESKTOP-J7NFCSF\Simon Goodair</COLUMN>
<COLUMN NAME="Information">Threat was detected upon access to web by the application: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (8B808E34CABE32C18D7B1FFD110614DA92404EF2).</COLUMN>
<COLUMN NAME="Hash">7FBEBF4C3F36C6277E6EF1B4B2067599874B5786</COLUMN>
<COLUMN NAME="First seen here"/>
</RECORD>
</LOG>
</ESET>
ESET Staff (solution):

When you see the name of a detection signature / threat name, then the web page is not blocked by a blacklist but by a specific detection.

The website was infected and the following code was inserted into the website by hackers:
(screenshot attachment: post-45-0-74554200-1476794499_thumb.png)

When the website was infected, WordPress 4.5.3 was used.

I am glad that the admin not only removed the malicious script but also updated WordPress to the recent 4.6.1 version.

That's my recommendation for other owners of infected websites. It is not enough to clean the bad code; the site must be secured to prevent future reinfections. At the very least, older versions of the CMS must be updated to recent versions.


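As an added example (not ESET's code, nor either poster's), a small Python triage script that parses the exported XML log from the question (the ESET/LOG/RECORD/COLUMN layout) and applies the rule from the answer: a record carrying a threat name is a signature detection rather than a blacklist block. The second sample record, with an empty Threat column, is an assumption used only to exercise the other branch; the exact shape of a blacklist-only record in ESET's export is not shown on this page.

```python
# Added example, not ESET's own code: parse an ESET HTTP-filter log export in
# the <ESET><LOG><RECORD><COLUMN NAME=...> layout shown in the question and apply
# the staff rule: a record carrying a threat name is a signature detection.
import xml.etree.ElementTree as ET

# Constructed sample. The first record mirrors the one in the question; the
# second is hypothetical, with an empty Threat column standing in for a block
# that carries no detection name (an assumption, not a documented ESET format).
SAMPLE_LOG = """<?xml version="1.0" encoding="UTF-8"?>
<ESET><LOG>
<RECORD>
<COLUMN NAME="Time">17/10/2016 12:05:26</COLUMN>
<COLUMN NAME="Scanner">HTTP filter</COLUMN>
<COLUMN NAME="Object">hxxp://www.touchtec.biz</COLUMN>
<COLUMN NAME="Threat">JS/TrojanDownloader.FakejQuery.B trojan</COLUMN>
<COLUMN NAME="Action">connection terminated</COLUMN>
</RECORD>
<RECORD>
<COLUMN NAME="Scanner">HTTP filter</COLUMN>
<COLUMN NAME="Object">hxxp://example.invalid/</COLUMN>
<COLUMN NAME="Threat"/>
<COLUMN NAME="Action">connection terminated</COLUMN>
</RECORD>
</LOG></ESET>"""

def parse_records(xml_text):
    """Return one dict per <RECORD>, keyed by each COLUMN's NAME attribute."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [{col.get("NAME"): (col.text or "").strip() for col in rec.findall("COLUMN")}
            for rec in root.iter("RECORD")]

def split_threat_name(threat):
    """'JS/TrojanDownloader.FakejQuery.B trojan' -> (platform, name, category)."""
    name, _, category = threat.partition(" ")
    platform, _, rest = name.partition("/")
    return platform, rest, category

def classify(record):
    """Staff rule: a non-empty Threat column means a specific signature
    detection; an empty one means the block has no detection name behind it."""
    return "signature detection" if record.get("Threat") else "block without detection name"

def triage(xml_text):
    """Summarise each record as (object, classification, threat name)."""
    return [(r.get("Object", ""), classify(r), r.get("Threat", ""))
            for r in parse_records(xml_text)]
```

Run `triage(SAMPLE_LOG)` on a real export (`open(path).read()`) to list which blocked URLs came with a named detection and which did not.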