aaroncalvo Posted February 6, 2019 ID:1297179 Share Posted February 6, 2019 (edited) I tested the file on virus total and malwarebytes was the only result that came back as an issue. The file was not updated in weeks and did not see this result prior https://www.virustotal.com/#/url-analysis/u-1bdf9586dd242be8f8a8a9d7c97c8738172fae7d5b215f91cb56a8343301613a-1549489523 home page showing clean = https://www.virustotal.com/#/url/1bdf9586dd242be8f8a8a9d7c97c8738172fae7d5b215f91cb56a8343301613a/detection the file in question loaded through header of page (so home page as well as others ) showing with issue = https://www.virustotal.com/#/url/f70c97d7147ecca94f32a63abd838fb1c4bd1fdacce39aa9aed65a67e5c389b2/detection I have attached the screenshot from a customer as well as the file that was mentioned by customer and the file from his screenshot. This was the customers comments: Quote Comment - Please get me in touch with your IT team. It looks like you have a piece of malicious Javascript running in your site. Looks to be a Trojan horse known as JS/Spy.Banker.DFmalicious URLShxxps://cdn6.arttoframe.com/notification/messaging/generateToken.js header_js_block.zip Edited February 7, 2019 by Dashke Link to post Share on other sites More sharing options...
Staff Solution Dashke Posted February 7, 2019 Staff Solution ID:1297257 Share Posted February 7, 2019 Thanks for the file. Can you please remove malicious files so we can remove the block? Link to post Share on other sites More sharing options...
aaroncalvo Posted February 7, 2019 Author ID:1297258 Share Posted February 7, 2019 Hi Dashke, That is the problem. Running it with the same file coming from a cdn instead of cdn6 shows no problem with that file. I have updated that on my site. Can you confirm? Link to post Share on other sites More sharing options...
Staff Dashke Posted February 7, 2019 Staff ID:1297262 Share Posted February 7, 2019 Thanks, the block will be reviewed. Link to post Share on other sites More sharing options...
Staff Dashke Posted February 8, 2019 Staff ID:1297457 Share Posted February 8, 2019 (edited) After our team reviewed the file, we concluded that it's definitely malicious, so the block will stay in place until the script has been removed from your website. Edited February 8, 2019 by Dashke Link to post Share on other sites More sharing options...
aaroncalvo Posted February 8, 2019 Author ID:1297459 Share Posted February 8, 2019 Thanks. The file and all it referances have been removed. thank you for finding it. Link to post Share on other sites More sharing options...
Staff Dashke Posted February 8, 2019 Staff ID:1297460 Share Posted February 8, 2019 Thanks, the block will be reviewed. Link to post Share on other sites More sharing options...
Recommended Posts