benstroud, posted September 13 (ID: 1660887), edited September 13 by AdvancedSetup (disabled hyperlinks)

Hello, I'm inquiring about a Malwarebytes plugin finding that was submitted by one of our customers when accessing our application/sites (targetsmart.com). Inspecting our applications/pages, we do not find evidence of a trojan or malware. Please provide additional details so that we can investigate further. If that's not possible, please immediately remove the block from your systems so that our clients who use your plugin aren't seeing the malware warnings when accessing our applications.

Finding examples from the browser console:

OM: (PAGE_BLOCK) malware (trojan) match found on https://targetsmart.com/the-targetsmart-voter-registration-dashboard/ for https://targetsmart.com/insights/. Database: {"trojan":"2.0.202409131405"}

OM: (PAGE_BLOCK) malware (trojan) match found on https://targetsmart.com/shrinking-pool-of-swing-voters-data-tells-a-different-story/#respond for https://targetsmart.com/shrinking-pool-of-swing-voters-data-tells-a-different-story/#respond. Database: {"trojan":"2.0.202409131405"}

OM: (PAGE_BLOCK) malware (trojan) match found on https://my.targetsmart.com/filebrowser/ for https://my.targetsmart.com/filebrowser/. Database: {"trojan":"2.0.202409131905"}

Thanks
David H. Lipman, posted September 13 (ID: 1660891)

-Website Data-
Category: Trojan
Domain: targetsmart.com
IP Address: 104.155.128.210
Port: 443
Type: Outbound
File: C:\Program Files\Mozilla Firefox\firefox.exe
TeMerc (Staff), posted September 13 (ID: 1660894), edited September 13 by AdvancedSetup (removed unneeded quote)

Hello. Potential Gootloader infection; the server must be checked and the host contacted about any suspicious activity. VirusTotal - Domain - targetsmart.com:
benstroud (Author), posted September 14 (ID: 1660931)

Thanks for the leads. We've tracked this down to the malware files being hosted not on the targetsmart.com domain (or subdomains) but on another domain hosted on the same WPEngine (managed WordPress) account, sharing the same IP address. This is in the context of a parent company that uses WPEngine to host the corporate sites for its multiple child companies. We're working with WPEngine to track down which of these other domains/sites has the malware to resolve the issue.
benstroud (Author), posted September 16 (ID: 1661253)

@TeMerc The parent company IT/security team is working on resolving the targetsmart.com/WordPress/Gootloader issue. Would it be possible to remove the Malwarebytes browser plugin block for subdomains which are hosted separately from targetsmart.com? These have clean VirusTotal domain reports but are also being blocked by the plugin. They are all hosted on AWS (not using WordPress). The affected WordPress deployments are hosted separately on WPEngine.

* https://www.virustotal.com/gui/domain/my.targetsmart.com/detection
* https://www.virustotal.com/gui/domain/docs.targetsmart.com/detection
* https://www.virustotal.com/gui/domain/visuals.targetsmart.com/detection
* https://www.virustotal.com/gui/domain/transfer.targetsmart.com/detection
* https://www.virustotal.com/gui/domain/api.targetsmart.com/detection
* https://www.virustotal.com/gui/domain/transfer-web.targetsmart.com/detection
* https://www.virustotal.com/gui/domain/privacy.targetsmart.com
* https://www.virustotal.com/gui/domain/targetearly.targetsmart.com/detection
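The triage the thread walks through (read the PAGE_BLOCK lines from the console, pull out the blocked hosts, then work out which of them actually share hosting with the flagged address and which are blocked despite living elsewhere) can be scripted. The block below is an added example written for this page; it is not code from the original poster, Malwarebytes or WPEngine. The three console lines are copied from the first post. The hostname-to-address table is constructed for the example: only targetsmart.com -> 104.155.128.210 appears in the thread, and the AWS-hosted subdomains are given RFC 5737 documentation addresses as placeholders. In real use, pass `socket.gethostbyname` (or a resolver that returns the full A record set) instead of the table's `.get`.

```python
import json
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Console lines quoted from the first post in the thread.
FINDINGS = """\
OM: (PAGE_BLOCK) malware (trojan) match found on https://targetsmart.com/the-targetsmart-voter-registration-dashboard/ for https://targetsmart.com/insights/. Database: {"trojan":"2.0.202409131405"}
OM: (PAGE_BLOCK) malware (trojan) match found on https://targetsmart.com/shrinking-pool-of-swing-voters-data-tells-a-different-story/#respond for https://targetsmart.com/shrinking-pool-of-swing-voters-data-tells-a-different-story/#respond. Database: {"trojan":"2.0.202409131405"}
OM: (PAGE_BLOCK) malware (trojan) match found on https://my.targetsmart.com/filebrowser/ for https://my.targetsmart.com/filebrowser/. Database: {"trojan":"2.0.202409131905"}
"""

# Shape of one PAGE_BLOCK line as seen in the console:
#   OM: (PAGE_BLOCK) <category> (<detection>) match found on <page> for <target>. Database: {...}
# The trailing "." after <target> belongs to the sentence, not the URL.
LINE_RE = re.compile(
    r"\(PAGE_BLOCK\)\s+(?P<category>\w+)\s+\((?P<detection>\w+)\)\s+match found on\s+"
    r"(?P<page>\S+)\s+for\s+(?P<target>\S+?)\.\s+Database:\s+(?P<db>\{.*\})"
)

# Constructed lookup table for the example (assumption, see lead-in).
# Only the first entry is from the thread; 192.0.2.0/24 is reserved for documentation.
ASSUMED_RESOLUTION = {
    "targetsmart.com": "104.155.128.210",
    "www.targetsmart.com": "104.155.128.210",
    "my.targetsmart.com": "192.0.2.10",
    "docs.targetsmart.com": "192.0.2.11",
    "visuals.targetsmart.com": "192.0.2.12",
    "transfer.targetsmart.com": "192.0.2.13",
    "api.targetsmart.com": "192.0.2.14",
    "transfer-web.targetsmart.com": "192.0.2.15",
    "privacy.targetsmart.com": "192.0.2.16",
    "targetearly.targetsmart.com": "192.0.2.17",
}


def parse_findings(text):
    """Parse PAGE_BLOCK console lines into dicts; lines that do not match are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        db = json.loads(m.group("db"))
        findings.append({
            "category": m.group("category"),          # e.g. "malware"
            "detection": m.group("detection"),        # e.g. "trojan"
            "page": m.group("page"),                  # page the user was on
            "target": m.group("target"),              # URL that tripped the block
            "host": urlsplit(m.group("target")).hostname,
            "db_version": db.get(m.group("detection")),
        })
    return findings


def group_by_address(hosts, resolve):
    """Map resolved address -> set of hosts. Unresolvable hosts land under "unresolved"."""
    by_ip = defaultdict(set)
    for host in hosts:
        addr = resolve(host) or "unresolved"
        by_ip[addr].add(host)
    return by_ip


def triage(findings_text, resolve, flagged_ip, extra_hosts=()):
    """Split blocked hosts into co-tenants of flagged_ip and hosts blocked despite living elsewhere.

    extra_hosts lets you include hosts the user reported but that are absent from
    the captured console lines (the subdomain list from the later post, for example).
    """
    findings = parse_findings(findings_text)
    blocked = sorted({f["host"] for f in findings})
    by_ip = group_by_address(set(blocked) | set(extra_hosts), resolve)
    cotenants = by_ip.get(flagged_ip, set())
    return {
        "blocked_hosts": blocked,
        "sharing_flagged_ip": sorted(cotenants),
        "blocked_elsewhere": sorted(h for h in blocked if h not in cotenants),
        "extra_hosts_sharing_flagged_ip": sorted(h for h in extra_hosts if h in cotenants),
        "db_versions": sorted({f["db_version"] for f in findings}),
    }


if __name__ == "__main__":
    report = triage(FINDINGS, ASSUMED_RESOLUTION.get, "104.155.128.210",
                    extra_hosts=[h for h in ASSUMED_RESOLUTION if h.endswith(".targetsmart.com")])
    print(json.dumps(report, indent=2))
```

Under the constructed table, the only host sharing 104.155.128.210 is targetsmart.com itself, and my.targetsmart.com shows up as blocked while resolving elsewhere, which is exactly the list of hosts worth raising with the vendor. Note that a block keyed on the address rather than the name will also catch every other site on a shared managed-hosting IP, which is the situation the fourth post describes; the grouping makes that blast radius visible before you ask for an exclusion.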
benstroud (Author), posted September 18 (ID: 1661760), marked as solution

Resolved in a separate forum thread: