Channel: Topic Tag: trojan | WordPress.org

jlivings on "Antivirus flagged wordpress javascript file"


Running wordpress locally (Xampp) to test the latest 4.4 version, my antivirus (Bitdefender) flagged this default wordpress file for quarantine and removal for "Trojan.Script.644049":

wp-includes\js\utils.min.js

Is this a case of my antivirus being sensitive or is this something bigger to be concerned with?

A little searching around and I found this discussion about the same issue (I think).

https://en.forums.wordpress.com/topic/virus-trojanscript-644049-engine-a

Any input appreciated.


smooty1970 on "WordPress 4.4 with Trojan.Script644049?"


This webpage http://www.hartmann-hydro.de/wp-admin/load-scripts.php?c=1 &load%5B%5D=jquery-core,jquery-migrate,utils&ver=4.4 is identified as infected with Malware.
Virus name: Trojan.Script644049.
This message comes in Bitdefender on the client PC while working in the backend of WordPress. Bitdefender I have been informed. Error in WordPress 4.4 or with me?
Does all of my customer projects, which have been updated to 4.4

jafarr1 on "Trojan on my sites on admin screens"


All of my sites (self-hosted) are triggering Trojan warnings from any WordPress Admin console page. Whenever I go to any admin page, BitDefender (our virus protection) gives a warning that there is a Trojan. Malware detection plugins and scans do not catch the Trojan because they cannot / do not access the admin pages.

One of the sites: whichtestwon.com

The line that BitDefender blocks: <script type='text/javascript' src='https://whichtestwon.com/wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate,utils&ver=4.3.1'></script>

Anyone have any ideas?

paraskumar on "[Plugin: Share Buttons by AddThis] trojan in your plugin"

<script
                    data-cfasync="false"
                    type="text/javascript"
                    src="//s7.addthis.com/js/300/addthis_widget.js#pubid=wp-47bcc257b2aeb6d3b74684a3c431cf31 "
                    async="async"
                >
                </script>

This is the script above, and the above JS shows that you have got a trojan in this file. Why do you add a trojan? Please remove it.

https://wordpress.org/plugins/addthis/

villy.skov@gmail.com on "trojan in body_class - how to remove?"


If I remove body_class in my theme, then the trojan code is gone. It only appears in IE (not Firefox or Chrome).

<body <?php body_class(); ?>>

It is not coming from a plug-in; I tried to disable them all.

The <script> looks like this:
<div class="wntgbvcfqhh">dtdzel, kjlasksdjj, } if etc. </script>;

How can I remove this?

justravis on "[Plugin: Yoast SEO] Trojan in wp-seo-metabox-302.min.js?"

elyptic on "How to report malware in plugins?"


I have downloaded a plugin for adding Google Analytics code to my site. I later discovered it was a scam, with someone else's source code and a tiny javascript source code appended to the end which attempts to download a darkleech trojan from myftp.org

I followed up with a review to warn others, and then tracked the author's other 'work'. As it turns out he has done the same with an SMTP Mail plugin, a Google Maps plugin, and a redirects plugin.

How and where do we report these offenders hiding in plain sight?

revolvec on "Cant access Wp-admin"


Hi, a client's site was hacked recently and I cannot get access to the admin page. The client had no security or maintenance plan in place.

Seems to be either a htaccess and permalinks issue or/and a virus issue.

Does anyone have any experience of dealing with this issue before?


pbyyc on "Wordpress 4.4 iis7 symantec detecting trojan in c:\windows\temp"


We just built a new WordPress server, placed it in our DMZ and turned our website live.

Symantec is now detecting Backdoor.Trojan and PHP.Backdoor.Trojan in the c:\windows\temp directory.

When I run a Sucuri scan, everything comes back clean.

Has anyone experienced this issue before? I am trying to figure out if it's detecting something that is real, or if it's a false positive.

The scan will clean the "infection", and then a week later it detects and cleans it again

Marco on "[Plugin: Widgets on Pages] php/Agent.GC Trojan horse"


Hi, today my plugin was disabled. When I tried to copy it to backup, my antivirus blocked this file "widgets_on_pages.php" because it found a trojan horse named "php/Agent.GC".
I don't know if it's a real trojan, but I want to alert you.
I have removed the plugin and installed it again; now I have solved the problem.

https://wordpress.org/plugins/widgets-on-pages/

abhishekkjain on "[Plugin: Jetpack by WordPress.com] Jetpack treated as Trojan"


Hi all,

I got a mail from my hosting company that the website has a virus, and I was shocked as I took all preventive measures and updated the plugins last week itself.

Then I tried running ClamAV and it detected Win.Trojan.Agent-1395367 in the official code file.

File: responsive-videos.min.js
Path: jetpack/modules/theme-tools/responsive-videos/responsive-videos.min.js

VT Scan Result - https://www.virustotal.com/en/file/1f6d3e09969916e203c940124ef19b654464ed322c756530e1bcb1267cc93e2c/analysis/1461085848/

AegisLab detects it as - Troj.Script.Gen!c

https://wordpress.org/plugins/jetpack/

chrgruber on "[Plugin: wBounce] Trojan Virus found in Installation"


Hello,
maybe it is a false-positive warning:
G-Data Internet Security found
TrojanScript657339 in
wbounce-backend.min.js
and moves this file into quarantine.
I think it must be one of the last signature updates that invokes this warning, because last week I didn't have any warnings on the same file...
Please have a look!

https://wordpress.org/plugins/wbounce/

alfiotondelli on "[Plugin: Quick Page/Post Redirect Plugin] Trojan?"

bastijan on "[Plugin: Quick Page/Post Redirect Plugin] your plugin is infected with Win.Trojan.Agent-1395005"


Your plugin is infected with Win.Trojan.Agent-1395005.

File qppr_frontend_script.min.js is not minimized file of original file qppr_frontend_script.js

There is infected file content

! function(t) {
    t(document).ready(function() {
        function e(t, e) {
            return "undefined" != typeof e[t] ? "1" : "undefined" != typeof e[t.replace(a, "")] ? "2" : "undefined" != typeof e[t.replace(n, "")] ? "3" : !1
        }
        var r = qpprFrontData.linkData,
            a = qpprFrontData.siteURL,
            n = qpprFrontData.siteURLq;
        t("a[href]").each(function() {
            var i = t(this),
                f = "undefined" != typeof t(this).attr("href") ? t(this).attr("href") : "",
                l = e(f, r);
            if (l !== !1) {
                var o = "undefined" != typeof t(this).attr("rel") ? t(this).attr("rel") : "",
                    p = ("undefined" != typeof t(this).attr("target") ? t(this).attr("target") : "", !1),
                    h = !1,
                    c = "",
                    d = f;
                if ("1" == l ? (p = r[f][0], h = r[f][1], c = r[f][2]) : "2" == l ? (p = r[f.replace(a, "")][0], h = r[f.replace(a, "")][1], c = r[f.replace(a, "")][2], d = f.replace(a, "")) : "3" == l && (p = r[f.replace(n, "")][0], h = r[f.replace(n, "")][1], c = r[f.replace(n, "")][2], d = f.replace(n, "")), p && "" === this.target && (this.target = "_blank"), h && ("" !== o && "nofollow" !== o ? t(this).attr("rel", o + " nofollow") : t(this).attr("rel", "nofollow")), "" != c) {
                    t(this).attr("href", c);
                    var s = i.html();
                    s = s.replace(d, c), i.html(s)
                }
            }
        })
    })
}(jQuery);

https://wordpress.org/plugins/quick-pagepost-redirect-plugin/

bastijan on "[Plugin: Quick Page/Post Redirect Plugin] this plugin has trojan"


joshuaprovoste on "[Theme: Bizlight] Hacked library for Malware Download [IMPORTANT]"

hutterweb on "[Plugin: Link Library] Windows Defender Says The Zip contains a trojan"

scandaglia on "Virus JS:Decode-ADX (TRJ) modifies file HEADER.php"

Hello, a virus of the type JS:Decode-ADX (TRJ) has infected the header.php file in the "theme" folder. How do I clean it? How do I return to the original state? Thanks for the support
------------------

[Large code excerpt removed by moderator per forum rules. Please use Pastebin or a Gist for all large code excerpts, they work better anyway.]

cessholden on "[Plugin: WooCommerce PDF Invoices] Adclick virus"


Installed this plugin on a client site last week, and today my site was infected with the adclick virus, so had to delete the plugin. I'm a bit annoyed as both my client and I loved the plugin.

These are the files affected
./wp-content/plugins/woocommerce-pdf-invoices/lib/mpdf/classes/bmp.php
./wp-content/plugins/woocommerce-pdf-invoices/lib/mpdf/classes/grad.php
./wp-content/plugins/woocommerce-pdf-invoices/lib/mpdf/classes/mpdfform.php
./wp-content/plugins/woocommerce-pdf-invoices/lib/mpdf/classes/otl.php
./wp-content/plugins/woocommerce-pdf-invoices/lib/mpdf/classes/otl_dump.php
./wp-content/plugins/woocommerce-pdf-invoices/lib/mpdf/classes/ttfontsuni.php
./wp-content/plugins/woocommerce-pdf-invoices/lib/mpdf/config.php
./wp-content/plugins/woocommerce-pdf-invoices/lib/mpdf/ttfontdata/dejavusanscondensed.GDEFdata.php

https://wordpress.org/plugins/woocommerce-pdf-invoices/
