HEUR:Trojan.Script.Generic


Fendo

Hello,

I’m getting a false positive on my website (e-commerce), and only on the payment page.
I have sent a message to lab support to validate and verify the issue 2 months ago, and have had no response from them. That is why I’m posting the issue here.

 


I have also checked the page against other security tools like Sucuri; the result follows:

 


And this is my Kaspersky version, and it is updated:

 


The test made by Kaspersky Threat Intelligence Portal:

 



Thanks for the attention and support!


Flood and Flood's wife

Hello @Fendo

Welcome!

TROJAN.SCRIPT.GENERIC

  • ❓ When you say “I’ve sent a message to lab support to validate and verify the issue 2 months ago, and no response from them”, did you actually raise an incident request?
  • If “no”, please do so: Kaspersky Technical Support. Please provide a detailed history and images; they may ask for Traces, captured as the issue is replicated, and they may also request a GSI and Windows logs.
  • ❓ Ask them to determine if the detection is correct?
  • After submitting the case, you’ll receive an automated email with an INC+12digits reference number; then, normally within 5 business days, a Kaspersky Technical Support human will communicate with you, also by email. You may continue to engage with the Kaspersky Technical Team via email or by updating the INC in your MyKaspersky account.

Thank you🙏

Flood🐳

Hi Flood, 

Thanks for the quick reply!
You are right, yesterday after opening this question here I discovered that I could open an Incident inside my account and so I did it.

The request I made a couple of months ago was made directly on a kind of “test” webpage from Kaspersky; I just entered my e-mail contact and was not logged in to My Kaspersky.

Now I have created an incident inside my account and the support already answered me with a couple of extra questions. Let’s see.
 

 


Hello @Fendo,

In addition to my previous reply, please also check the site certificate(s), as there appears to be an issue.
SSL Report: loja2.livemind.com.br

Thank you🙏

Flood🐳

But loja2 was a transition website. I’m not using loja2 anymore. Now it is loja.livemind.com.br

🤔

Interesting... I have already deleted this loja2 from the server.
I will check if anything is left. Not sure how I will do it since this was on the old server.

Where or how did you find this loja2?

Thanks!

 


no response
 

Can you please provide the INC number.

Sorry Berny, as a matter of fact I have opened a request to verify the issue on that website. But it was not inside my account, so it did not generate an INC number.
At that time I did not know I had this direct support.

Thanks!

By the way, I now have an INC and support is already answering me.

If you allow this to stay open, I can return and give feedback on the findings of tech support.


Flood and Flood's wife

Hello @Fendo,

You’re most welcome🙂 !

Re “Where or how did you find loja2 ?”

  • I may have made a clumsy typing mistake😔 , my apologies; all I have is a screen image from my investigations yesterday as I’ve reset browsers throughout the period working on other “stuff” 

 

 

  • Your topic remains “open” for as long as you wish, when the Technical Team provides feedback, we always appreciate hearing the outcome please?  
  • To change the status of a topic from Question to Solved, simply select whichever reply you feel assisted you solve the issue. 

Thank you🙏

Flood🐳

Probably not a mistake, since when I was transitioning my website to a new server I used loja2.
We just checked and loja2 was still in the DNS, but it is now removed.

I’m waiting for the support team's answer.
I’ll get back with the resolution here. 

Tks!

 


  • Solution

Just found that the issue was a plugin for WooCommerce called Flexible Checkout Fields, which was injecting malicious code:

 ... eval ... (String.fromCharCode (118,97,114,32,115,99 ...


 


[Removed]

Stay away from them!

 



Thanks for all the support!
God bless you all.
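
A static check for the pattern quoted in the post above, as an added example that is not part of the original thread or of any Kaspersky tooling: it finds String.fromCharCode(...) calls in a page or plugin file, decodes the numbers as text without executing anything, and flags the calls passed straight to eval. The function names and the sample page are constructed for illustration; the six codes visible in the post decode to "var sc".

```javascript
'use strict';

// String.fromCharCode(...) with a purely numeric argument list; whitespace is
// tolerated because injected code is often reformatted.
const CHARCODE_CALL = /String\s*\.\s*fromCharCode\s*\(\s*((?:\d+\s*,\s*)*\d+)\s*\)/g;

// Turn "118,97,114" into text. Nothing is ever handed to eval().
function decodeCharCodes(argList) {
  return argList.split(',').map((n) => String.fromCharCode(Number(n))).join('');
}

// One finding per fromCharCode call in `source`, with its decoded text.
function findCharCodeBlobs(source) {
  const findings = [];
  for (const m of source.matchAll(CHARCODE_CALL)) {
    const before = source.slice(Math.max(0, m.index - 40), m.index);
    findings.push({
      line: source.slice(0, m.index).split('\n').length,
      // true when eval( or Function( directly wraps the call
      wrappedInEval: /\b(?:eval|Function)\s*\(\s*$/.test(before),
      decoded: decodeCharCodes(m[1]),
    });
  }
  return findings;
}

// Only the eval-wrapped calls: the shape quoted in the post.
function suspicious(source) {
  return findCharCodeBlobs(source).filter((f) => f.wrappedInEval);
}

// Constructed sample page (not the code from the thread): one ordinary use and
// one eval-wrapped blob that hides a harmless constructed string.
const encode = (s) => Array.from(s, (c) => c.charCodeAt(0)).join(',');
const SAMPLE = [
  '<script>var sep = String.fromCharCode(44);</script>',
  '<p>checkout form</p>',
  `<script>eval(String.fromCharCode(${encode('console.log("constructed sample")')}));</script>`,
].join('\n');

for (const f of suspicious(SAMPLE)) {
  console.log(`line ${f.line}: eval-wrapped blob decodes to: ${f.decoded}`);
}
```

Run over the rendered checkout page and over the plugin's files, the decoded text shows what a heuristic script detection is reacting to before anyone treats it as a false positive.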

 


Flood and Flood's wife

Hello @Fendo,

You’re most welcome☺ !

We’re very glad you’ve found the root cause👍, however, posting URLs that may contain malicious code is never a good idea🙁

Thank you🙏

Flood🐳

You are right!

Thanks for all the attention and support!


  • 8 months later...

I was also facing the same with one of the sites, but it was not Kaspersky-specific; the Trojan was on the site server. I contacted the site owner, and they fixed it.
